Ken Karasek wrote:
>
> James, I am one of the unfortunate NetView administrators that belongs to a
> shop that has a dedicated UNIX system administration unit and that does not
> grant root access to any one outside the sysadmin unit. I know.. I know...
> you don't need to say it... lived it , been there. Because one user among
> thousands of us found a back door in AIX and used it, all access has been
> severely limited.
>
> Since I have this constraint, can you provide a list of directories,
> commands, and/or files that I can request "sudo" access to in the event of
> required or perceived maintenance or troubleshooting. I currently have a
> small access list going, but I am constantly requesting additional sudo
> access as I run into problems with permission rights. It's not likely, but
> this has led me to request sudo to everything but starting a root shell.
> These requests are not always filled in a timely manner and can be very
> frustrating while I am on the phone with support and I am not able to
> access specific directories and/or files. I would like to address this
> problem as an opportunity to build "sudo" now so I can reduce my access
> problem when it is most needed. I realize that you could only provide
> NV/6000 information, but any insight you could provide from the wealth of
> product knowledge you have would be greatly appreciated.
>
> Thank you.
>
There are two other approaches that come to mind.
1. AIX (and several other flavors of UNIX, such as HPUX) support
extended (aka. POSIX) ACLs on files.
The commands on AIX are acledit, aclget, and aclput. You can use these
to grant specific access to multiple users. I have used these in the
past, to get around this problem.
Now the caveat.
If you set the ACL, and then perform a chmod (or use any utility that
uses the equivalent system calls)
the extended ACL support gets disabled. You have to be really careful,
because these utilities could include something like tar, or restore.
This is enough of problem that you might want to have a script
launchable from sudo to make sure these are set appropriately.
2. Another (possibly more elegant approach) would be to use taintperl
(if you're perl4) or a SetUid perl5 script (with the appropriate
security).
chris.cowan.vcf
Description: Card for Chris Cowan
|