Problem
You want to change the euid or ruid of a process. For example, the snippet below, executed by user grid, tries to start bash as user oracle:
[grid] $ python3 -c 'import os; import pwd; import sys; import subprocess; uid=pwd.getpwnam("oracle").pw_uid; os.setreuid(uid,uid); retval = subprocess.run(["bash", "--norc"]).returncode; sys.exit(retval);'
Traceback (most recent call last):
File "<string>", line 1, in <module>
PermissionError: [Errno 1] Not owner
Executing the same snippet as user root, however, succeeds.
Solution
AIX 7.2 provides Role Based Access Control (RBAC) mechanisms that control certain security aspects of the system.
In particular, RBAC allows privileges to be granted to users, roles and processes so that they can perform specific actions.
To allow the python3 executable to call setreuid(), run the following as root:
# setsecattr -c accessauths=ALLOW_ALL innateprivs=PV_DAC_O,PV_DAC_UID secflags=FSF_EPS euid=0 egid=0 /opt/bin/python3.7
# setkst
Note: setsecattr does not accept aliases, only the path of the actual executable. Also note that accessauths=ALLOW_ALL lets every user who can run /opt/bin/python3.7 exercise PV_DAC_UID, i.e. switch to any uid; restricting accessauths to a dedicated authorization assigned to the intended role limits the grant to those users.
[grid] $ python3 -c 'import os; import pwd; import sys; import subprocess; uid=pwd.getpwnam("oracle").pw_uid; os.setreuid(uid,uid); retval = subprocess.run(["bash", "--norc"]).returncode; sys.exit(retval);'
[oracle] $
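As an added example (not code from the original post), the same setreuid() call wrapped in a small Python helper that verifies the resulting identity and, when the kernel refuses the switch, reports the RBAC grant that is missing. The function names (switch_to_user, run_as_user) are my own.

```python
import os
import pwd
import subprocess
import sys


class PrivilegeError(PermissionError):
    """setreuid() was refused: caller is not root and lacks PV_DAC_UID."""


def resolve_uid(user):
    """Return the numeric uid for a user name; numeric uids pass through."""
    if isinstance(user, int):
        return user
    return pwd.getpwnam(user).pw_uid


def current_identity():
    """Return (ruid, euid) of the calling process."""
    return os.getuid(), os.geteuid()


def switch_to_user(user):
    """Set both real and effective uid to `user`; return the resulting (ruid, euid).

    Switching to your own uid always succeeds. Switching to another uid needs
    root or, on AIX, the PV_DAC_O/PV_DAC_UID grant shown above for the interpreter.
    """
    uid = resolve_uid(user)
    try:
        os.setreuid(uid, uid)
    except PermissionError as exc:  # AIX reports "Not owner", Linux "Operation not permitted"
        raise PrivilegeError(
            f"setreuid({uid},{uid}) refused for euid {os.geteuid()}: {exc.strerror}. "
            "Run as root or grant PV_DAC_O,PV_DAC_UID to the interpreter with setsecattr."
        ) from exc
    ruid, euid = current_identity()
    if (ruid, euid) != (uid, uid):  # never trust the switch without checking
        raise PrivilegeError(f"expected uid {uid}, got ruid={ruid} euid={euid}")
    return ruid, euid


def run_as_user(user, argv):
    """Run argv in a child that switches uid before exec; the parent keeps its identity."""
    uid = resolve_uid(user)
    return subprocess.run(argv, preexec_fn=lambda: switch_to_user(uid)).returncode


if __name__ == "__main__":  # usage: script.py oracle [command ...]
    sys.exit(run_as_user(sys.argv[1], sys.argv[2:] or ["bash", "--norc"]))
```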