Question : rbac and su on aix

An easy cake for you wmp :-)

I used to su - 'user' with sudo without typing any password; now I have disabled sudo and a user (with RBAC roles) can su - 'user', but it asks for a password.

Question:
With sudo disabled, can a user inside RBAC su - 'other_user' without typing a password?

Answer : rbac and su on aix

I'm here, don't worry!

It's not as easy as it might look at first sight.

'su' is one of those commands with accessauths "ALLOW_ALL", and those commands tend to
query the real user ID of the user executing the command, and only real UID '0' can su without a password.

So you will have to do several things:

- Create a new user-defined authorization, call it e.g. "UserSU" (or the like).
- Add this authorization to a role given exclusively to those users to be allowed to 'su' without password (or create a new role).
- Customize the entry for '/usr/bin/su' in privcmds by changing accessauths to "UserSU" instead of "ALLOW_ALL" and by adding "ruid = 0".

Best use 'smitty rbac' for the above, and don't forget 'setkst' when done.

Now if one of the authorized users switches to the role you enhanced (or created) above he/she will then be able to 'su' without password.

Be careful, and don't give the authorization to switch to that role to just anybody, because there is no means (NO MEANS!) to forbid su'ing to root!!

Good ol' sudo ...

wmp
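The steps wmp describes above, as an added shell example that is not part of the original post (the command-line equivalent of the 'smitty rbac' session): the names "UserSU", "UserSURole" and "alice" are assumed, and the script defaults to a dry run that only prints the AIX commands, since they need root on an AIX box with enhanced RBAC enabled.

```shell
#!/bin/sh
# Added example: configure password-less 'su' for one RBAC role on AIX.
# Assumed names: authorization UserSU, role UserSURole, user alice.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the authorization and role, re-point /usr/bin/su at them, grant the
# role to one user, then reload the kernel security tables.
setup_su_role() {
  auth="$1"; role="$2"; user="$3"
  run mkauth dfltmsg="Allow su without password" "$auth"
  run mkrole authorizations="$auth" dfltmsg="Password-less su" "$role"
  # Replace ALLOW_ALL with our authorization and make su run with real UID 0,
  # which is what lets it skip the password prompt.
  run setsecattr -c accessauths="$auth" ruid=0 /usr/bin/su
  run chuser roles="$role" "$user"
  run setkst
}

# Check one line of 'lssecattr -c -a accessauths -a ruid /usr/bin/su' output
# (read from stdin) for the expected authorization and ruid=0.
# Usage: lssecattr -c -a accessauths -a ruid /usr/bin/su | verify_su_entry UserSU
verify_su_entry() {
  auth="$1"
  line=$(cat)
  auths=$(printf '%s\n' "$line" | sed -n 's/.*accessauths=\([^ ]*\).*/\1/p')
  ruid=$(printf '%s\n' "$line" | sed -n 's/.*ruid=\([^ ]*\).*/\1/p')
  [ "$ruid" = "0" ] || return 1
  case ",$auths," in *",$auth,"*) return 0 ;; esac
  return 1
}

setup_su_role "${AUTH_NAME:-UserSU}" "${ROLE_NAME:-UserSURole}" "${GRANT_USER:-alice}"
```

After applying, alice activates the role with 'swrole UserSURole' before running su; anyone holding that role can su to any account, root included, so grant it sparingly.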