Question : rbac and su on aix

An easy cake for you wmp :-)

I used to su - 'user' with sudo without type any password, now I have disabled sudo and a user (with rbac roles) can su - 'user' but it asks for passwd.

Question:
With sudo disabled, can a user inside rbac su - 'other_user' without type passwd?

Answer : rbac and su on aix

I'm here, don't worry!

It's not that easy as it might look at first sight.

'su' is one of those commands with accessauths "ALLOW_ALL", and those commands use to
query the real userid of the user executing the command, and only real UID '0' can su without password.

So you will have to do several things:

- Create a new User-defined Authorization, call it e.g. "UserSU" (or the like)
- Add this authorization to a role given exclusively to those users to be allowed to 'su' without password (or create a new role).
- Customize the entry for '/usr/bin/su' in privcmds by changing accessauths to "UserSU" instead of "ALLOW_ALL" and by adding "ruid = 0"

Best use 'smitty rbac' for the above, and don't forget 'setkst' when done.

Now if one of the authorized users switches to the role you enhanced (or created) above he/she will then be able to 'su' without password.

Be careful, and don't give the authorization to switch to that role to just anybody, because there is no means (NO MEANS!) to forbid su'ing to root!!

Good ol' sudo ...

wmp

Random Solutions

Server 2003 Shutdown without Login

Dreamweaver deployment view questions.

Incomplete result for DNS queries

Strange SQL Error

Sonicwall rule to block DHCP traffic between two site-to-site

msoutlook 2007 data file do not compress

Cisco ASA 5505 with AIP-SSC-5 card

Windows Authentication with User and Roles management in SQL Server

exchange 2003 and ISA 2006 certificate renew - RPC-HTTPS not working

COUNT_variable Error