2008-12-01 10:58:40
增强 RBAC(Role Based Access Control,基于角色的访问控制)是AIX 6 的安全新特性。使用RBAC对用户权限的控制颗粒度可以做得很细,所以这个东西还是很有用的。由于RBAC相关命令都是新命令,不太好记,要用的时候却想不起来了,所以决定根据常见的需求,通通写成可重复使用的脚本。
1、查看具有角色的所有用户
# List every defined role with its description (stanza format), then every
# user that actually holds a role.  `grep -v 'roles=$'` drops users whose
# roles attribute is empty, so only real role holders survive the filter.
lsrole -f -a dfltmsg ALL
lsuser -a default_roles roles ALL | grep -v 'roles=$'
命令结果示例:
# lsrole -f -a dfltmsg ALL; lsuser -a default_roles roles ALL |grep -v "roles=$"
AccountAdmin:
dfltmsg=User and Group Account Administration
BackupRestore:
dfltmsg=Backup and Restore Administration
DomainAdmin:
dfltmsg=Remote Domain Administration
FSAdmin:
dfltmsg=File System Administration
SecPolicy:
dfltmsg=Security Policy Administration
SysBoot:
dfltmsg=System Boot Administration
SysConfig:
dfltmsg=System Configuration Administration
isso:
dfltmsg=Information System Security Officer
sa:
dfltmsg=System Administrator
so:
dfltmsg=System Operator
mawt2: default_roles=sa roles=sa
#
相关命令:
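# For every user, print the roles that user holds (rolelist -u) followed by
# the user name and a blank line; users with no roles print nothing because
# `grep .` fails on empty output.  printf replaces ksh's `print $i"\n"` so the
# loop also runs under bash, and the name is read line by line instead of
# being word-split from a command substitution.
lsuser -a ALL | while IFS= read -r user; do
  if rolelist -u "$user" | grep .; then
    printf '%s\n\n' "$user"
  fi
done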
# Grant mawt3 two roles (comma-separated list replaces the whole attribute).
chuser roles=sa,isso mawt3
# Grant mawt2 the sa role only.
chuser roles=sa mawt2
# Grant sa and also make it active at login via default_roles
# (default_roles presumably lists the roles activated automatically at
# login, roles the set the user may assume; cf. `rolelist -e` below).
chuser default_roles=sa roles=sa mawt2
# Clear both attributes, i.e. revoke every role from mawt2.
chuser default_roles= roles= mawt2
$ rolelist
sa System Administrator
$ rolelist -e
sa System Administrator
$
2、查看某角色所能执行的所有命令
ROLE=sa # Put the role name here. For isso, sa or so the commands of their sub-roles are listed as well (x recurses through `lsrole -a rolelist`).
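#######################################
# Print every command (with its accessauths) that a role may run, then
# recurse into the role's sub-roles as reported by `lsrole -a rolelist`.
# Globals:   none written (the caller's ROLE is no longer clobbered)
# Arguments: $1 - role name
# Outputs:   matching lines of `lssecattr -c -a accessauths ALL` on stdout;
#            each sub-role is introduced by a '##rolelist <name>' line
# Returns:   0
#######################################
x() {
  # typeset works in both ksh (the AIX default shell) and bash.
  typeset role=$1 auths sub_roles sub
  # "sa authorizations=a.b,c.d" -> "a\.b|c\.d": dots are escaped so the
  # alternation matches the authorization names literally.
  auths=$(lsrole -a authorizations "$role" | awk -F= '{print $2}' \
    | sed -e 's/\./\\./g' -e 's/,/|/g')
  # An empty pattern makes grep -E match every line, so a role with no
  # authorizations (or an unknown role) must not reach the search at all.
  if [[ -n "$auths" ]]; then
    lssecattr -c -a accessauths ALL | grep -E "$auths"
  fi
  sub_roles=$(lsrole -a rolelist "$role" | awk -F= '{print $2}' | sed 's/,/ /g')
  # Word-splitting $sub_roles is intended: sed has turned the commas into spaces.
  for sub in $sub_roles; do
    # Recurse in a subshell so that shells where typeset is not function-local
    # (ksh with POSIX-style functions) still keep each level's variables apart.
    (
      printf '##rolelist %s\n' "$sub"
      x "$sub"
    )
  done
}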
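# Quoted so an empty ROLE is passed as an explicit (empty) argument rather
# than silently dropping the parameter.
x "$ROLE"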
命令结果示例:
# ROLE=SysBoot
# x() {
> ROLE=$1
> AUTHS=`lsrole -a authorizations $ROLE|awk -F= '{print $2}' |sed 's/,/|/g'`
> lssecattr -c -a accessauths ALL | egrep "$AUTHS"
> ROLELIST=`lsrole -a rolelist $ROLE|awk -F= '{print $2}' |sed 's/,/ /g'`
> [[ a"$ROLELIST" == a ]] && return || for i in $ROLELIST; do (echo '##rolelist '$i; x $i);done
> }
# x $ROLE
/usr/bin/chauthent accessauths=aix.system.boot.create
/usr/bin/mksysb accessauths=aix.system.boot.create
/usr/lib/boot/bin/bootinfo_chrp accessauths=aix.system.boot.info
/usr/sbin/bootinfo accessauths=aix.system.boot.info
/usr/sbin/bosboot accessauths=aix.system.boot.create
/usr/sbin/exec_shutdown accessauths=aix.system.boot.shutdown
/usr/sbin/fastboot accessauths=aix.system.boot.reboot
/usr/sbin/fasthalt accessauths=aix.system.boot.halt
/usr/sbin/halt accessauths=aix.system.boot.halt
/usr/sbin/reboot accessauths=aix.system.boot.reboot
/usr/sbin/savebase accessauths=aix.system.boot.create
/usr/sbin/shutdown accessauths=aix.system.boot.shutdown
#
相关命令:
# Give mawt2 the sa role, whose sub-roles are FSAdmin and AccountAdmin
# (see `lsrole -a rolelist sa` below).
chuser roles=sa mawt2
# A file-system command (FSAdmin territory) — presumably run as mawt2 to
# show that a parent role can execute its sub-roles' commands; confirm.
chfs -a size=+1M /tmp
# lsrole -a rolelist sa
sa rolelist=FSAdmin,AccountAdmin
# lsrole -a rolelist ALL
AccountAdmin rolelist=
BackupRestore rolelist=
DomainAdmin rolelist=
FSAdmin rolelist=
SecPolicy rolelist=
SysBoot rolelist=
SysConfig rolelist=
isso rolelist=DomainAdmin,SecPolicy,SysConfig
sa rolelist=FSAdmin,AccountAdmin
so rolelist=BackupRestore,SysBoot
#
说明:sa rolelist=FSAdmin,AccountAdmin表明sa有两个子角色:FSAdmin,AccountAdmin。子角色所能执行的命令,父角色也能执行。
========================================================================
任何形式的转载,请写明出处:
email:
blog: http://www.cublog.cn/u/739/
========================================================================