2008-12-01 16:53:48
继《AIX 6 RBAC学习记录一》,本文专注于分析:要使某用户能运行某命令,需要分配给他什么样的角色。
3、查看“运行某命令”所需要的角色(命令在RBAC特权命令数据库中)
CMD=cfgmgr  # a bare name or a full path (/usr/sbin/cfgmgr) both work here
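#######################################
# Build the egrep pattern that matches a role's "authorizations=" field when
# the role grants authorization $1, either exactly or through one of its
# dot-separated parents (aix.system.boot.create is also granted by
# aix.system.boot, aix.system and aix).
# Arguments: $1 - one authorization name
# Outputs:   an ERE alternation on stdout
#######################################
auth_regex() {
  ar_name=$1
  ar_out=
  while :; do
    # Escape the dots (regex metacharacters) and anchor on the field
    # separators so aix.system cannot match aix.systemx or a longer name.
    ar_esc=$(printf '%s\n' "$ar_name" | sed 's/\./\\./g')
    ar_out="${ar_out}${ar_out:+|}[=,]${ar_esc}(,|\$)"
    # Stop at the top-level name.  The original tested "grep ." (any
    # non-empty string), so it could never leave the loop once the name
    # had no dot left to strip.
    [[ "$ar_name" == *.* ]] || break
    ar_name=${ar_name%.*}
  done
  printf '%s\n' "$ar_out"
}

#######################################
# Show which existing roles let a user run a command that is already in the
# RBAC privileged command database.  Any role listed usually carries more
# authorizations than this one command needs; section 4 of the page builds
# a per-command role instead.
# Globals:   CMD (written: path returned by which), AUTH (written: the
#            final egrep pattern), AUTHS, ROLES
# Arguments: $1 - command name or full path
# Outputs:   one "## chuser roles=ROLE USERNAME" line per matching role
# Returns:   the status of which when the command is not found; 0 when the
#            command has no accessauths entry (nothing is printed then)
#######################################
x() {
  CMD=$(which "$1") || return
  # lssecattr prints "PATH accessauths=a,b,..."; keep the part after "=".
  # An entry may list several comma-separated authorizations, which the
  # original handled as if they were a single name.
  AUTHS=$(lssecattr -c -a accessauths "$CMD" | awk -F= '{print $2}')
  [[ -z "$AUTHS" ]] && return
  # One alternation per listed authorization, joined with "|".
  AUTH=
  ar_rest=$AUTHS
  while :; do
    ar_one=${ar_rest%%,*}
    [[ -n "$ar_one" ]] && AUTH="${AUTH}${AUTH:+|}$(auth_regex "$ar_one")"
    [[ "$ar_rest" == *,* ]] || break
    ar_rest=${ar_rest#*,}
  done
  # An empty pattern would make egrep match every role.
  [[ -n "$AUTH" ]] || return
  ROLES=$(lsrole -a authorizations ALL | egrep "$AUTH" | awk '{print $1}')
  echo "## You can use one of these following commands to make one user has privilege to run command $CMD :"
  for i in $ROLES; do
    echo "## chuser roles=$i USERNAME"
  done
}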
x "$CMD"
命令结果示例:
# CMD=bosboot
# x() {
> CMD=`which $1`|| return
> AUTH=`lssecattr -c -a accessauths $CMD | awk -F= '{print $2}'`
> [[ a$AUTH == a ]] && return
>
> #将AUTH=aix.system.boot.create变成AUTH=aix.system.boot.create|aix.system.boot,|aix.system.boot$|aix.system,|aix.system$
> PAUTH=${AUTH%.*}
> AUTH="${AUTH}|${PAUTH},|${PAUTH}$"
> PAUTH=$(echo $PAUTH | grep .)
> while [ a$PAUTH != a ]; do
> PAUTH=${PAUTH%.*}
> AUTH="${AUTH}|${PAUTH},|${PAUTH}$"
> PAUTH=$(echo $PAUTH | grep .)
> done
>
> ROLES=`lsrole -a authorizations ALL | egrep "$AUTH"|awk '{print $1}'`
> echo "## You can use one of these following commands to make one user has privilege to run command $CMD :"
> for i in $ROLES; do
> echo "## chuser roles=$i USERNAME"
> done
> }
# x $CMD
## You can use one of these following commands to make one user has privilege to run command /usr/sbin/bosboot :
## chuser roles=SysBoot USERNAME
## chuser roles=SysConfig USERNAME
#
相关命令:
# lssecattr -c -a accessauths ALL | grep '/cfgmgr '
/usr/sbin/cfgmgr accessauths=aix.device.config
# lsrole -a authorizations ALL
AccountAdmin authorizations=aix.security.group,aix.security.user
BackupRestore authorizations=aix.fs.manage.backup,aix.fs.manage.restore
DomainAdmin authorizations=aix.security.kerberos,aix.security.ldap,aix.security.nis,aix.security.pki
FSAdmin authorizations=aix.fs.manage.change,aix.fs.manage.create,aix.fs.manage.debug,aix.fs.manage.defrag,aix.fs.manage.dump,aix.fs.manage.list,aix.fs.manage.mount,aix.fs.manage.quota,aix.fs.manage.recover,aix.fs.manage.remove,aix.fs.manage.snapshot,aix.fs.manage.unmount,aix.fs.object,aix.lvm
SecPolicy authorizations=aix.security.audit,aix.security.auth,aix.security.cmd,aix.security.config,aix.security.device,aix.security.file,aix.security.kst,aix.security.network,aix.security.proc,aix.security.role,aix.security.passwd,aix.security.su,aix.security.tcb,aix.security.tsd
SysBoot authorizations=aix.system.boot.create,aix.system.boot.halt,aix.system.boot.info,aix.system.boot.reboot,aix.system.boot.shutdown
SysConfig authorizations=aix.system.boot.create,aix.system.config.bindintcpu,aix.system.config.console,aix.system.config.date,aix.system.config.diag,aix.system.config.dlpar,aix.system.config.inittab,aix.system.config.io,aix.system.config.kext,aix.system.config.mode,aix.system.config.perf,aix.system.config.rset,aix.system.config.uname,aix.system.config.write,aix.system.stat,aix.wpar
isso authorizations=aix.device,aix.fs.chroot,aix.fs.manage.export,aix.fs.stat,aix.network,aix.proc.fuser,aix.proc.ipc,aix.proc.status,aix.proc.trace
sa authorizations=aix.system.config.acct,aix.system.config.cron,aix.system.config.src,aix.system.install
so authorizations=aix.proc.kill,aix.ras,aix.system.config.init,aix.system.config.wlm
# lsrole -a authorizations ALL | grep aix.device.config
# lsrole -a authorizations ALL | grep aix.device
isso authorizations=aix.device,aix.fs.chroot,aix.fs.manage.export,aix.fs.stat,aix.network,aix.proc.fuser,aix.proc.ipc,aix.proc.status,aix.proc.trace
# lsrole -f -a authorizations ALL | grep aix.device,
isso authorizations=aix.device,aix.fs.chroot,aix.fs.manage.export,aix.fs.stat,aix.network,aix.proc.fuser,aix.proc.ipc,aix.proc.status,aix.proc.trace
# chuser roles=isso mawt
# su - mawt
$ cfgmgr
ksh: cfgmgr: cannot execute
$ swrole ALL
mawt's Password:
$ cfgmgr
$ rolelist -e
isso Information System Security Officer
$
说明:如果设置CMD=lsof,会得到这样的报错:“"/usr/sbin/lsof" does not exist in the privileged command database.”,第4部分专门解决这个问题。
按此方法分配的角色通常还允许用户执行其它的命令,要查看此角色所能执行的所有命令,可以用第2部分的方法;要避免用户可以执行过多命令的问题,同样可以使用第4部分的方法。
4、查看“运行某命令”所需要的角色(命令不在RBAC特权命令数据库中)
CMD=lsof  # the command that is not yet in the privileged command database
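#######################################
# Resolve a command name to the real file behind any chain of symlinks.
# The link target is taken from the last field of "ls -l" (the original
# did not rely on readlink(1)), so a target containing spaces would be
# truncated to its last word.  The original recursed and then printed the
# intermediate path as well, giving two lines for a two-hop chain; this
# version follows the chain in a loop and prints only the final path.
# Arguments: $1 - command name or path, looked up with which
# Outputs:   the resolved absolute path on stdout
# Returns:   non-zero if which fails or a target directory cannot be entered
#######################################
resolve_link() {
  rl_path=$(which "$1") || return
  # Follow one hop at a time; a relative target is interpreted relative to
  # the directory that holds the link.
  while ls -l "$rl_path" | grep -q '^l'; do
    rl_target=$(ls -l "$rl_path" | awk '{print $NF}')
    rl_dir=$(cd "$(dirname "$rl_path")" && cd "$(dirname "$rl_target")" && pwd) || return
    rl_path=$rl_dir/$(basename "$rl_target")
  done
  printf '%s\n' "$rl_path"
}

#######################################
# Print the commands that would put a command into the RBAC privileged
# command database under its own authorization and role.  Nothing is
# changed on the system; the output is meant to be reviewed and run by hand.
# Globals:   CMD (written: resolved path), DATE, NAME, PVS
# Arguments: $1 - command name or path
# Outputs:   chmod/mkauth/setsecattr/mkrole/setkst command lines on stdout
# Returns:   non-zero (silently) if the command cannot be resolved
#######################################
x() {
  CMD=$(resolve_link "$1") || return
  DATE=$(date '+%Y-%m-%d')
  # Use the bare name for the authorization and the role alike; the
  # original used "$1" verbatim for the role name, which is not a valid
  # role name when a path is given.
  NAME=$(basename "$1")
  echo "## The old modes of $CMD is:"
  ls -l "$CMD"
  # printf instead of ksh's echo "\n..." so the leading blank line is
  # produced under any shell.
  printf '\n## You can use these following commands, if you want to put %s into RBAC privileged command database:\n' "$CMD"
  # Drop group/other access and the setuid/setgid bits so that the RBAC
  # entry, not the file mode, is what grants access to the command.
  echo "chmod g-rwxs,o-rwxs $CMD"
  echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt"
  echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix"
  echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.commands"
  echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.commands.$NAME"
  # tracepriv executes the command to record the privileges it uses, so
  # only point it at a binary you trust, and expect the list to cover only
  # the code path that run exercised.  The first run is discarded on
  # purpose: the sample session on this page shows it reporting privileges
  # the second run does not.
  tracepriv "$1" 1>/dev/null 2>&1
  PVS=$(tracepriv "$1" 2>&1 1>/dev/null | grep PV | xargs | sed 's/ /,/g')
  [[ -n "$PVS" ]] || printf '## warning: tracepriv reported no privileges for %s; check the innateprivs list by hand\n' "$1" >&2
  # innateprivs are granted to the command for its whole run; keep the
  # list to what tracepriv reported rather than widening it.
  echo "setsecattr -c innateprivs=$PVS accessauths=mwt.aix.commands.$NAME $CMD"
  echo "mkrole authorizations=mwt.aix.commands.$NAME dfltmsg=\"CREATED BY MWT, AT $DATE\" cmd_$NAME"
  # setkst loads the updated security databases into the kernel tables.
  echo setkst
  echo "## chuser roles=cmd_$NAME USERNAME"
}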
x "$CMD"
命令结果示例:
# CMD=lsof
# x() {
> CMD=$1
> DATE=`date '+%Y-%m-%d'`
>
> #判断命令是否是symbolic link,如果是则获取其对应的真实全路径文件名
> readlink()
> {
> CMD=`which $1` || return
> ls -l $CMD | grep -q '^l'
> if [ $? != 0 ]; then
> echo $CMD
> return
> fi
> DIR1=`dirname $CMD`
> CMD1=`ls -l $CMD | awk '{print $NF}'`
> DIR2=`dirname $CMD1`
> CMD2=`basename $CMD1`
> DIR3=`cd $DIR1;cd $DIR2;pwd`
> CMD=${DIR3}"/"${CMD2}
> ls -l $CMD | grep -q '^l' && readlink $CMD
> echo $CMD
> }
>
> CMD=`readlink $CMD`
> echo "## The old modes of $CMD is:"
> ls -l $CMD
> echo "\n## You can use these following commands, if you want to put $CMD into RBAC privileged command database:"
> echo chmod g-rwxs,o-rwxs $CMD
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.commands"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.commands."`basename $1`
>
> tracepriv $1 1>/dev/null 2>&1
> PVS=`tracepriv $1 2>&1 1>/dev/null | grep PV | xargs |sed 's/ /,/g'`
> echo setsecattr -c innateprivs=$PVS accessauths=mwt.aix.commands.`basename $1` $CMD
> echo mkrole authorizations=mwt.aix.commands.`basename $1` dfltmsg=\"CREATED BY MWT, AT $DATE\" cmd_$1
> echo setkst
> echo "## chuser roles=cmd_$1 USERNAME"
> }
# x $CMD
## The old modes of /opt/freeware/sbin/lsof is:
-rwxr-sr-x 1 root system 129630 Feb 3 2006 /opt/freeware/sbin/lsof
## You can use these following commands, if you want to put /opt/freeware/sbin/lsof into RBAC privileged command database:
chmod g-rwxs,o-rwxs /opt/freeware/sbin/lsof
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix.commands
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix.commands.lsof
setsecattr -c innateprivs=PV_PROC_PRIV,PV_KER_ACCT,PV_NET_CNTL,PV_NET_PORT accessauths=mwt.aix.commands.lsof /opt/freeware/sbin/lsof
mkrole authorizations=mwt.aix.commands.lsof dfltmsg="CREATED BY MWT, AT 2008-12-01" cmd_lsof
setkst
## chuser roles=cmd_lsof USERNAME
#
相关命令:
# Audit the privileged command database: report entries whose file is still
# other-readable but not other-executable (first loop) or other-executable
# (second loop), as shown by the mode column of "ls -e".  The chmod emitted
# in section 4 is what removes these bits.
for i in $(lssecattr -c -a ALL); do ls -e "$i" | grep '^-......r.-'; done
for i in $(lssecattr -c -a ALL); do ls -e "$i" | grep '^-........x'; done
# Undo what the commands generated in section 4 created: the role first,
# then the authorization it referenced.
rmrole cmd_lsof
rmauth mwt.aix.commands.lsof
# cat /usr/include/sys/priv.h | grep PV_MAC_OVRRD
#define PV_MAC_OVRRD 191 /* Bypass MAC restrictions for files */
# lspriv -v | grep PV_MAC_OVRRD
PV_MAC_OVRRD Allows a process to bypass MAC restrictions for files flagged as being exempt from MAC.
#
# tracepriv lsof 2>&1 1>/dev/null | grep PV
PV_DAC_O PV_PROC_PRIV
PV_TCB PV_KER_ACCT
PV_NET_CNTL PV_NET_PORT
# tracepriv lsof 2>&1 1>/dev/null | grep PV
PV_PROC_PRIV PV_KER_ACCT
PV_NET_CNTL PV_NET_PORT
# tracepriv lsof 2>&1 1>/dev/null | grep PV | xargs |sed 's/ /,/g'
PV_PROC_PRIV,PV_KER_ACCT,PV_NET_CNTL,PV_NET_PORT
#
# ls -l `which lsof`
lrwxrwxrwx 1 root system 28 Oct 31 14:56 /usr/sbin/lsof -> ../../opt/freeware/sbin/lsof
# ls -l /opt/freeware/sbin/lsof
-rwxr-sr-x 1 root system 129630 Feb 3 2006 /opt/freeware/sbin/lsof
# chmod o-rx /usr/sbin/lsof
# ls -l /opt/freeware/sbin/lsof
-rwxr-s--- 1 root system 129630 Feb 3 2006 /opt/freeware/sbin/lsof
#
说明:此部分也适用于已位于RBAC特权命令数据库中的命令(如:cfgmgr、bosboot),这样可以避免第3部分出现的分配角色后用户可以执行过多命令的问题。
========================================================================
任何形式的转载,请写明出处:
email:
blog: http://www.cublog.cn/u/739/
========================================================================