2008-12-01 19:36:42

    终于在下班前完成了AIX 6 RBAC学习记录三,现在可以赶紧回家了。

5、查看“读、写某文件”所需要的角色(文件在RBAC特权文件数据库中)
# File whose read/write authorizations are to be looked up (it must be in the RBAC privileged file database).
FILE='/var/adm/sulog'
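x() {
  #######################################
  # Print every role whose authorizations cover the given authorization
  # (the authorization itself or one of its dotted ancestors), followed by
  # a ready-to-use chuser hint for each role.
  # Arguments: $1 - authorization name, e.g. aix.system.boot.create
  #            $2 - free text describing what that authorization allows
  # Outputs:   the matching authorization(s) of each role and the hint, on stdout
  #######################################
  get_role() {
    typeset auth=$1 what=$2   # typeset rather than local so the text also parses under AIX ksh
    typeset parent=${auth%.*}
    typeset alts=$auth
    # Collect the dotted ancestors, e.g. aix.system.boot.create ->
    # aix.system.boot.create|aix.system.boot|aix.system.  The bare top-level
    # component (aix) is deliberately not added, as in the original pattern.
    # Stopping once no dot is left is what terminates the loop: the original
    # kept stripping a dot-less name (which never changes) and never ended.
    while [[ $parent == *.* ]]; do
      alts="${alts}|${parent}"
      parent=${parent%.*}
    done
    # Escape the dots so they match literally; an unescaped '.' is an ERE
    # wildcard and would also match unrelated names such as aixXsystem.
    typeset esc
    esc=$(printf '%s\n' "$alts" | sed 's/\./\\./g')

    # A candidate must be a whole list element: followed by ',' or end of line.
    typeset roles role
    roles=$(lsrole -a authorizations ALL | grep -E "(${esc})(,|\$)" | awk '{print $1}')

    # roles holds one role name per line; word-splitting on whitespace is intended.
    for role in $roles; do
      # Show only the authorizations of THIS role that satisfy the request
      # (the original queried the whole role list on every iteration).
      lsrole -a authorizations "$role" | awk -F= '{print $2}' | tr ',' '\n' \
        | grep -E "^(${esc})\$"
      printf '## You can use this following command, if you want to USERNAME can %s :\n## chuser roles=%s USERNAME\n' "$what" "$role"
    done
  }

  typeset file=$1
  echo "## The file $file has these following authorizations:"
  # Not in the privileged file database (or lssecattr unavailable): stop here.
  lssecattr -f "$file" || return

  typeset rauth wauth a
  rauth=$(lssecattr -f -a readauths "$file" | awk -F= '{print $2}')
  wauth=$(lssecattr -f -a writeauths "$file" | awk -F= '{print $2}')

  # The original ran get_role even when the attribute was empty (the ';'
  # detached it from the test); the lookup is now tied to the header.
  # readauths/writeauths may be comma-separated lists, so each authorization
  # is resolved on its own.
  if [[ -n $rauth ]]; then
    printf '\n## The real readauth(s):\n'
    for a in $(printf '%s\n' "$rauth" | tr ',' ' '); do
      get_role "$a" "read file $file"
    done
  fi
  if [[ -n $wauth ]]; then
    printf '\n## The real writeauth(s):\n'
    for a in $(printf '%s\n' "$wauth" | tr ',' ' '); do
      get_role "$a" "read&write file $file"
    done
  fi
}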
# Resolve the roles for the file chosen above.
x "$FILE"

命令结果示例:
# FILE=/etc/security/audit/config
# x() {
> #根据authorization,确定role
> get_role()
>   {
>   #将AUTH=aix.system.boot.create变成AUTH=aix.system.boot.create|aix.system.boot,|aix.system.boot$|aix.system,|aix.system$
>   AUTH=$1
>   STRING=$2
>   PAUTH=${AUTH%.*}
>   AUTH="${AUTH}|${PAUTH},|${PAUTH}$"
>   PAUTH=$(echo $PAUTH | grep .)
>   while [ a$PAUTH != a ]; do
>       PAUTH=${PAUTH%.*}
>       AUTH="${AUTH}|${PAUTH},|${PAUTH}$"
>       PAUTH=$(echo $PAUTH | grep .)
>   done
>
>   ROLES=`lsrole -a authorizations ALL | egrep "$AUTH"|awk '{print $1}'`
>
>   for i in $ROLES; do
>       lsrole -a authorizations $ROLES |awk -F= '{gsub( ",", ",\n", $2 );print $2}' |\
>       awk -v AUTH=$AUTH -F, '$0 ~ AUTH {print $1}'
>       echo "## You can use this following command, if you want to USERNAME can $STRING :\n## chuser roles=$i USERNAME"
>   done
>   }
>
> FILE=$1
> echo "## The file $FILE has these following authorizations:"
> lssecattr -f $FILE || return
>
> RAUTH=`lssecattr -f -a readauths $FILE| awk -F= '{print $2}'`
> WAUTH=`lssecattr -f -a writeauths $FILE| awk -F= '{print $2}'`
>
> [[ a$RAUTH != a ]] && echo "\n## The real readauth(s):" ; get_role $RAUTH "read file "$FILE
> [[ a$WAUTH != a ]] && echo "\n## The real wirteauth(s):" ; get_role $WAUTH "read&write file "$FILE
> }
# x $FILE
## The file /etc/security/audit/config has these following authorizations:
/etc/security/audit/config readauths=aix.security.audit.list writeauths=aix.security.audit.config

## The real readauth(s):
aix.security.audit
## You can use this following command, if you want to USERNAME can read file /etc/security/audit/config :
## chuser roles=SecPolicy USERNAME

## The real wirteauth(s):
aix.security.audit
## You can use this following command, if you want to USERNAME can read&write file /etc/security/audit/config :
## chuser roles=SecPolicy USERNAME
#


相关命令:
lssecattr -f -a readauths ALL
lssecattr -f -a writeauths ALL
# lssecattr -f ALL | grep readauths | grep writeauths
/etc/security/audit/bincmds readauths=aix.security.audit.list writeauths=aix.security.audit.config
/etc/security/audit/config readauths=aix.security.audit.list writeauths=aix.security.audit.config
/etc/security/audit/events readauths=aix.security.audit.list writeauths=aix.security.audit.config
/etc/security/audit/objects readauths=aix.security.audit.list writeauths=aix.security.audit.config
/etc/security/audit/streamcmds readauths=aix.security.audit.list writeauths=aix.security.audit.config
#
说明:如果设置FILE=/etc/passwd,会得到这样的报错:“"/etc/passwd" does not exist in the privileged file database.”,第6部分专门解决这个问题。

6、查看“写某文件”所需要的角色(文件不在RBAC特权文件数据库中)
# File that is NOT yet in the RBAC privileged file database.
FILE='/etc/passwd'
x() {
FILE=$(dirname $1 |sed $1)
DATE=`date '+%Y-%m-%d'`

echo "## You can use these following commands, if you want to put $FILE into RBAC privileged file database:"
echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt"
echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix"
echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.files"
echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.files."$FILE

echo setsecattr -f writeauths=mwt.aix.files.$FILE $1
echo mkrole authorizations=mwt.aix.files.$FILE dfltmsg=\"CREATED BY MWT, AT $DATE\" file_$FILE
echo setkst
echo "## chuser roles=file_$FILE USERNAME"
echo "## Using pvi command you can modify the file $1"
}
# Emit the suggested commands for the file chosen above.
x "$FILE"

命令结果示例:
# FILE=/etc/security/passwd
# x() {
> FILE=$(dirname $1 |sed $1)
> DATE=`date '+%Y-%m-%d'`
>
> echo "## You can use these following commands, if you want to put $FILE into RBAC privileged file database:"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.files"
> echo "mkauth dfltmsg=\"CREATED BY MWT, AT $DATE\" mwt.aix.files."$FILE
>
> echo setsecattr -f writeauths=mwt.aix.files.$FILE $1
> echo mkrole authorizations=mwt.aix.files.$FILE dfltmsg=\"CREATED BY MWT, AT $DATE\" file_$FILE
> echo setkst
> echo "## chuser roles=file_$FILE USERNAME"
> echo "## Using pvi command you can modify the file $1"
> }
# x $FILE
## You can use these following commands, if you want to put e_s_passwd into RBAC privileged file database:
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix.files
mkauth dfltmsg="CREATED BY MWT, AT 2008-12-01" mwt.aix.files.e_s_passwd
setsecattr -f writeauths=mwt.aix.files.e_s_passwd /etc/security/passwd
mkrole authorizations=mwt.aix.files.e_s_passwd dfltmsg="CREATED BY MWT, AT 2008-12-01" file_e_s_passwd
setkst
## chuser roles=file_e_s_passwd USERNAME
## Using pvi command you can modify the file /etc/security/passwd
#

相关命令:
pvi /etc/passwd
tvi /etc/passwd
vi /etc/passwd
说明:本部分只关注了能写(修改)不在RBAC特权文件数据库中的某文件时所需要的角色,因为感觉实际工作用不到“只读”的情况,毕竟能写就一定能读。


========================================================================
任何形式的转载,请写明出处:
email:
blog:    http://www.cublog.cn/u/739/
========================================================================
