Date: 14-04-21  Time: 11:33 AM

Recent Posts

Pages: [1] 2 3 ... 10
1
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by bhm on February 22, 2021, 09:43:55 AM »
Hi !

Mmm... For AIX 7.1 and 6.1, it takes effort and time.

For AIX 5.3, it can turn into penalties for not being compliant regarding security breaches like this last one.
Even if those OS versions are a hundred years old...

You should start by adding a "Donation" box on the homepage, so anybody can participate :-)

Bye.

2
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by Michael on February 22, 2021, 09:26:50 AM »
I suppose I should consider asking $$ or euros - does this save you $$ time or effort?
3
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by bhm on February 22, 2021, 09:16:03 AM »
Hello Michael,

And it is a success!!! A few reconfigurations to match my config files, that's normal... It is perfect!!!

I've tested it on AIX 5.3 TL12 and 7.1 TL05

Again, thank you for all your work on your Tools, you relieve our AIX Admin brains, and for your huge reactivity on that case :-)

Bye!
4
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by Michael on February 20, 2021, 12:32:25 PM »
If all is working well: http://download.aixtools.net/tools/aixtools.sudo-ldap.1.9.5.1602.I should work on your AIX 5.3 systems
5
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by Michael on February 19, 2021, 06:30:47 PM »
OK. Now I know what to build. Much easier to plan!

btw: the CVE mentioned was already patched in the 1.8.31 version. The CVE was valid for 1.8.28 and earlier - if I read that correctly.
6
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by bhm on February 19, 2021, 04:49:16 PM »
Hi Michael !

Enjoy your family time!!

All AIX 6.1 and 7.1 are patched with RPM version now on my side.

Only AIX 5.3 TL12 SP9 remaining. I used "aixtools.sudo-ldap.1.8.31.1.I" version on them last year and it worked perfectly.
I was looking for the same but with SUDO 1.9.5p2

Thanks
7
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by Michael on February 19, 2021, 04:41:15 PM »
sudo-ldap will do either IBM ldap - if that software is installed, or openldap - if that is installed.

sudo or sudo-ldap - if integrated with RBAC - is only suitable for AIX 6.1 and later.

Are you interested in my packaging of sudo for AIX 6.1/7.1 - as you have already updated?

I'll get several versions re-made next week. Off to see my grandson! Priorities!

Michael

p.s. - AIX 5.3 - TL12 I hope - if not, let me know - I'll reinstall my TL7 image.
8
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by bhm on February 19, 2021, 10:36:52 AM »
Hi Michael,

Ok, that's also a great solution.

When I'm checking build options, I see "--without-ldap", which causes SUDO to use IBM libs.. and seems to block me. Am I right?
Your previous SUDO-LDAP was using openldap libs and built with the "--with-ldap" option.

For now, I managed to patch AIX 6.1 and 7.x with RPM without too many difficulties and openldap libs. But AIX 5.3 puts up some resistance with RPMs... :-)

Thanks again.

9
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by Michael on February 18, 2021, 05:36:41 PM »
OK. Sudo-ldap was 1.8.31 still. For the sudo-rbac, I'll need to build a new one.

The key elements: sudo is not SUID (root), it is 'just an application' - that I set up to be owned by 'sudo' - and it runs, under the covers, as SUID (sudo) so that it can read and edit the sudo-config files.

From my presentation - in 2017 - I have this as the basic setup after installation:
mkauth sudo
setkst
mkrole authorizations='sudo' dfltmsg='sudoers role' sudoers
setkst
setsecattr -c accessauths=sudo innateprivs=PV_DAC_GID,PV_DAC_R inheritprivs=PV_ROOT secflags=FSF_EPS /opt/bin/sudo
setkst

chmod og-rwx /opt/bin/sudo

mkuser roles=sudoers michael
pwdadm michael
Changing password for "michael"
michael's New password:
Setting "michael's" password to NULL.
As root: add michael as a sudoer

vi /var/sudo-rbac/etc/sudoers
# add michael as test user
michael ALL=(ALL) ALL
And working with sudo - as michael:
ls -l /opt/bin/sudo
-rws------    1 bin      bin          431763 Sep 25 20:42 /opt/bin/sudo

sudo ls /etc/security
ksh: sudo: 0403-006 Execute permission denied.

michael@x065:[/home/michael]swrole sudoers
michael's Password:

michael@x065:[/home/michael]sudo ls /etc/security

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
acl              domains          ice              mkuser.default   privcmds         pwdhist.dir      smitacl.user     user.roles
aixpert          domobjs          lastlog          mkuser.sys       privcmds.backup  pwdhist.pag      sysck.cfg
audit            environ          ldap             passwd           privdevs         roles            tsd
authorizations   fpm              limits           portlog          privfiles        services         tss
certificates     group            login.cfg        priv             pwdalg.cfg       smitacl.group    user

michael@x065:[/home/michael]ls /etc/security
ls: /etc/security: The file access permissions do not allow the specified action.
* So, the key difference is that sudo is not SUID root - and only users with an active role can execute sudo.
* That is, if you do not have the role to access sudo - you cannot even probe whether the setup is weak.
* Without RBAC as a security mechanism - everyone can execute sudo - and it is up to the sudo configuration to stop - after the fact - unauthorized users.
* The rest of the configuration is the same.
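An added example, not from Michael's post or the aixtools project: a small POSIX sh check that an admin can run after the mkauth/mkrole/setsecattr/chmod steps above, to confirm the installed binary matches the RBAC model the post describes (setuid to a non-root account, no group/other access, so users without the role cannot even execute it). The path /opt/bin/sudo and the expected permission string "-rws------" are taken from the post's own ls output; the function reads ls -ld, which works the same on AIX ksh and Linux sh, and only assumes the owner is not root (the post uses the convention of an owner named 'sudo').

```sh
#!/bin/sh
# Added check (not the forum's or aixtools' own code): verify that a sudo
# binary deployed the RBAC way is NOT setuid-root and is owner-only.
#
# check_sudo_rbac_mode FILE
#   returns 0 when FILE is "-rws------" (setuid, og-rwx) and not owned by root
#   prints the reason and returns 1 otherwise
check_sudo_rbac_mode() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }

    # ls -ld is portable across AIX and Linux:
    #   field 1 = permission string, field 3 = owner name
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3

    # A setuid bit on a root-owned file is the classic SUID-root sudo;
    # the RBAC setup deliberately avoids that.
    if [ "$owner" = "root" ]; then
        echo "FAIL: $f is owned by root (a setuid bit would make it setuid-root)"
        return 1
    fi

    # Expect the exact string from the post: setuid set, no group/other bits.
    # Trailing "." or "+" (SELinux/ACL markers on Linux) are tolerated.
    case $mode in
        -rws------*) ;;
        *) echo "FAIL: $f mode is $mode, expected -rws------"; return 1 ;;
    esac

    echo "OK: $f is setuid to '$owner' (not root) and og-rwx"
    return 0
}

# Usage on an AIX box set up as in the post (assumed path):
#   check_sudo_rbac_mode /opt/bin/sudo
```

A 4755 root-owned result means the binary was installed the traditional way and every local user can run it, which is exactly the situation the post's RBAC setup is meant to avoid; a 0700 result means the setuid bit is missing and sudo will not be able to read its own configuration.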
10
AIXTOOLS / Re: New version based on SUDO 1.9.5p2 ?
« Last post by bhm on February 18, 2021, 04:02:00 PM »
Yeah!!! Great!

Can you please give an example of RBAC authentication for users?

sudo-ldap was very easy with no extra config.

Thanks again
