Try to block an unauthorized user's access even if he su.

[halt]

/home/db2inst1 is the object I wanna protect.

And there are three different user:
1.db2inst1 - owner of /home/db2inst1.
2.user01 - authorized to access /home/db2inst1.
3.user02 - not authorized to access /home/db2inst1.

At DCL or ACL level,I know how to prevent user02 from accessing /home/db2inst1,
But as long as user02 succesfully su to db2inst1,I'll lose the access control on him.

Is there a way I can block an unauthorized user from a directory even if he su to the owner of the dir?

My AIX oslevel:
7100-01-06-1241

[Michael]

Using RBAC domains - should - resolve this, because domains are assigned when you login and su (and su -) are not (intended) to change this. Just as after su your RUID (real user id) follows you, so do your RBAC domains.

Unfortunately, RBAC domains do not seem to be working on directories atm. I am researching this myself, but I expect this will require a fix (hopefully) or a change (may take longer).

My suggestion is that you open a PMR with IBM and report that it is not working as intended. If IBM responds working as design then you would need to submit a request for change. Your local IBM support should be able to assist you with both processes, should you need/want any assistance.

[Michael]

Another approach would be to use the attribute sugroups for db2inst1. By keeping user2 out of any group permitted to su to db2inst1 you would prevent user2 from ever being able to su to db2inst1.

[halt]

My test result of domain RBAC:
As along as the user su to the account which has the domain RBAC permission to the file,
the access to the file is allowed.

Here are my settings:
1./home/db2inst2/file01.txt - the file I wanna protect,permissions are:
-rw-------    1 db2inst2 db2grp2          31 Aug 29 11:51 file01.txt
2.db2inst2 - the owner of file01.txt.
3.db2grp2 - the pgrp of db2inst2.
4.db2dom2 - the domain of file01.txt.
3.user01 - the user which is not allowed to access file01.txt.

Part A - Owner vs.Domain.

1.As db2inst2,I can access file01.txt:
$ pwd
/home/db2inst2
$ ls -l
total 8
-rw-r-----    1 db2inst2 db2grp2          31 Aug 29 11:51 file01.txt
$ cat file01.txt
This is the content.

2.Then I login as root to config the domain setting:
$ setsecattr -o domains=db2dom2 objtype=file /home/db2inst2/file01.txt
$ setkst

3.Relogin as db2inst2,even the owner(db2inst2) of file01.txt can't access file01.txt:
$ cat file01.txt
cat: 0652-050 Cannot open file01.txt.

4.Loging as root,give db2dom2 to db2inst2:
$ chuser domains=db2dom2 db2inst2

5.Relogin as db2inst2,now db2inst2 can access to file01.txt with domain authorization.
$ cat file01.txt
This is the content.

=> The result of Part A is expected,I have no question about it.

[halt]

Part B - Non-owner vs. Domain

1.Now I login as user01 which can't access file01.txt through ACL or domain:
$ whoami
user01
$ cd /home/db2inst2
$ ls -l
total 8
-rw-r-----    1 db2inst2 db2grp2          31 Aug 29 11:51 file01.txt
$ cat file01.txt
cat: 0652-050 Cannot open file01.txt.

2.But once I su from user01 to db2inst2,
I can access file01.txt because db2inst2 has the domain power:
$ whoami
user01
$ su - db2inst2
db2inst2's Password:
$ whoami
db2inst2
$ pwd
/home/db2inst2
$ ls -l
total 8
-rw-r-----    1 db2inst2 db2grp2          31 Aug 29 11:51 file01.txt
$ cat file01.txt
This is the content.

=> Seems that I can't block user01 from file01.txt after it su to db2inst2.Would my exam be correct?

[Michael]

Yes, your workout seems correct - although I would also try su (without the -). I expect the domain remains in effect as su - is meant to perform the entire login procedure, but not change the RUID for accounting - whereas su (without the minus) does not go through the login process.

So, the basic question - is it your intent to keep user0X from being able to su - in any form - to db2inst1?

If yes, the following will prevent all users from su to db2inst1 unless they are in the group db2suok

Code: [Select]

# mkgroup db2suok
# chuser sugroups=db2suok
To permit a user (e.g., michael, u203 and u204) to su to db2inst1 use chgrpmem:

Code: [Select]

michael@x054:[/home/michael]chgrpmem
Usage: chgrpmem [-R load_module] [ { -a | -m } { + | - | = } user1,user2 ... ] group

Code: [Select]

# grep db2suok /etc/group
db2suok:!:202:rbooks
# chgrpmem -R files -m + michael,u204,u203 db2suok
# grep db2suok /etc/group                         
db2suok:!:202:rbooks,michael,u204,u203
And to remove them again use:

Code: [Select]

# chgrpmem -R files -m - michael,u204,u203 db2suok
# grep db2suok /etc/group                         
db2suok:!:202:rbooks