AIX V3 security configuration question

Post by Dave Clo » Sun, 26 May 1991 07:14:00

InfoExplorer (the -03 CDROM) on AIX V3.1.5 has several references to the
need for a user to have some kind of permission in order to use a specific
command.  For example, the xmanage command states that the user must have
"NET_CONFIG permission" in order to start monitoring the X.25 line.  The
xmonitor command requires both "NET_CONFIG permission" and "RAS_CONFIG
permission" for any use at all.  I have asked Info to find all references
to NET_CONFIG but the only ones found are in articles like xmanage which
state that the permission is required.  Info did not find any references
to what NET_CONFIG permission *is* or how to acquire it.

My interest is not specifically directed toward management of an X.25 port
but to the general question of how to delegate authority without giving the
root password to every user.  Of course, I can simply make xmanage, xmonitor,
et al., suid root, but I would prefer to specifically select which users are
allowed to use these commands.  Access control lists are another possible
solution, but they require that I know in advance all the commands to which
I should apply a list.  Since Info seems to believe that IBM has considered
this topic and designated certain commands as requiring certain permissions,
I would like to take advantage of that.

It may be only my previous association with VMS but these "permissions"
remind me of DEC's privileges.  If so, there should be somewhere I could
simply declare which permissions should apply to which users.  Does anyone
know where permissions are described in the manuals or Info?  Has anyone
found a way to use them?

Generally, I think a Unix-like system should be operable essentially without
ever becoming the root user.  That is, I should be able to assign subsets
of root privilege to various users, including the entire root privilege to
a single user.  So long as I am careful to assign every privilege to at least
one user, it should work.  Unfortunately, I don't know of any systems which
actually allow that.  Do you?  IMHO, the all-or-nothing approach of root is a
*severe* limitation on the acceptability of Unix in a commercial environment.

--
        Dave Close         Shared Financial Systems          Dallas

                uunet!shared!davec       fax +1 214 458 3876
        My comments are my opinions and may not be shared by Shared.
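A worked example of the "suid root, but only for selected users" option that the post weighs: a small setuid-root wrapper that lets members of one Unix group run a single privileged command and refuses everyone else. This is an added example, not code from the original post, from IBM, or from AIX; the group name "netcfg", the target path "/usr/bin/xmanage", and the fixed PATH are assumptions chosen for illustration. The decision is made on the real (invoking) uid, not the effective one, so the check asks who typed the command rather than who the binary runs as.

```c
/* Added example (not from the original post): a setuid-root wrapper that
   delegates one privileged command to members of a named group.
   Build, then install as root:  chown root wrap; chmod 4755 wrap
   The group name and target path below are assumptions. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define ALLOWED_GROUP "netcfg"          /* assumed group name */
#define TARGET        "/usr/bin/xmanage" /* assumed absolute path */

/* Return 1 if `user` is a member of group `gr`: either because the
   user's primary gid `user_gid` equals the group's gid, or because the
   user is listed in the group's supplementary member list.  Returns 0
   when `gr` is NULL (group does not exist), so a typo in the group name
   fails closed rather than open. */
int user_in_group(const struct group *gr, const char *user, gid_t user_gid)
{
    if (gr == NULL || user == NULL)
        return 0;
    if (gr->gr_gid == user_gid)
        return 1;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Decide whether the invoking user may run the target.  Uses getuid(),
   the real uid, because under setuid the effective uid is already root
   and would always pass. */
int caller_allowed(const char *group_name)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return 0;
    struct group *gr = getgrnam(group_name);
    return user_in_group(gr, pw->pw_name, pw->pw_gid);
}

int main(int argc, char **argv)
{
    (void)argc;
    if (!caller_allowed(ALLOWED_GROUP)) {
        fprintf(stderr, "%s: you are not a member of group %s\n",
                argv[0], ALLOWED_GROUP);
        return 1;
    }

    /* Make the real uid root as well, since some tools test getuid()
       rather than geteuid(); with euid 0 this sets all uids. */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }

    /* Setuid hygiene: fixed environment, fixed absolute path, and
       execve() rather than system() so no shell interprets arguments. */
    char *env[] = { "PATH=/usr/bin:/bin", NULL };
    argv[0] = TARGET;
    execve(TARGET, argv, env);
    perror("execve");   /* only reached if the exec failed */
    return 127;
}
```

One wrapper per delegated command keeps the grant narrow: group membership, not the root password, is what you hand out, and taking it back is a one-line edit to the group file.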