lpacl Information

Purpose

Provides general information about protecting the least-privilege (LP) commands resource class and its resources by using access controls that are provided by the resource monitoring and control (RMC) subsystem.

Description

RMC controls access to all of its resources and resource classes through access control lists (ACLs), using two different ACL implementations. The implementation that RMC uses depends on which class is involved. The two major differences between the implementations are in: 1) the mechanisms with which ACLs are viewed and modified and 2) whether ACLs are associated with individual resources.

RMC implements access controls for its resources and resource classes in the following ways:
  1. Through ACLs that are defined by resource class stanzas in the ctrmc.acls file.

    You can view these ACLs by examining the ctrmc.acls file. You can modify these ACLs using the chrmcacl command. Use a stanza to define an ACL that applies to a class or to all of the resources in a class.

    RMC uses this method for all of its resources and resource classes, except for the IBM.LPCommands resource class and its resources.

  2. Through ACLs that are associated with resources and a resource class within the RMC subsystem.

    You can view and modify these ACLs using LP commands. You can define an ACL that applies to a class or an ACL that applies to an individual resource of a class.

    RMC uses this method for the IBM.LPCommands resource class and its resources.

    This section provides information about ACLs that are specific to the IBM.LPCommands resource class and its resources.

The LP resource manager uses the IBM.LPCommands resource class to define LP resources. These resources represent commands or scripts that require root authority to run, but typically the users who need to run these commands do not have root authority. By using the LP resource manager commands, users can run commands that require root authority. The LP resource manager commands are:
chlpcmd
    Changes the read or write attribute values of an LP resource.
lphistory
    Lists or clears a certain number of LP commands that were previously issued during the current RMC session.
lslpcmd
    Lists information about the LP resources on one or more nodes in a domain.
mklpcmd
    Defines a new LP resource to RMC and specifies user permissions.
rmlpcmd
    Removes one or more LP resources from the RMC subsystem.
runlpcmd
    Runs an LP resource.

For descriptions of these commands, see Least-privilege (LP) resource manager commands in Technical Reference: RSCT for AIX (for AIX®) and Least-privilege (LP) resource manager commands in Technical Reference: RSCT for Multiplatforms (for other operating systems). For information about how to use these commands, see the Administering RSCT guide.

Because each LP resource can define a unique command, RMC implements ACLs for the IBM.LPCommands class that allow access to be controlled at the individual resource level and at the class level. RSCT provides a set of commands that you can use to list and modify the ACLs for the IBM.LPCommands class and its resources. The LP ACL commands are:
chlpclacl
    Changes the Class ACL
chlpracl
    Changes the Resource ACL
chlpriacl
    Changes the Resource Initial ACL
chlprsacl
    Changes the Resource Shared ACL
lslpclacl
    Lists the Class ACL
lslpracl
    Lists the Resource ACL
lslpriacl
    Lists the Resource Initial ACL
lslprsacl
    Lists the Resource Shared ACL
mklpcmd
    Defines a new LP resource to RMC and specifies user permissions

Security

  • To use the LP commands that change the Class ACL, the Resource Initial ACL, and the Resource Shared ACL, you must have query and administrator permission for the IBM.LPCommands class.
  • To use the LP command that changes a Resource ACL for an LP resource, you must have query and administrator permission for the LP resource.
  • To use the LP commands that list the Class ACL, the Resource Initial ACL, and the Resource Shared ACL, you must have query permission for the IBM.LPCommands class.
  • To use the LP command that lists a Resource ACL for an LP resource, you must have query permission for the LP resource.
The Security section of each LP command description indicates which permissions are required for the command to run properly.

Implementation specifics

This information is part of the Reliable Scalable Cluster Technology (RSCT) fileset.

Location

/opt/rsct/man/lpacl.7

Examples

Some examples of how to modify the LP ACLs follow. In these examples, the commands are run on a management server for a group of nodes in a management domain. The management server is named ms_node and the managed nodes are called mc_node1, mc_node2, and so on. In a management domain, it is most likely that the LP resources are defined on the management server and the LP commands themselves are targeted to the managed nodes. In these examples, the Resource Shared ACL is not used because separate permissions are required for the individual LP resources. These examples assume that the LP resources are not yet defined by using the mklpcmd command.
  1. You want to define the lpadmin ID to be the administrator for the LP commands. This ID has the authority to modify the LP ACLs. You also want to give this ID read and write permission to be able to create, delete, and modify the LP resources. To configure this setting, use the root mapped identity to run these commands on the management server:
    chlpclacl lpadmin@LOCALHOST rwa
    chlpriacl lpadmin@LOCALHOST rwa
    These commands define the lpadmin ID on the management server as having administrator, read, and write permission for the IBM.LPCommands class and for the Resource Initial ACL. The Resource Initial ACL is used to initialize a Resource ACL when an LP resource is created. Therefore, when an LP resource is created, the lpadmin ID has administrator, read, and write permission to it.
  2. The lpadmin ID can now create LP resources that define the LP commands that are needed. Access to the LP resources can be defined using the mklpcmd command or the chlpracl command. When the resource is created, the Resource Initial ACL is copied to the Resource ACL. To modify the Resource ACL using the chlpracl command so that joe is able to use the runlpcmd command for the resource named SysCmd1, the lpadmin ID runs this command on the management server:
    chlpracl SysCmd1 joe@LOCALHOST x
    This command gives joe run permission on the management server to the SysCmd1 resource so he can use the runlpcmd command.
  3. In this example, only the lpadmin ID has permission to create, delete, and modify LP resources. Use the chlpclacl command so that other users can create and delete LP resources. In this case, they need to have write access to the class. To be able to list the resources in the IBM.LPCommands class, read permission is required. Read permission on a Resource ACL allows a user to view that LP resource. Write permission on a Resource ACL allows a user to modify that LP resource. To allow joe to view the LP resource named SysCmd1, the lpadmin ID runs this command on the management server:
    chlpracl SysCmd1 joe@LOCALHOST r
  4. There are several nodes in a peer domain. There is an LP resource called SysCmdB1 on nodeB for which joe needs run permission. In addition, joe needs to have run permission from nodes nodeA, nodeB, and nodeD. If you run the chlpracl command on nodeB, you can use joe@LOCALHOST for nodeB, but you need to determine the node IDs for nodeA and nodeD. To obtain the node IDs, enter:
    lsrpnode -i
    The following output is displayed:
    Name    OpState RSCTVersion NodeNum NodeID
    nodeA   Online  3.1.0.0     2       48ce221932ae0062
    nodeB   Online  3.1.0.0     1       7283cb8de374d123
    nodeC   Online  3.1.0.0     4       b3eda8374bc839de
    nodeD   Online  3.1.0.0     5       374bdcbe384ed38a
    nodeE   Online  3.1.0.0     2       ba74503cea374110
    nodeF   Online  3.1.0.0     1       4859dfbd44023e13
    nodeG   Online  3.1.0.0     4       68463748bcc7e773
    Then, to give joe the permissions as stated earlier, run on nodeB:
    chlpracl SysCmdB1 -l joe@LOCALHOST joe@0x48ce221932ae0062 \
    joe@0x374bdcbe384ed38a x
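The node-ID lookup in example 4, as an added shell helper that is not part of the lpacl man page: it turns node names from lsrpnode -i output into the user@0x<NodeID> identities that chlpracl -l expects, substituting user@LOCALHOST for the node the command is run on. The lsrpnode output is embedded as a constructed sample built from the listing above, and the function name lp_acl_ids is hypothetical; in a real domain you would replace the sample with the live output of lsrpnode -i.

```shell
#!/bin/sh
# Constructed sample of `lsrpnode -i` output (values taken from the listing
# in example 4); replace with "$(lsrpnode -i)" on a real peer domain.
LSRPNODE_SAMPLE='Name    OpState RSCTVersion NodeNum NodeID
nodeA   Online  3.1.0.0     2       48ce221932ae0062
nodeB   Online  3.1.0.0     1       7283cb8de374d123
nodeD   Online  3.1.0.0     5       374bdcbe384ed38a'

# lp_acl_ids USER LOCALNODE NODE...
# Prints the space-separated identity list for "chlpracl <resource> -l":
# LOCALNODE becomes USER@LOCALHOST, every other node becomes USER@0x<NodeID>.
# Fails (exit 1) if a requested node is not in the lsrpnode output, so a
# typo cannot silently grant permission to the wrong identity.
lp_acl_ids() {
    user=$1
    local_node=$2
    shift 2
    out=""
    for node in "$@"; do
        if [ "$node" = "$local_node" ]; then
            id="${user}@LOCALHOST"
        else
            nodeid=$(printf '%s\n' "$LSRPNODE_SAMPLE" |
                     awk -v n="$node" '$1 == n { print $5 }')
            if [ -z "$nodeid" ]; then
                echo "lp_acl_ids: unknown node: $node" >&2
                return 1
            fi
            id="${user}@0x${nodeid}"
        fi
        out="${out:+$out }$id"
    done
    printf '%s\n' "$out"
}

# Scenario from example 4, run on nodeB: joe needs run (x) permission on
# SysCmdB1 from nodeA, nodeB, and nodeD. Only the command line is printed
# here; nothing is changed.
echo "chlpracl SysCmdB1 -l $(lp_acl_ids joe nodeB nodeB nodeA nodeD) x"
```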