Using enhanced RBAC in applications

Many applications do not require any modifications to run successfully in the enhanced RBAC environment. Simply defining the application's access authorizations and associated privileges and then assigning the application to the privileged command database may be sufficient.

However, an application can also use enhanced RBAC directly, calling RBAC interfaces to control its own execution at a granular level, which results in a more secure application. Applications that might benefit from integration with enhanced RBAC include the following:
  • Applications that restrict use to either the root user or members of a specific group. These applications typically check for effective user identity or group membership and can be modified to check for an authorization instead.
  • Applications that utilize setuid or setgid mode bits to allow unprivileged users to gain privileges during the command invocation. These applications are usually more secure when they use privilege bracketing, so that less privilege is used to accomplish their task.
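
Both changes in one routine, as an added example that is not code from the original page: the root-identity test becomes an authorization check, and the privilege is raised only around the single call that needs it. On AIX the block uses the `checkauths`, `priv_raise` and `priv_lower` subroutines with the `PV_DAC_R` privilege; on other systems a constructed in-process stand-in (`model_*`) lets the control flow run. The authorization name `example.backup.run` and the functions `backup_file` and `read_protected` are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#ifdef _AIX                                /* real enhanced RBAC interfaces */
#include <fcntl.h>
#include <unistd.h>
#include <usersec.h>                       /* checkauths(), CHECK_ANY */
#include <userpriv.h>                      /* priv_raise(), priv_lower() */
#include <sys/priv.h>                      /* PV_DAC_R */
static int read_protected(const char *path) {
    int fd = open(path, O_RDONLY);         /* succeeds past DAC only with PV_DAC_R */
    return fd < 0 ? -1 : close(fd);
}
#else  /* constructed stand-in (assumption) so the flow can run off AIX */
#define PV_DAC_R  1
#define CHECK_ANY 0
static const char *model_auths = "";       /* authorization the process holds */
static int model_max = PV_DAC_R;           /* privileges it is allowed to raise */
static int model_eff = 0;                  /* privileges currently in effect */
static int checkauths(const char *a, int f) { (void)f; return strcmp(a, model_auths) ? -1 : 0; }
static int priv_raise(int p, ...) { if (!(model_max & p)) return 1; model_eff |= p; return 0; }
static int priv_lower(int p, ...) { model_eff &= ~p; return 0; }
static int read_protected(const char *path) { (void)path; return (model_eff & PV_DAC_R) ? 0 : -1; }
#endif

#define BACKUP_AUTH "example.backup.run"   /* hypothetical authorization name */

/* 0 = done, -1 = not authorized, -2 = cannot raise privilege, -3 = read failed */
int backup_file(const char *path) {
    int rc;
    if (checkauths((char *)BACKUP_AUTH, CHECK_ANY) != 0)  /* replaces a geteuid() == 0 test */
        return -1;
    if (priv_raise(PV_DAC_R, -1) != 0)     /* bracket opens */
        return -2;
    rc = read_protected(path);             /* the only step that needs PV_DAC_R */
    priv_lower(PV_DAC_R, -1);              /* bracket closes before any other work */
    return rc == 0 ? 0 : -3;
}

int main(int argc, char **argv) {
    printf("backup_file -> %d\n", backup_file(argc > 1 ? argv[1] : "sample.dat"));
    return 0;
}
```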