IBM Support

IV55576: A SYMLINKED CMD WITH TARGET AS HARDLINK MAY FAIL FOR RBAC USER APPLIES TO AIX 6100-09

A fix is available

APAR status

  • Closed as program error.

Error description

  • An RBAC-enabled command may fail when run by an authorized
    user under the following conditions:

    - The subject command resolves to a symbolic link (e.g.
      /etc/pshare is a symlink to /usr/sbin/penable) and the target
      program is hard-linked with another program (e.g.
      /usr/sbin/penable is hard-linked with /usr/sbin/pshare).
    - In the /etc/security/privcmds table, /usr/sbin/pshare and
      /usr/sbin/penable are specified with different RBAC attributes
      (i.e. the two entries have different accessauths, etc.).
    - The PATH environment variable has /etc before /usr/sbin.

    When an authorized user who has a role to execute
    /usr/sbin/pshare runs the "pshare" command, it may fail. In the
    example above, accessx() resolves to the incorrect object
    because the vnode is passed for RBAC verification and hard-linked
    objects have the same vnode. "type pshare" returns /etc/pshare
    instead of /usr/sbin/pshare.
    

Local fix

Problem summary

Problem conclusion

  • Do not pass vnode from accessx() for RBAC verification and
    resolve proper object as part of RBAC table lookup process.
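
    An added example, not IBM code: a check for the configuration in the error description, where privcmds entries with different attributes share one inode and so cannot be told apart by the file object alone. It assumes the table is in stanza form (a "path:" header followed by "key = value" lines); the function names and authorization names are hypothetical, and the file layout is rebuilt under a temporary directory.

```python
import os
import tempfile

# Constructed sample in stanza form; the authorization names are placeholders.
SAMPLE_PRIVCMDS = """\
/usr/sbin/pshare:
    accessauths = example.auth.share
/usr/sbin/penable:
    accessauths = example.auth.enable
"""

def parse_privcmds(text):
    """Parse stanza text: a 'path:' header followed by 'key = value' lines."""
    table, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("*"):        # blank line or comment
            continue
        if line.endswith(":") and "=" not in line:
            current = table.setdefault(line[:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return table

def ambiguous_hardlinks(table, root=""):
    """Group table paths by (device, inode); keep groups whose attributes differ."""
    by_inode = {}
    for path in table:
        if os.path.exists(root + path):             # skip commands not installed
            st = os.stat(root + path)
            by_inode.setdefault((st.st_dev, st.st_ino), []).append(path)
    return {key: sorted(paths) for key, paths in by_inode.items()
            if len({tuple(sorted(table[p].items())) for p in paths}) > 1}

def entries_reached(groups, invoked, root=""):
    """Entries that an inode-only lookup cannot tell apart for the invoked path."""
    st = os.stat(root + invoked)                    # follows the symlink
    return groups.get((st.st_dev, st.st_ino), [])

def demo():
    """Rebuild the APAR's file layout under a temporary root and check it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("/usr/sbin", "/etc"):
            os.makedirs(root + d)
        open(root + "/usr/sbin/penable", "w").close()
        os.link(root + "/usr/sbin/penable", root + "/usr/sbin/pshare")
        os.symlink("../usr/sbin/penable", root + "/etc/pshare")
        groups = ambiguous_hardlinks(parse_privcmds(SAMPLE_PRIVCMDS), root)
        return entries_reached(groups, "/etc/pshare", root)
```

    On a real system, pass the contents of /etc/security/privcmds and leave root empty; any group returned is a set of entries to review.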
    

Temporary fix

Comments

  • 6100-09 - use AIX APAR IV55576
    7100-03 - use AIX APAR IV55629
    7100-04 - use AIX APAR IV55683
    

APAR Information

  • APAR number

    IV55576

  • Reported component name

    AIX 610 STD EDI

  • Reported component ID

    5765G6200

  • Reported release

    610

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Submitted date

    2014-02-17

  • Closed date

    2014-02-17

  • Last modified date

    2016-05-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IV55629 IV55683

Fix information

  • Fixed component name

    AIX 610 STD EDI

  • Fixed component ID

    5765G6200

Applicable component levels

  • R610 PSY U859304

       UP14/05/21 I 1000

PTF to Fileset Mapping



Document information

More support for: AIX Standard Edition

Software version: 610

Operating system(s): AIX

Reference #: IV55576

Modified date: 10 May 2016