I need to grant read permission to a normal user on the sulog file on AIX 6.1.
As root I ran acledit sulog, and aclget shows "extended permissions" as "enabled" and the normal user "splunk" has read permissions. When I try to access sulog as the splunk user it won't allow it, and aclget run as the splunk user shows "extended permissions" as "disabled". Please advise, thanks!!
splunk@TESTAIX61(/var/adm)# uname -a
AIX TESTAIX61 1 6 00CACC954C00
splunk@TESTAIX61(/var/adm)# oslevel -s
6100-09-12-1838
splunk@TESTAIX61(/var/adm)#
root@TESTAIX61(/var/adm)# acledit sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/var/adm)# aclget sulog
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rw-
group(system): ---
others: ---
extended permissions
enabled
permit r-x u:splunk
root@TESTAIX61(/var/adm)# su - splunk
splunk@TESTAIX61(/home/splunk)# tail /var/adm/sulog
/var/adm/sulog: Permission denied
splunk@TESTAIX61(/home/splunk)# id
uid=228(splunk) gid=206(splunk) groups=1(staff)
splunk@TESTAIX61(/home/splunk)# cd /var/adm
splunk@TESTAIX61(/var/adm)# aclget sulog
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rw-
group(system): ---
others: ---
extended permissions
disabled
permit r-x u:splunk
splunk@TESTAIX61(/var/adm)#
Thanks zxmaus for your reply. I think I tried that as well in my first attempt. However, I tried it again, but no luck. It's almost shocking that there is no working/proven documentation anywhere about AIX ACLs.
Yes, RBAC is enabled on our AIX machines. I noticed that once I enable the ACLs, aclget shows them enabled, and the moment I log in as the splunk user the extended permissions immediately get disabled. Please see below, where I continuously monitored the ACL permissions in one putty session and logged in as the splunk user in another putty session, which immediately disabled the ACLs. (I trimmed most of the "enabled" part of the screen log.)
Surprisingly, if I was already logged in as the splunk user before running acledit, then the splunk user is able to read the sulog file, but not after I log in as splunk in another putty session.
It looks like one of the user login profiles is doing this change? Is that normal in an RBAC environment? I pasted .profile and /etc/profile at the end.
Please advise, thanks again for your patience.
root@TESTAIX61(/)# oslevel -s
6100-09-12-1838
root@TESTAIX61(/)#
root@TESTAIX61(/)# lsattr -El sys0 -a enhanced_RBAC
enhanced_RBAC true Enhanced RBAC Mode True
root@TESTAIX61(/)#
root@TESTAIX61(/)# acledit /var/adm/sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/)# while true; do
> date ; sleep 3
> aclget /var/adm/sulog
> done
Mon Nov 4 03:10:15 GMT 2019
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rw-
group(system): ---
others: ---
extended permissions
enabled
permit r-- u:splunk,g:splunk
Mon Nov 4 03:10:18 GMT 2019
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rw-
group(system): ---
others: ---
extended permissions
enabled
permit r-- u:splunk,g:splunk
Mon Nov 4 03:11:50 GMT 2019
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rw-
group(system): ---
others: ---
extended permissions
disabled
permit r-- u:splunk,g:splunk
Mon Nov 4 03:11:53 GMT 2019
^C
root@TESTAIX61(/)#
splunk@TESTAIX61(/home/splunk)# cat .profile
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.
export PATH
if [ -s "$MAIL" ] # This is at Shell startup. In normal
then echo "$MAILMSG" # operation, the Shell checks
fi # periodically.
splunk@TESTAIX61(/home/splunk)# cat /etc/profile
trap "" 1 2 3
readonly LOGNAME
MAIL=/usr/spool/mail/$LOGNAME
MAILMSG="[YOU HAVE NEW MAIL]"
TERM_DEFAULT=lft
TERM=`termdef`
TERM=${TERM:-$TERM_DEFAULT}
if [ "$LC_MESSAGES" = "C@lft" -a "$TERM" != "lft" ]
then
unset LC_MESSAGES
fi
export LOGNAME MAIL MAILMSG TERM
PS1="$(whoami)@$(hostname|cut -d'.' -f1)(\$PWD)# "
export PS1
trap 1 2 3
set -o vi
export HISTCONTROL=ignorespace
stty erase ^?
splunk@TESTAIX61(/home/splunk)# pwd
/home/splunk
splunk@TESTAIX61(/home/splunk)#
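As an added illustration (my own code, not from this thread or from AIX), here is a small Python model of how the aclget listings above are read: it parses the AIXC text and works out the bits a process ends up with, which shows why the same permit line grants read only while the "extended permissions" line says enabled and falls back to the base "others: ---" once it says disabled. It assumes permit entries only, with every identity in a comma-separated entry required to match; deny/specify entries and RBAC are not modelled.

```python
# Added example (not from the thread): parse AIXC `aclget` output and work out what
# a process gets. Models base permissions plus "permit" entries only (no deny/specify).
import re

# Constructed sample: the ACL after a splunk login flipped extended permissions off.
SAMPLE_ACL = """\
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rw-
group(system): ---
others: ---
extended permissions
disabled
permit r-- u:splunk,g:splunk
"""

def parse_acl(text):
    acl = {"base": {}, "extended_enabled": False, "permits": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(owner|group|others)(?:\((\w+)\))?:\s+([rwx-]{3})$", line)
        if m:
            acl["base"][m.group(1)] = (m.group(2), m.group(3))
        elif line in ("enabled", "disabled"):
            acl["extended_enabled"] = line == "enabled"
        else:
            m = re.match(r"permit\s+([rwx-]{3})\s+(\S+)$", line)
            if m:  # every listed identity must match, e.g. u:splunk AND g:splunk
                acl["permits"].append((m.group(1), set(m.group(2).split(","))))
    return acl

def effective_perms(acl, user, groups):
    owner, owner_perm = acl["base"]["owner"]
    group, group_perm = acl["base"]["group"]
    if user == owner:
        perms = set(owner_perm)
    elif group in groups:
        perms = set(group_perm)
    else:
        perms = set(acl["base"]["others"][1])
    if acl["extended_enabled"]:  # "disabled" means only the base bits count
        ids = {"u:" + user} | {"g:" + g for g in groups}
        for perm, required in acl["permits"]:
            if required <= ids:
                perms |= set(perm)
    return "".join(c if c in perms else "-" for c in "rwx")
```

Feeding it the "enabled" listing for user splunk with group splunk yields "r--"; the "disabled" listing yields "---", matching the "Permission denied" above.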
I have not worked with RBAC ever, so all of this is just guessing, but I think that is your issue here. Can you find out if the root user is actually allowed in RBAC to set ACLs? If he is not, add that permission.
I am wondering as well if it would not be easier to just somehow allow splunk, via RBAC, to read these files?