Unable to set ACLs on sulog - need to grant read permission to a normal user on AIX 6.1

Hi,

I need to grant read permission to a normal user on sulog file on AIX 6.1.

As root I did acledit sulog, and aclget shows "extended permissions" as "enabled" and the normal user "splunk" has read permissions. When I try to access sulog as the splunk user it won't allow it, and aclget for the splunk user shows "extended permissions" as "disabled". Please advise, thanks!!

splunk@TESTAIX61(/var/adm)#  uname -a
AIX TESTAIX61 1 6 00CACC954C00
splunk@TESTAIX61(/var/adm)#  oslevel -s
6100-09-12-1838
splunk@TESTAIX61(/var/adm)#
root@TESTAIX61(/var/adm)#  acledit sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/var/adm)#   aclget sulog
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r-x     u:splunk
root@TESTAIX61(/var/adm)#  su - splunk
splunk@TESTAIX61(/home/splunk)#  tail /var/adm/sulog
/var/adm/sulog: Permission denied
splunk@TESTAIX61(/home/splunk)#  id
uid=228(splunk) gid=206(splunk) groups=1(staff)
splunk@TESTAIX61(/home/splunk)#  cd /var/adm
splunk@TESTAIX61(/var/adm)#  aclget sulog
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    disabled
    permit   r-x     u:splunk
splunk@TESTAIX61(/var/adm)#

Perhaps /var is not mounted "ACL compliant"? I tried to remount /var with the "acl" option; it throws "Invalid mount option".

Have you tried to give splunk just read and not execute permissions?

Thanks zxmaus for your reply. I think I tried that as well in my first attempt. However, I tried it again but no luck. It's almost shocking that there is no working/proven documentation anywhere about AIX ACLs.

root@TESTAIX61(/var/adm)#  EDITOR=/usr/bin/vi; export EDITOR
root@TESTAIX61(/var/adm)#  acledit sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/var/adm)#  id splunk
uid=228(splunk) gid=206(splunk) groups=1(staff)
root@TESTAIX61(/var/adm)#  aclget sulog
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r--     u:splunk
    permit   r--     g:splunk
root@TESTAIX61(/var/adm)#  su - splunk
splunk@TESTAIX61(/home/splunk)#  pwd
/home/splunk
splunk@TESTAIX61(/home/splunk)# id
uid=228(splunk) gid=206(splunk) groups=1(staff)
splunk@TESTAIX61(/home/splunk)# tail /var/adm/sulog
/var/adm/sulog: Permission denied
splunk@TESTAIX61(/home/splunk)# aclget /var/adm/sulog
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    disabled
    permit   r--     u:splunk
    permit   r--     g:splunk
splunk@TESTAIX61(/home/splunk)#

Do you have RBAC enabled?
Try to put the user and group on the same line:

permit    r--  u:splunk, g:splunk
2 Likes

Thanks again zxmaus. Still no luck.

Yes, RBAC is enabled on our AIX machines. I noticed that once I enable ACLs, aclget shows them enabled, and the moment I log in as the splunk user, the extended permissions immediately get disabled. Please see below, where I continuously monitored the ACL permissions in one putty session and logged in as the splunk user in another putty session, which immediately disabled the ACLs. (I trimmed most of the "enabled" part of the screen log.)

Surprisingly, if I am already logged in as the splunk user before running acledit, then the splunk user is able to read the sulog file, but not after I log in as splunk in another putty session.

It looks like one of the user login profiles is doing this change? Is that normal in an RBAC environment? I pasted .profile and /etc/profile at the end.

Please advise, thanks again for your patience.

root@TESTAIX61(/)#  oslevel -s
6100-09-12-1838
root@TESTAIX61(/)#
root@TESTAIX61(/)#  lsattr -El sys0 -a enhanced_RBAC
enhanced_RBAC true Enhanced RBAC Mode True
root@TESTAIX61(/)#
root@TESTAIX61(/)#  acledit /var/adm/sulog
Should the modified ACL be applied? (yes) or (no) yes
root@TESTAIX61(/)#  while true; do
> date ; sleep 3
> aclget /var/adm/sulog
> done
Mon Nov  4 03:10:15 GMT 2019
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r--     u:splunk,g:splunk
Mon Nov  4 03:10:18 GMT 2019
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r--     u:splunk,g:splunk
Mon Nov  4 03:11:50 GMT 2019
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    disabled
    permit   r--     u:splunk,g:splunk
Mon Nov  4 03:11:53 GMT 2019
^C
root@TESTAIX61(/)#
splunk@TESTAIX61(/home/splunk)#  cat .profile


PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.

export PATH

if [ -s "$MAIL" ]           # This is at Shell startup.  In normal
then echo "$MAILMSG"        # operation, the Shell checks
fi                          # periodically.
splunk@TESTAIX61(/home/splunk)#  cat /etc/profile

trap "" 1 2 3
readonly LOGNAME

MAIL=/usr/spool/mail/$LOGNAME
MAILMSG="[YOU HAVE NEW MAIL]"

TERM_DEFAULT=lft
TERM=`termdef`
TERM=${TERM:-$TERM_DEFAULT}

if [ "$LC_MESSAGES" = "C@lft" -a "$TERM" != "lft" ]
then
        unset LC_MESSAGES
fi

export LOGNAME MAIL MAILMSG TERM

PS1="$(whoami)@$(hostname|cut -d'.' -f1)(\$PWD)# "
export PS1

trap 1 2 3
set -o vi
export HISTCONTROL=ignorespace
stty erase ^?
splunk@TESTAIX61(/home/splunk)#  pwd
/home/splunk
splunk@TESTAIX61(/home/splunk)#
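A way to check the two things this thread keeps asking mechanically (is the "extended permissions" block enabled, and does a given user actually get read through a permit entry), as an added example that is not part of the thread and not an AIX tool. It assumes only the aclget output format shown in the listings above; the function names, the constructed sample ACL text and the comma-separated group list are my own. It deliberately does not evaluate deny or specify entries, so a positive result is a necessary condition for access, not proof of it.

```shell
#!/bin/sh
# Added example, not code from the thread. It parses the text that AIX aclget
# prints for an AIXC ACL (format taken from the listings above) and reports
# whether the "extended permissions" block is enabled and whether a user gets
# read access through a permit entry. Sample ACL text is constructed to match
# the thread's aclget output.

# Constructed sample matching the root-side aclget listing for /var/adm/sulog.
SAMPLE_ACL='*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(root):  rw-
    group(system):  ---
    others:  ---
extended permissions
    enabled
    permit   r--     u:splunk,g:splunk'

# acl_ext_state < acl_text
# Prints "enabled" or "disabled" (the keyword under "extended permissions").
# With AIXC ACLs, "disabled" means every permit/deny/specify entry is ignored
# and only the base permissions apply, which is why splunk got "Permission
# denied" even though its permit entry was still listed.
acl_ext_state() {
    awk '
        /^extended permissions/ { inext = 1; next }
        inext && /^[ \t]*(enabled|disabled)[ \t]*$/ { print $1; exit }
    '
}

# acl_user_read_permitted USER GROUPS < acl_text
# GROUPS is a comma-separated list of the user's groups (as printed by id).
# Exit 0 only if the extended block is enabled AND some permit entry with "r"
# names u:USER or g:<one of GROUPS>. Identities may be written as
# "u:splunk,g:splunk" or "u:splunk, g:splunk" (both forms appear in the thread).
# deny/specify entries are not evaluated: a match here is necessary, not sufficient.
acl_user_read_permitted() {
    awk -v user="$1" -v groups="$2" '
        BEGIN {
            n = split(groups, g, ",")
            for (i = 1; i <= n; i++) want["g:" g[i]] = 1
            want["u:" user] = 1
        }
        /^extended permissions/ { inext = 1; next }
        inext && /^[ \t]*enabled[ \t]*$/  { enabled = 1; next }
        inext && /^[ \t]*disabled[ \t]*$/ { enabled = 0; next }
        inext && $1 == "permit" && substr($2, 1, 1) == "r" {
            ids = ""
            for (i = 3; i <= NF; i++) ids = ids "," $i   # rejoin "u:a, g:b" style lists
            m = split(ids, id, ",")
            for (i = 1; i <= m; i++) if (id[i] in want) granted = 1
        }
        END { if (enabled && granted) exit 0; exit 1 }
    '
}

# acl_watch FILE [INTERVAL]
# A quieter version of the while/aclget loop in the thread: prints a timestamped
# line only when the enabled/disabled state changes, so a flip that coincides
# with a login stands out. AIX only (needs the real aclget).
acl_watch() {
    file=$1; interval=${2:-3}; last=""
    command -v aclget >/dev/null 2>&1 || { echo "aclget not found (not AIX?)" >&2; return 2; }
    while :; do
        cur=$(aclget "$file" | acl_ext_state)
        if [ "$cur" != "$last" ]; then
            echo "$(date '+%Y-%m-%dT%H:%M:%S') $file extended permissions: ${cur:-unknown}"
            last=$cur
        fi
        sleep "$interval"
    done
}

# Demo on the constructed sample (no AIX needed).
if printf '%s\n' "$SAMPLE_ACL" | acl_user_read_permitted splunk splunk,staff; then
    echo "sample ACL: splunk may read (state: $(printf '%s\n' "$SAMPLE_ACL" | acl_ext_state))"
else
    echo "sample ACL: splunk may NOT read (state: $(printf '%s\n' "$SAMPLE_ACL" | acl_ext_state))"
fi
```

On the box itself, `aclget /var/adm/sulog | acl_user_read_permitted splunk "$(id -Gn splunk | tr ' ' ,)"` gives a yes/no that can be compared with what `tail` does as that user, and `acl_watch /var/adm/sulog` replaces the date/sleep loop with a log of state transitions that can be lined up against login times in sulog or the audit trail.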

I have not worked with RBAC ever, so all is just guessing, but I think that is your issue here. Can you find out if the root user is actually allowed in RBAC to set ACLs? If he is not, add that permission.
I am wondering as well if it would not be easier to just somehow allow splunk via RBAC to read these files?

1 Like