Enable "cd" with root privilege on RBAC

Status
Not open for further replies.

Eric33

Technical User
Sep 10, 2003
22
SG
Hi,

I am implementing RBAC and need to create a role with "cd" privileges that is similar to root. The role should be able to cd into any directory, even if it does not have execute rights on the directory.

I have added the following entries:

exec_attr
Additional commands:suser:cmd:::/usr/bin/cd:uid=0
prof_attr
Additional commands:::Additional rights for management:

This only eliminates the "directory1: permission denied". I am still not able to get in.

What other commands must I include?

Thanks.
Eric
 
Have you tried searching this forum for RBAC? There are a number of threads that could be useful. (I remember posting a worked example several months ago)

I hope that helps.

Mike
 
I would guess this is because cd is usually implemented as a shell builtin (even though there is also a /usr/bin/cd) so RBAC is never queried.

Annihilannic.
 
Just because you can "cd" to a directory, doesn't mean you can do anything else there (i.e. "ls").

What are you trying to do? You say "I am still not able to get in". What does "get in" mean? If you need to access something in that directory once you're there, you'll have to open up more than just "cd".

Hope this helps.
 
Hi Guys,

Thanks for the replies. I was down with a fever these few days, so I did not manage to read the forum. Hope you guys are still with me. Below is some more info on what I have accomplished thus far.

Additional entries I have added to exec_attr:

Additional Commands:suser:cmd:::/usr/bin/cd:uid=0
Additional Commands:suser:cmd:::/usr/bin/ls:uid=0

Trial output

$ pwd
/tmp
$ ls -ld directory1
drwx------ 2 root root 117 Sep 15 18:01 directory1
$ cd directory1
directory1: permission denied
$ pwd
/tmp
$ /usr/bin/cd directory1
$ pwd
/tmp
$ ls -l directory1
total 0
-rw-r----- 1 root root 0 Sep 15 18:11 file_inside_directory


As you can see, typing the full path, I am no longer "denied permission" to the folder. Yet I am still "bounced" out of the folder. Any suggestions?

Thanks.
 
As Annihilannic suggested, cd directory1 uses the shell built-in command, whereas /usr/bin/cd directory uses the OS version. It looks like you might have found a slight difference between the two. (one person's bug is another person's "feature")

I hope that helps.

Mike
 
I have never understood why /usr/bin/cd exists or what purpose it serves. The shell forks, execs /usr/bin/cd, changes the current working directory for that process... then the process exits and the parent shell's CWD is still what it used to be.

If someone knows what use that is I'd be glad to hear it!

Annihilannic.
 
Yeah, I never understood why /usr/bin/cd exists either. If you look at it, it is a shell script...
Code:
#!/bin/ksh
#
#ident  "@(#)alias.sh   1.1     95/02/06 SMI"
#
# Copyright (c) 1995 by Sun Microsystems, Inc.
#
cmd=`basename $0`
$cmd "$@"
With the shebang on the first line and the way it's written, you can't even source it to run it.
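
The fork-and-exec behaviour described in the posts above, as an added example that is not part of the original thread: a stand-in for the /usr/bin/cd script changes directory only in its own child process, while the builtin moves the calling shell. The scratch directory is constructed, the function names are hypothetical, and /bin/sh replaces /bin/ksh so the stand-in runs where ksh is not installed.

```shell
#!/bin/sh
# Added example: constructed scratch directory, hypothetical function names.

# Write a stand-in for /usr/bin/cd: same body as the Sun script, but with
# /bin/sh instead of /bin/ksh (assumption, so it runs without ksh installed).
make_external_cd() {
    cat > "$1/cd" <<'EOF'
#!/bin/sh
cmd=`basename $0`
$cmd "$@"
EOF
    chmod 755 "$1/cd"
}

# Working directory of the caller after running the external cd as a child.
# $1 = start dir, $2 = target dir, $3 = dir holding the stand-in script
cwd_after_external_cd() (
    cd "$1" || exit 1
    "$3/cd" "$2" || exit 1   # the chdir happens in the child, which then exits
    pwd -P
)

# Working directory of the caller after the shell builtin cd.
cwd_after_builtin_cd() (
    cd "$1" || exit 1
    cd "$2" || exit 1        # no fork: the shell itself calls chdir
    pwd -P
)

demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/bin" "$scratch/directory1"
    make_external_cd "$scratch/bin"
    start=$(cd "$scratch" && pwd -P)
    echo "external: $(cwd_after_external_cd "$start" directory1 "$scratch/bin")"
    echo "builtin:  $(cwd_after_builtin_cd "$start" directory1)"
    rm -rf "$scratch"
}
demo
```

Run with uid=0, the external script's chdir succeeds in the child, which is why the "permission denied" message disappears while pwd in the calling shell still prints /tmp.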
 
Hmm... interesting. It seems to be one of a bunch of hard links that match shell builtins. Looks like some kind of backward compatibility or portability fudge to me? So that if someone specifies /usr/bin/blah it makes sure that the shell built-in blah is run instead. However in many of the cases they just don't work in a subshell (cd, jobs, fg, ...). Curious.

$ pwd
/usr/bin
$ ls -li cd
43687 -r-xr-xr-x 17 root bin 134 Apr 6 2002 cd
$ find . -inum 43687
./alias
./wait
./unalias
./umask
./ulimit
./type
./test
./fg
./read
./kill
./jobs
./hash
./getopts
./fc
./command
./cd
./bg
$

Annihilannic.
 
From Annihilannic's explanation, adding /usr/bin/cd to RBAC is useless.

I would like to be able to "cd" into any directory (including those inaccessible if based on basic ACL), so that I can do an "ls" of the local contents without having to type the full path of the directory. (I have no problem with full path) i.e.

$ pwd
/tmp
$ ls -ld directory1
drwx------ 2 root root 117 Sep 15 18:01 directory1
$ cd directory1
$ pwd
/tmp/directory1

$ /usr/bin/ls -l
-rw-r----- 1 root root 0 Sep 15 18:11 file_inside_directory

It is much more convenient to do "ls" for a file this way when you forget its exact location. Any suggestions?

Eric
 
You stated
I have added the following entries:

exec_attr
Additional commands:suser:cmd:::/usr/bin/cd:uid=0
prof_attr
Additional commands:::Additional rights for management:

Have you also edited /etc/user_attr to add the rolename with profiles=Additional commands,All and a username that has roles=<rolename> (and is in /etc/passwd) ?

There are 4 RBAC database files that need to be checked/changed when creating an RBAC user.

I hope that helps.

Mike
 
Hi Mike,

Yes.

My RBAC is working properly and I am able to run various commands with root privilege, i.e. "/usr/bin/ls"

The issue now is I do not know which is the binary/shell script I should execute with UID=0 if I want to be able to perform "cd" with root privilege since /usr/bin/cd is not usable at all.

Thanks.
Eric
 