Before you start using the sesu utility, you should set up some common user substitution rules in the database. These rules prevent unknown users from substituting privileged user accounts, while still permitting specific users and processes to perform the user substitution they need.
To set basic user substitution rules
This prevents all users from substituting root, unless explicitly authorized. All administrators are explicitly authorized to substitute root.
Note: You can authorize individual administrators separately or authorize all administrators using the administrator's group.
This prevents all users from substituting root's group, unless explicitly authorized. All administrators are explicitly authorized to substitute root's group.
Note: On most UNIX systems, root's group is either other or sys.
This prevents all users from substituting any user, unless explicitly authorized, and authorizes root and root's group to substitute any user, unless explicitly denied.
Note: You need to explicitly authorize root so that programs such as dtlogin can switch session ownership from root, the default X window owner (uid=0), to another user. If you do not, login attempts fail because CA ControlMinder blocks any user substitution activity that has not been explicitly authorized.
This prevents all users from substituting any group, unless explicitly authorized, and authorizes root and root's group to substitute any group, unless explicitly denied.
Example: Set Basic User Substitution Rules in selang
Use the following selang commands to set basic user substitution rules in your environment:
nr surrogate USER.root defacc(n) own(nobody)
auth surrogate USER.root gid(sys_admin_GID) acc(a)
nr surrogate GROUP.other defacc(n) own(nobody)
auth surrogate GROUP.other gid(sys_admin_GID) acc(a)
cr surrogate USER._default defacc(n) own(nobody)
cr surrogate GROUP._default defacc(n) own(nobody)
auth surrogate USER._default uid(root) acc(a)
auth surrogate GROUP._default uid(root) acc(a)
auth surrogate USER._default gid(sys_admin_GID) acc(a)
auth surrogate GROUP._default gid(sys_admin_GID) acc(a)
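The following Python script is an added example, not CA Technologies code and not an interface to CA ControlMinder. It is a toy model of how the SURROGATE rules above resolve: it parses the selang lines shown on this page into records with a default access (defacc) and per-uid/per-gid access entries, then answers "may this uid with these gids substitute this user or group?". The resolution order it assumes (a specific record such as USER.root is used before USER._default; within a record a uid entry is checked before gid entries, and defacc applies only when no entry matches; a target with no record at all is treated as unprotected) is an assumption of the model, not something this page states. The user names alice and bob and the group staff are constructed sample values. The last function shows the point of the note about dtlogin: with the uid(root) authorization on USER._default removed, root can no longer substitute an ordinary user.

```python
"""Toy model of SURROGATE-class access resolution (added example, not CA code).

Assumptions, not taken from the page: a specific record (USER.root) is consulted
before the USER._default record; inside a record a uid entry wins over gid
entries, and defacc is used only when no entry matches; a target with no record
is unprotected.
"""
import re
from dataclasses import dataclass, field

# The selang rules from this page, embedded so the model runs offline.
PAGE_RULES = """\
nr surrogate USER.root defacc(n) own(nobody)
auth surrogate USER.root gid(sys_admin_GID) acc(a)
nr surrogate GROUP.other defacc(n) own(nobody)
auth surrogate GROUP.other gid(sys_admin_GID) acc(a)
cr surrogate USER._default defacc(n) own(nobody)
cr surrogate GROUP._default defacc(n) own(nobody)
auth surrogate USER._default uid(root) acc(a)
auth surrogate GROUP._default uid(root) acc(a)
auth surrogate USER._default gid(sys_admin_GID) acc(a)
auth surrogate GROUP._default gid(sys_admin_GID) acc(a)
"""

# Matches selang keyword arguments such as defacc(n), uid(root), gid(sys_admin_GID).
ARG_RE = re.compile(r"(\w+)\(([^)]*)\)")


@dataclass
class SurrogateRecord:
    defacc: str = "n"                             # access when no entry matches
    uid_acl: dict = field(default_factory=dict)   # uid -> "a" (allow) / "n" (deny)
    gid_acl: dict = field(default_factory=dict)   # gid -> "a" / "n"


class SurrogateDB:
    def __init__(self):
        self.records = {}   # "USER.root", "GROUP._default", ... -> SurrogateRecord

    def load(self, text):
        """Parse cr/nr (create record) and auth (add access entry) lines."""
        for line in text.splitlines():
            parts = line.split()
            if len(parts) < 3 or parts[1] != "surrogate":
                continue
            verb, key = parts[0], parts[2]
            args = dict(ARG_RE.findall(line))
            if verb in ("cr", "nr"):
                self.records[key] = SurrogateRecord(defacc=args.get("defacc", "n"))
            elif verb == "auth":
                rec = self.records.setdefault(key, SurrogateRecord())
                acc = args.get("acc", "a")
                if "uid" in args:
                    rec.uid_acl[args["uid"]] = acc
                if "gid" in args:
                    rec.gid_acl[args["gid"]] = acc
        return self

    def allowed(self, kind, target, uid, gids):
        """May `uid` (member of `gids`) substitute USER/GROUP `target`?"""
        rec = self.records.get(f"{kind}.{target}") or self.records.get(f"{kind}._default")
        if rec is None:
            return True            # model assumption: no record, so unprotected
        if uid in rec.uid_acl:
            return rec.uid_acl[uid] == "a"
        for gid in gids:
            if gid in rec.gid_acl:
                return rec.gid_acl[gid] == "a"
        return rec.defacc == "a"


def check_page_policy():
    """Outcomes of the page's rule set for a few constructed principals."""
    db = SurrogateDB().load(PAGE_RULES)
    return {
        "alice_to_root": db.allowed("USER", "root", "alice", ["staff"]),          # False
        "admin_to_root": db.allowed("USER", "root", "bob", ["sys_admin_GID"]),    # True
        "root_to_alice": db.allowed("USER", "alice", "root", ["sys"]),            # True
        "alice_to_bob": db.allowed("USER", "bob", "alice", ["staff"]),            # False
        "alice_to_group_other": db.allowed("GROUP", "other", "alice", ["staff"]), # False
        "root_to_group_staff": db.allowed("GROUP", "staff", "root", ["sys"]),     # True
    }


def root_without_default_auth():
    """Drop the uid(root) entry on USER._default: root can no longer switch to alice."""
    trimmed = "\n".join(l for l in PAGE_RULES.splitlines()
                        if l != "auth surrogate USER._default uid(root) acc(a)")
    return SurrogateDB().load(trimmed).allowed("USER", "alice", "root", ["sys"])  # False


if __name__ == "__main__":
    for case, ok in check_page_policy().items():
        print(f"{case:22s} {'allowed' if ok else 'denied'}")
    print("root -> alice without uid(root) auth:",
          "allowed" if root_without_default_auth() else "denied")
```

The model reproduces the intent of the four steps: an ordinary user is denied root and every other user by the defacc(n) on USER.root and USER._default, an administrator gets root through the gid(sys_admin_GID) entry, and root can reach any user or group only because of its explicit uid(root) entries on the _default records.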
Copyright © 2013 CA Technologies.
All rights reserved.