Authorization checking

Applications that currently use the user ID or group ID of the invoking user to determine the ability to perform privileged operations should be modified to check for an authorization instead.

For example, consider an application which performs filesystem configuration tasks and currently allows the root user (UID = 0) to perform some privileged operations:
if (getuid() == 0) {
        /* allow privileged operation to continue */
}
To enable this application to instead allow users with a specific authorization (aix.fs.config) to perform the privileged operation, the code can be modified to use the checkauths API to perform the authorization check:
/* checkauths returns 0 when the invoking process holds the authorization,
 * so the result must be compared against 0; a bare truth test would grant
 * the operation on failure. */
if (checkauths("aix.fs.config", CHECK_ALL) == 0) {
        /* allow privileged operation to continue */
}

The checkauths API is enabled for both the legacy and enhanced RBAC modes and will return a 0 success code if the invoking process has the specified authorization. The checkauths API also determines if the root user powers are enabled or disabled and then allows or disallows the root user to bypass authorization checks as appropriate. Prior to AIX® Version 6.1, the MatchAllAuths, MatchAnyAuths, MatchAllAuthsList, and MatchAnyAuthsList APIs were normally used to perform authorization checks. Applications provided on AIX Version 6.1 and later should use the checkauths API instead due to its support for legacy and enhanced RBAC modes and root disablement.

As in the example above, applications that call getuid, getgid, or a similar function to only allow certain users to perform specific tasks can be modified to use the checkauths API to perform an authorization check instead. If the user ID or group ID being checked is not that of the root user, the sys_parm system call can be used first to query whether enhanced RBAC is enabled or not. If enhanced RBAC is not enabled, the code can perform the checks that are already in place. Otherwise, if enhanced RBAC is enabled, the code can check for the relevant system or user-defined authorizations.
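The migration described above, as an added example that is not IBM's code: the policy decision is isolated in one function that honours the 0-means-success convention of checkauths, and the AIX calls (checkauths, sys_parm) are compiled only where _AIX is defined so the decision logic builds elsewhere. The sys_parm parameter name SYSP_V_ENHANCED_RBAC, the vario field v_enhanced_RBAC, and the group ID FS_ADMIN_GID are assumptions.

```c
/* Migrating a UID/GID privilege test to an RBAC authorization check.
 * Added example, not IBM's code; AIX interfaces compiled only on AIX. */
#include <unistd.h>
#include <sys/types.h>

#ifdef _AIX
#include <usersec.h>   /* checkauths(), CHECK_ALL */
#include <sys/var.h>   /* sys_parm(), SYSP_GET, struct vario; SYSP_V_ENHANCED_RBAC assumed */
#endif

#define FS_ADMIN_GID 205  /* constructed: group the legacy code trusted besides root */

/* Legacy check performed before migration: root or a trusted group.
 * Still used on hosts running in legacy RBAC mode. */
static int legacy_allowed(uid_t uid, gid_t gid)
{
    return uid == 0 || gid == FS_ADMIN_GID;
}

/* Pure policy decision. In enhanced RBAC mode only the authorization counts;
 * checkauths() reports success with 0, so compare "== 0" rather than using a
 * bare truth test, which would invert the check and grant on failure.
 * Returns 1 when the privileged operation may proceed, 0 when it may not. */
int privileged_op_allowed(int enhanced_rbac, int checkauths_rc, uid_t uid, gid_t gid)
{
    if (enhanced_rbac)
        return checkauths_rc == 0;
    return legacy_allowed(uid, gid);
}

#ifdef _AIX
/* Query the RBAC mode first, then the authorization only in enhanced mode.
 * Returns 1 (allow), 0 (refuse) or -1 if the mode cannot be determined. */
static int check_on_aix(const char *auth)
{
    struct vario v;
    int enhanced, rc = -1;

    if (sys_parm(SYSP_GET, SYSP_V_ENHANCED_RBAC, &v) != 0)
        return -1;                              /* unknown mode: caller should refuse */
    enhanced = v.v.v_enhanced_RBAC.value != 0;  /* assumed field name */
    if (enhanced)
        rc = checkauths((char *)auth, CHECK_ALL);
    return privileged_op_allowed(enhanced, rc, getuid(), getgid());
}
#endif
```

On AIX, call check_on_aix("aix.fs.config") and treat any result other than 1 as a refusal.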