A fix is available
APAR status
Closed as program error.
Error description
An RBAC enabled command may fail while running as an authorized user under the following conditions:
- The subject command is resolved as a symbolic link (e.g. /etc/pshare is a symlink to /usr/sbin/penable) and the target program is hardlinked with another program, e.g. /usr/sbin/penable is hardlinked with /usr/sbin/pshare.
- In the /etc/security/privcmds table, /usr/sbin/pshare and /usr/sbin/penable are specified with different RBAC attributes (i.e. the two entries have different accessauths, etc.).
- The PATH environment variable has /etc before /usr/sbin.
- When an authorized user having a role to execute /usr/sbin/pshare runs the "pshare" command, it may fail.
The accessx() call resolves to the incorrect object in the above example because the vnode is passed for RBAC verification, and hardlinked objects share the same vnode. "type pshare" returns /etc/pshare instead of /usr/sbin/pshare.
Local fix
Problem summary
An RBAC enabled command may fail while running as an authorized user under the following conditions:
- The subject command is resolved as a symbolic link (e.g. /etc/pshare is a symlink to /usr/sbin/penable) and the target program is hardlinked with another program, e.g. /usr/sbin/penable is hardlinked with /usr/sbin/pshare.
- In the /etc/security/privcmds table, /usr/sbin/pshare and /usr/sbin/penable are specified with different RBAC attributes (i.e. the two entries have different accessauths, etc.).
- The PATH environment variable has /etc before /usr/sbin.
- When an authorized user having a role to execute /usr/sbin/pshare runs the "pshare" command, it may fail.
The accessx() call resolves to the incorrect object in the above example because the vnode is passed for RBAC verification, and hardlinked objects share the same vnode. "type pshare" returns /etc/pshare instead of /usr/sbin/pshare.
Problem conclusion
Do not pass the vnode from accessx() for RBAC verification; instead, resolve the proper object as part of the RBAC table lookup process.
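An added audit example (not IBM code) that rebuilds the layout from the error description in a temporary directory and finds privcmds entries that share one file object (same device and inode, hence the same vnode) but carry different RBAC attributes. The stanza parser is minimal and the accessauths values are constructed placeholders.

```python
import os
import tempfile
from collections import defaultdict

def parse_privcmds(text):
    """Parse AIX stanza text ('path:' line, then indented 'attr = value' lines; '*' starts a comment)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("*"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            entries[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            entries[current][key.strip()] = val.strip()
    return entries

def hardlink_conflicts(entries):
    """Group entries by (st_dev, st_ino), i.e. by the object a vnode-based check would see,
    and return the groups whose RBAC attributes are not identical (sorted path lists)."""
    by_object = defaultdict(list)
    for path, attrs in entries.items():
        try:
            st = os.stat(path)          # follows symlinks, as exec() does
        except FileNotFoundError:
            continue                    # stale entry: not a hardlink problem
        by_object[(st.st_dev, st.st_ino)].append((path, attrs))
    conflicts = []
    for group in by_object.values():
        if len(group) > 1 and len({tuple(sorted(a.items())) for _, a in group}) > 1:
            conflicts.append(sorted(p for p, _ in group))
    return conflicts

def demo():
    """Rebuild the APAR's layout under a temp dir (constructed, not a real system):
    usr/sbin/penable hardlinked to usr/sbin/pshare, etc/pshare a symlink to penable."""
    root = tempfile.mkdtemp()
    sbin, etc = os.path.join(root, "usr", "sbin"), os.path.join(root, "etc")
    os.makedirs(sbin); os.makedirs(etc)
    pshare, penable = os.path.join(sbin, "pshare"), os.path.join(sbin, "penable")
    open(pshare, "w").close()
    os.link(pshare, penable)
    os.symlink(penable, os.path.join(etc, "pshare"))
    # Constructed privcmds stanzas: same object, different accessauths (auth names are placeholders)
    privcmds = (f"{pshare}:\n\taccessauths = aix.example.share\n\n"
                f"{penable}:\n\taccessauths = aix.example.enable\n")
    return hardlink_conflicts(parse_privcmds(privcmds))
```

Running the same check against a real /etc/security/privcmds lists the entry pairs that a vnode-keyed lookup cannot tell apart, which is exactly the situation the fix above addresses.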
Temporary fix
Comments
6100-09 - use AIX APAR IV55576
7100-03 - use AIX APAR IV55629
7100-04 - use AIX APAR IV55683
APAR Information
APAR number
IV55629
Reported component name
AIX V7.1
Reported component ID
5765H4000
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Submitted date
2014-02-18
Closed date
2014-02-18
Last modified date
2016-05-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
AIX V7.1
Fixed component ID
5765H4000
Applicable component levels
R710 PSY U858978
UP14/05/22 I 1000
PTF to Fileset Mapping
U858978 bos.mp64 7.1.3.15
Document Information
Modified date:
10 May 2016