Set Basic User Substitution Rules

Before you start using the sesu utility, set up some common user substitution rules in the database. These rules prevent unknown users substituting privileged user accounts. However, these rules do permit specific users and processes to perform necessary user substitution activities.
To set basic user substitution rules
  1. Create a surrogate resource for the root user (USER.root) with the following attributes:
    • nobody as owner
    • Default access none
    • All administrators have full control
    This surrogate resource prevents all users from substituting root, unless explicitly authorized. All administrators are explicitly authorized to substitute root.
    You can authorize individual administrators separately, or you can authorize all administrators using the administrators' group.
  2. Create a surrogate resource for the group of root (GROUP.other) with the following attributes:
    • nobody as owner
    • Default access none
    • All administrators have full control
    This surrogate resource prevents all users from substituting the group of root, unless explicitly authorized. All administrators are explicitly authorized to substitute the group of root.
    On most UNIX systems, root's group is either other or sys.
  3. Change the user substitution rules for USER._default as follows:
    • nobody as owner
    • Default access none
    • Authorize root to substitute to any undefined user
    • Authorize the administrators' group to substitute to any undefined user
    Changing the rules prevents all users from substituting any user, unless explicitly authorized, and authorizes root and root's group to substitute any user, unless explicitly denied.
    You specifically authorize root so that programs such as dtlogin can switch session ownership from root, the default X window owner (uid=0), to anyone else. If you do not do this, login attempts fail because Privileged Access Manager Server Control blocks any user substitution activity that has not been explicitly authorized.
  4. Change the group substitution rules for GROUP._default as follows:
    • nobody as owner
    • Default access none
    • Authorize root to substitute to any undefined group
    • Authorize the administrators' group to substitute to any undefined group
    Changing the rules prevents all users from substituting any group, unless explicitly authorized, and authorizes root and root's group to substitute any group, unless explicitly denied.
Example: Set Basic User Substitution Rules in selang
Use the following selang commands to set basic user substitution rules in your environment (replace sys_admin_GID with your administrators' group):
    nr surrogate USER.root defacc(n) own(nobody)
    auth surrogate USER.root gid(sys_admin_GID) acc(a)
    nr surrogate GROUP.other defacc(n) own(nobody)
    auth surrogate GROUP.other gid(sys_admin_GID) acc(a)
    cr surrogate USER._default defacc(n) own(nobody)
    cr surrogate GROUP._default defacc(n) own(nobody)
    auth surrogate USER._default uid(root) acc(a)
    auth surrogate GROUP._default uid(root) acc(a)
    auth surrogate USER._default gid(sys_admin_GID) acc(a)
    auth surrogate GROUP._default gid(sys_admin_GID) acc(a)
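The following POSIX shell script is an added example and is not part of the original page or of the product's own tooling. It wraps the four steps above: it generates the selang rule set for a named administrators' group (the page's sys_admin_GID placeholder), refuses to apply it if that group does not exist on the host, loads it, and then displays each surrogate resource so you can confirm the owner and default access took effect. It assumes that selang accepts a command file with -f and a single command with -c, and that sr (showres) lists a resource; verify those options against your installed version.

```shell
#!/bin/sh
# Added example, not from the original page: build, apply and verify the
# basic surrogate rules for a given administrators' group.

# Emit the selang commands from the procedure above.  $1 is the group name
# that the page writes as sys_admin_GID.
gen_surrogate_rules() {
    grp="$1"
    [ -n "$grp" ] || { echo "usage: gen_surrogate_rules <admin-group>" >&2; return 1; }
    cat <<EOF
nr surrogate USER.root defacc(n) own(nobody)
auth surrogate USER.root gid($grp) acc(a)
nr surrogate GROUP.other defacc(n) own(nobody)
auth surrogate GROUP.other gid($grp) acc(a)
cr surrogate USER._default defacc(n) own(nobody)
cr surrogate GROUP._default defacc(n) own(nobody)
auth surrogate USER._default uid(root) acc(a)
auth surrogate GROUP._default uid(root) acc(a)
auth surrogate USER._default gid($grp) acc(a)
auth surrogate GROUP._default gid($grp) acc(a)
EOF
}

# Number of rule lines generated; a quick sanity check before applying.
count_rules() {
    gen_surrogate_rules "$1" | grep -c '^'
}

# Apply the rules with selang and show the resulting resources.  The group
# must already be defined on this host so a typo cannot create an
# authorization for a group that does not exist.
# Assumes: selang -f <file>, selang -c '<command>', and sr (showres).
apply_surrogate_rules() {
    grp="$1"
    getent group "$grp" >/dev/null 2>&1 || { echo "group '$grp' not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_surrogate_rules "$grp" > "$tmp" || { rm -f "$tmp"; return 1; }
    selang -f "$tmp"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    # Verify: each resource should show owner nobody and default access none.
    for res in USER.root GROUP.other USER._default GROUP._default; do
        selang -c "sr surrogate $res"
    done
}

# Usage (run as a user allowed to administer the database):
#   . ./surrogate_rules.sh && apply_surrogate_rules sysadmin
```

Run the generator first (`gen_surrogate_rules sysadmin`) and review the output before calling apply_surrogate_rules; the verification loop at the end is what tells you the defacc(n) and own(nobody) settings are actually in place rather than assumed.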