Set Basic User Substitution Rules
Before you start using the sesu utility, you should set up some common user substitution rules in the database. These rules prevent unknown users undesirably substituting privileged user accounts, but permit specific users and processes to perform necessary user substitution activities.
To set basic user substitution rules
- Create a surrogate resource for the root user (USER.root) with the following attributes:
  - nobody as owner
  - Default access none
  - All administrators should have full control
  This prevents all users from substituting root, unless explicitly authorized. All administrators are explicitly authorized to substitute root. You can authorize individual administrators separately or authorize all administrators using the administrators' group.
- Create a surrogate resource for root's group (GROUP.other) with the following attributes:
  - nobody as owner
  - Default access none
  - All administrators should have full control
  This prevents all users from substituting root's group, unless explicitly authorized. All administrators are explicitly authorized to substitute root's group. On most UNIX systems root's group is either other or sys.
- Change the user substitution rules for USER._default as follows:
  - nobody as owner
  - Default access none
  - Authorize root to substitute to any undefined user
  - Authorize the administrators' group to substitute to any undefined user
  This prevents all users from substituting any group, unless explicitly authorized, and authorizes root and root's group to substitute any user, unless explicitly denied. You need to specifically authorize root to permit programs such as dtlogin to switch session ownership from root, the default X window owner (uid=0), to anyone else. If you do not do this, login attempts will fail because CA ControlMinder is blocking any user substitution activity that has not been explicitly authorized.
- Change the group substitution rules for GROUP._default as follows:
  - nobody as owner
  - Default access none
  - Authorize root to substitute any undefined groups
  - Authorize the administrators' group to substitute to any undefined group
Example: Set Basic User Substitution Rules in selang
Use the following selang commands to set basic user substitution rules in your environment:
nr surrogate USER.root defacc(n) own(nobody)
auth surrogate USER.root gid(sys_admin_GID) acc(a)
nr surrogate GROUP.other defacc(n) own(nobody)
auth surrogate GROUP.other gid(sys_admin_GID) acc(a)
cr surrogate USER._default defacc(n) own(nobody)
cr surrogate GROUP._default defacc(n) own(nobody)
auth surrogate USER._default uid(root) acc(a)
auth surrogate GROUP._default uid(root) acc(a)
auth surrogate USER._default gid(sys_admin_GID) acc(a)
auth surrogate GROUP._default gid(sys_admin_GID) acc(a)
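The selang commands above leave two values for the administrator to fill in by hand: the numeric GID behind sys_admin_GID, and the name of root's group (other or sys, depending on the system). The following POSIX shell script is an added example, not part of the CA ControlMinder documentation: it resolves both values on the host, renders the same ten commands with them substituted, runs a sanity check (every resource gets defacc(n), no placeholder left behind) and only then hands the file to selang. The group name "sysadmin" in the usage comment is a constructed value, and the script assumes that selang accepts a command file via "selang -f FILE".

```shell
#!/bin/sh
# Added example, not from the CA ControlMinder documentation: render the basic
# user substitution rules as a selang script with the administrators' GID and
# root's real group filled in, check them, then apply them if selang is present.
# Assumptions: "sysadmin" (see usage below) is a constructed group name, and
# selang reads a command file with "selang -f FILE".

# resolve_gid GROUPNAME: print the numeric GID of GROUPNAME, fail if unknown.
resolve_gid() {
    gid=$(getent group "$1" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    printf '%s\n' "$gid"
}

# root_group_name: root's primary group ("other" or "sys" on most UNIX systems);
# this is the GROUP resource the second step has to protect.
root_group_name() {
    id -gn root 2>/dev/null || printf 'other\n'
}

# render_surrogate_rules ADMIN_GID ROOT_GROUP: print the selang commands, one per line.
render_surrogate_rules() {
    admin_gid=$1
    root_group=$2
    cat <<EOF
nr surrogate USER.root defacc(n) own(nobody)
auth surrogate USER.root gid($admin_gid) acc(a)
nr surrogate GROUP.$root_group defacc(n) own(nobody)
auth surrogate GROUP.$root_group gid($admin_gid) acc(a)
cr surrogate USER._default defacc(n) own(nobody)
cr surrogate GROUP._default defacc(n) own(nobody)
auth surrogate USER._default uid(root) acc(a)
auth surrogate GROUP._default uid(root) acc(a)
auth surrogate USER._default gid($admin_gid) acc(a)
auth surrogate GROUP._default gid($admin_gid) acc(a)
EOF
}

# check_rules RULES: sanity check before anything is applied. All four surrogate
# resources must be closed with defacc(n), and the sys_admin_GID placeholder must
# have been replaced (selang would reject auth commands with a non-numeric gid).
check_rules() {
    rules=$1
    n=$(printf '%s\n' "$rules" | grep -c 'defacc(n)' || true)
    [ "$n" -eq 4 ] || return 1
    ! printf '%s\n' "$rules" | grep -q 'sys_admin_GID'
}

# apply_rules RULES: feed the rules to selang through a temporary command file.
apply_rules() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    selang -f "$tmp"          # assumption: -f reads selang commands from a file
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only act when an administrators' group name is given on the command line, e.g.
#   sh set_surrogate_rules.sh sysadmin
# so that running the file without arguments merely defines the functions above.
if [ $# -ge 1 ]; then
    admin_gid=$(resolve_gid "$1") || { echo "unknown group: $1" >&2; exit 1; }
    rules=$(render_surrogate_rules "$admin_gid" "$(root_group_name)")
    check_rules "$rules" || { echo "rule sanity check failed" >&2; exit 1; }
    printf '%s\n' "$rules"
    if command -v selang >/dev/null 2>&1; then
        apply_rules "$rules"
    else
        echo "selang not found; rules printed but not applied" >&2
    fi
fi
```

Running the script prints the rendered rules before applying them, so the output can be reviewed (or committed to change control) first; on a host where root's group is sys the GROUP.other lines of the original example become GROUP.sys automatically.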