The benefits of this approach include:
- The user enters the system in normal user mode, not superuser mode, thereby defeating any attempt to place a Trojan horse command in their logon script.
- “Accident insurance” by ensuring powerful commands aren’t available until needed; more than one user has issued what was meant to be a minor command and had unexpected results.
- The ability to enter and leave superuser mode without logging out of the system. One userid provides both normal and superuser capabilities.
The UNIXPRIV Class
The UNIXPRIV class houses profiles that subdivide superuser privileges. By determining which privileges a user actually requires, it becomes possible to grant those powers to a non-zero uid.
The UNIXPRIV class in RACF is designed to grant Unix superuser privileges on a granular basis. The class must be RACLISTed, and global access checking isn't supported. Auditing of profile usage also differs from other classes: whereas most profile access failures are logged, UNIXPRIV primarily logs successful accesses by default. Usage of RACLISTed profiles isn't logged, and a failure to gain access to one of these profiles isn't a violation but a denied attempt to use an optional extra service.
There are several profiles available for the granular delegation of superuser privileges.
The SUPERUSER Profiles
There’s a set of profiles that grant pieces of superuser authorization—this means that security can give out only the necessary privileges where needed.
SUPERUSER.FILESYS grants access to all local directories and files (it grants no access to NFS files) at the level of access listed below.
- READ access to this profile bestows read access to any local file and search/read access to any local directory.
- UPDATE access to this profile grants read/write access to any local file and search/read access to any local directory.
- CONTROL or ALTER access to this profile grants read/write access to all local files and search/read/write access to all local directories.
Authorizing a user to this profile may grant access to more files than desired. If there are files or directories to be excluded from this global authorization, defining another profile, SUPERUSER.FILESYS.ACLOVERRIDE, brings additional restrictions into play by means of the Access Control Lists (ACLs) on the files and directories. SUPERUSER.FILESYS.ACLOVERRIDE is a discrete profile specifying that ACL controls take precedence over access granted by the SUPERUSER.FILESYS profile. However, access can still be granted to specific userids if they are given the same level of access to this resource as the SUPERUSER.FILESYS profile would grant.
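To make the interplay of the three access levels, the NFS exclusion and SUPERUSER.FILESYS.ACLOVERRIDE concrete, here is an added example (not from the article and not RACF's own code) that models the decision as the article describes it. The profile names are the article's; the userids BACKUP and SYSADM, the files, the ACL shape and the `Profiles`/`Obj` helpers are constructed for illustration, and the model deliberately ignores POSIX permission bits and the other UNIXPRIV profiles. The rule that an explicit ACL denial switches the check from SUPERUSER.FILESYS to SUPERUSER.FILESYS.ACLOVERRIDE is taken from the article's wording and is an assumption about the exact algorithm.

```python
# Added example: a small model of the SUPERUSER.FILESYS / ACLOVERRIDE decision.
# Users, groups, objects and ACLs below are constructed; only the profile names
# come from the article. Real RACF checks permission bits and more cases.
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple

class Access(IntEnum):
    NONE = 0
    READ = 1
    UPDATE = 2
    CONTROL = 3
    ALTER = 4

Priv = Tuple[str, str]  # (object kind, operation): ("file"|"dir", "r"|"w"|"x")

def filesys_privileges(level: Access) -> Set[Priv]:
    """Privileges SUPERUSER.FILESYS confers at a given access level (per the article)."""
    priv: Set[Priv] = set()
    if level >= Access.READ:      # read any local file; search/read any local directory
        priv |= {("file", "r"), ("dir", "r"), ("dir", "x")}
    if level >= Access.UPDATE:    # plus write to any local file
        priv.add(("file", "w"))
    if level >= Access.CONTROL:   # CONTROL/ALTER: plus write to any local directory
        priv.add(("dir", "w"))
    return priv

class Profiles:
    """Constructed stand-in for the UNIXPRIV class: profile name -> {id: access}."""
    def __init__(self) -> None:
        self.defined: Dict[str, Dict[str, Access]] = {}

    def rdefine(self, profile: str) -> None:       # analogous to RDEFINE ... UACC(NONE)
        self.defined.setdefault(profile, {})

    def permit(self, profile: str, id_: str, access: Access) -> None:  # analogous to PERMIT
        self.defined[profile][id_] = access

    def is_defined(self, profile: str) -> bool:
        return profile in self.defined

    def access(self, profile: str, user: str, groups: Set[str]) -> Access:
        """Highest access the user or any of their groups holds on the profile."""
        entries = self.defined.get(profile, {})
        return max((entries.get(i, Access.NONE) for i in {user} | groups), default=Access.NONE)

class Obj:
    """A file or directory; acl maps an id to the operations it is allowed."""
    def __init__(self, kind: str, nfs: bool = False,
                 acl: Optional[Dict[str, Set[str]]] = None) -> None:
        self.kind, self.nfs, self.acl = kind, nfs, acl or {}

def acl_decision(obj: Obj, user: str, groups: Set[str], op: str) -> Optional[bool]:
    """True/False when an ACL entry for the user or one of their groups applies, else None."""
    for id_ in [user] + sorted(groups):
        if id_ in obj.acl:
            return op in obj.acl[id_]
    return None

def check(profiles: Profiles, obj: Obj, user: str, groups: Set[str], op: str) -> Tuple[bool, str]:
    """Decide one access request and say which rule settled it."""
    want: Priv = (obj.kind, op)
    verdict = acl_decision(obj, user, groups, op)
    if verdict:
        return True, "granted by ACL"
    if obj.nfs:                                   # the profile covers local files only
        return False, "NFS object: SUPERUSER.FILESYS does not apply"
    profile = "SUPERUSER.FILESYS"
    # An explicit ACL denial hands the decision to ACLOVERRIDE when that profile exists
    if verdict is False and profiles.is_defined("SUPERUSER.FILESYS.ACLOVERRIDE"):
        profile = "SUPERUSER.FILESYS.ACLOVERRIDE"
    level = profiles.access(profile, user, groups)
    if want in filesys_privileges(level):
        return True, f"granted via {profile} ({level.name})"
    return False, f"denied: {profile} ({level.name}) does not cover {want}"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: BACKUP holds READ, SYSADM holds CONTROL and the override."""
    p = Profiles()
    p.rdefine("SUPERUSER.FILESYS")
    p.permit("SUPERUSER.FILESYS", "BACKUP", Access.READ)
    p.permit("SUPERUSER.FILESYS", "SYSADM", Access.CONTROL)
    p.rdefine("SUPERUSER.FILESYS.ACLOVERRIDE")
    p.permit("SUPERUSER.FILESYS.ACLOVERRIDE", "SYSADM", Access.CONTROL)
    payroll = Obj("file", acl={"BACKUP": set(), "SYSADM": set()})  # ACL denies both ids
    etc = Obj("dir")                                                # no ACL at all
    remote = Obj("file", nfs=True)
    return {
        "backup_reads_etc": check(p, etc, "BACKUP", set(), "r"),       # READ suffices
        "backup_writes_etc": check(p, etc, "BACKUP", set(), "w"),      # needs CONTROL
        "backup_reads_payroll": check(p, payroll, "BACKUP", set(), "r"),  # ACL denial, no override
        "sysadm_writes_payroll": check(p, payroll, "SYSADM", set(), "w"),  # override grants it
        "backup_reads_nfs": check(p, remote, "BACKUP", set(), "r"),    # NFS excluded
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Run it and compare each verdict with the article's bullet list: BACKUP's READ on SUPERUSER.FILESYS covers directory search but not directory write, the payroll file's ACL entry shuts BACKUP out because BACKUP has no access to SUPERUSER.FILESYS.ACLOVERRIDE, while SYSADM gets through on the override profile alone.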
Another authorization profile is the generic SUPERUSER.FILESYS.**, which grants all the file system privileges to the users permitted to it, according to their level of access.