How the dynamic mapping from an OS user to a logical SEOS user works

Document ID : KB000100153
Last Modified Date : 19/06/2018
Introduction:
This article demonstrates how the dynamic mapping from an OS user to a logical SEOS user works.

With this feature it is possible, as in this example, to allow access to a resource (here a FILE resource) as a logical SEOS user, but only while the access is performed by a specific process (defined by a SPECIALPGM record).

(The example was prepared and verified on a RH 7.5 box)
Instructions:
- prepare the resource (create a new file and allow all access to it from an OS perspective)
  # touch /tmp/testfile
  # chmod a+w /tmp/testfile
 
- create a test user in the OS and PIM
  AC> nu tester password(mypwd) unix
 
- define the resource and access to it in PIM
  AC> ef /tmp/testfile owner(nobody) defaccess(none) audit(all)
  AC> authorize file /tmp/testfile uid(tester) access(all)
 
  (i.e. only tester has access to the resource)
 
- define the specific process which maps requests to the logical user
  AC> er specialpgm /usr/sbin/sshd unixuid(root) seosuid(tester)
 
  (i.e. requests by root coming via sshd are mapped to tester)
 
- now, to see the feature in action
  AC> rr loginappl SSH
 
  (by default PIM identifies the real user coming via SSH; after this step all users coming via sshd are logically root, because the sshd process runs as root)

  In a new SSH session and in a TTY (console) session
  login as: root (or any other user you have defined on this box)
 
  in both sessions run
  # touch /tmp/testfile
 
  In the TTY session you find:
  touch: cannot touch ‘/tmp/testfile’: Permission denied
 
  In the SSH session you find that access to the file is granted
 
  # seaudit -a -st now-1
  shows that the access was performed as tester
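The decision path the steps above configure, as an added shell model that is not the article's or CA PIM's own code: it reproduces the SPECIALPGM and FILE rules from the selang commands on this page so that each outcome (TTY denied, SSH granted) can be traced rule by rule; the user name alice is a constructed placeholder for "any other user you have defined on this box".

```shell
# Added example: a shell model of the PIM decision path set up on this page.
# The records come from the selang commands above; the real evaluation is
# done by PIM itself, these functions only reproduce its result.

# er specialpgm /usr/sbin/sshd unixuid(root) seosuid(tester)
SPECIALPGM_UNIXUID=root
SPECIALPGM_SEOSUID=tester

# ef /tmp/testfile ... defaccess(none); authorize file ... uid(tester) access(all)
FILE_DEFACCESS=none
FILE_ACL_USERS="tester"

# Who PIM takes the requester to be. $1 = OS user that logged in,
# $2 = session type (ssh|tty). After "rr loginappl SSH" PIM no longer
# identifies the real SSH user and attributes the session to the sshd
# process owner, root; a console (TTY) login is still seen as itself.
requester() {
  if [ "$2" = ssh ]; then echo root; else echo "$1"; fi
}

# SPECIALPGM mapping: requests by unixuid arriving through sshd are
# performed as seosuid. $1 = requester, $2 = session type.
effective_user() {
  if [ "$2" = ssh ] && [ "$1" = "$SPECIALPGM_UNIXUID" ]; then
    echo "$SPECIALPGM_SEOSUID"
  else
    echo "$1"
  fi
}

# FILE class check: an explicit ACL entry wins, otherwise defaccess applies.
# OS permissions (chmod a+w) play no role here: PIM denies even root.
file_access() {
  for u in $FILE_ACL_USERS; do
    if [ "$u" = "$1" ]; then echo granted; return 0; fi
  done
  if [ "$FILE_DEFACCESS" = none ]; then echo denied; else echo granted; fi
}

# decide <login user> <ssh|tty>  ->  "<effective SEOS user>:<granted|denied>"
decide() {
  eff=$(effective_user "$(requester "$1" "$2")" "$2")
  echo "$eff:$(file_access "$eff")"
}

decide root tty    # root:denied    (the TTY result on this page)
decide root ssh    # tester:granted (the SSH result on this page)
decide alice ssh   # tester:granted (every SSH login is mapped once loginappl SSH is removed)
decide alice tty   # alice:denied
```

The third case is the caveat to keep in mind: with the LOGINAPPL record removed, the mapping to tester applies to whoever logs in through sshd, not only to root.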
 
 
Additional Information:
More information about the SPECIALPGM class and how to use it can be found at
https://docops.ca.com/ca-privileged-access-manager-server-control/14-0/EN/reference/selang-reference-guide/classes-in-the-ac-environment/specialpgm-class