Surrogate to USER.root does not work when changing password

Article ID: 388780

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

Trying to change the password for a user who has a surrogate to root fails.

On some machines this works.

The traces show the following:

18 Feb 2025 15:29:06> EXECsu  : P=143777 U=909832 G=15000 (D=fd00     I=6599167) Pgm:/usr/bin/passwd
18 Feb 2025 15:29:06> EXECARGS: 'passwd' 
18 Feb 2025 15:29:06> INFO    : Cache [SET] fn=/usr/bin/passwd un=<user> prog=<program> acc=80
18 Feb 2025 15:29:06> EXEC    > Result: 'P' [stage=201 gstag=200 ACEEH=9    rv=0(/usr/bin/passwd)]
        Why?    Class checks not active
18 Feb 2025 15:29:06> FORK    : P=143777 U=909832 G=15000 Child=143778 ACEEH=9     F=80000001 Pgm:/usr/bin/passwd
18 Feb 2025 15:29:06> SUID    : P=143778 U=909832 (R=909832 E=0    S=0   ) to USER.root (R=0    E=0    S=0   ) D=0000fd00 I=6599167
18 Feb 2025 15:29:06> SUID    > Result: 'D' [stage=69 gstag=0  ACEEH=9    rv=0]
        Why?    No Step that allowed access

If one adds <user> to a Surrogate-enabled group, or adds <user> as an accessor on Surrogate USER.root, this works fine. On some machines this works anyway, and the trace shows the following behaviour:

20 Feb 2025 12:57:33> EXECsu  : P=111455 U=909832 G=15000 (D=fd00     I=4292779) Pgm:/usr/bin/passwd
20 Feb 2025 12:57:33> EXECARGS: 'passwd' 
20 Feb 2025 12:57:33> INFO    : Cache [SET] fn=/usr/bin/passwd un=xe26298 prog=<program> acc=80
20 Feb 2025 12:57:33> EXEC    > Result: 'P' [stage=59 gstag=59 ACEEH=25   rv=0(/usr/bin/passwd)]
        Why?    Resource UACC check
20 Feb 2025 12:57:33> FORK    : P=110313 U=909832 G=15000 Child=111455 ACEEH=25    F=80000c05 Pgm:/usr/bin/passwd

Cause

On some platforms the system's su binary works in a non-standard way: when an su to a non-root user is requested, it executes su to root before executing su to the requested user. If CA Privileged Access Manager Server Control surrogate protection is set for the root user, it may therefore prevent the successful execution of an su to non-root users as well.

Resolution

To keep surrogate protection for the root user on such platforms and still be able to su to non-root users without interruption, set the bypass_suid_program token in the seos.ini file to the real path of the passwd command and restart seosd. The token as it appears in seos.ini, commented out with its default value shown:

; Default Value: none
; bypass_suid_program =/usr/bin/passwd
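As an added example that is not part of this article or of the product, the following Python script applies the diagnosis above to a seosd trace: it joins each SUID record to the FORK record of the requesting child, reports surrogate requests to USER.root that seosd denied together with the "Why?" reason, and checks whether the bypass_suid_program token in seos.ini names that program. The trace and seos.ini fragment are constructed from the records quoted above, and the record layouts the regular expressions assume are inferred from those quoted lines rather than taken from product documentation.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the seosd trace records quoted in the article for the failing case.
SAMPLE_TRACE = """\
18 Feb 2025 15:29:06> FORK    : P=143777 U=909832 G=15000 Child=143778 ACEEH=9     F=80000001 Pgm:/usr/bin/passwd
18 Feb 2025 15:29:06> SUID    : P=143778 U=909832 (R=909832 E=0    S=0   ) to USER.root (R=0    E=0    S=0   ) D=0000fd00 I=6599167
18 Feb 2025 15:29:06> SUID    > Result: 'D' [stage=69 gstag=0  ACEEH=9    rv=0]
        Why?    No Step that allowed access
"""
# Constructed seos.ini fragment with the Resolution's token set (';' starts a comment line).
SAMPLE_SEOS_INI = "; Default Value: none\nbypass_suid_program = /usr/bin/passwd\n"
FORK_RE = re.compile(r"FORK\s+: P=\d+ .* Child=(\d+) .* Pgm:(\S+)")  # layouts assumed from the quoted lines
SUID_RE = re.compile(r"SUID\s+: P=(\d+) .* to (USER\.\S+) ")
RESULT_RE = re.compile(r"SUID\s+> Result: '([A-Z])'")

def find_denied_surrogates(trace: str) -> List[Dict[str, str]]:
    """Each SUID request seosd denied ('D'), joined via the FORK record to the child's program."""
    child_program: Dict[str, str] = {}  # child pid -> program, from FORK records
    denied: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None  # SUID request awaiting its Result line
    for line in trace.splitlines():
        if m := FORK_RE.search(line):
            child_program[m.group(1)] = m.group(2)
        elif m := SUID_RE.search(line):
            pid = m.group(1)
            pending = {"pid": pid, "target": m.group(2), "program": child_program.get(pid, "unknown"), "reason": ""}
        elif (m := RESULT_RE.search(line)) and pending:
            if m.group(1) == "D":
                denied.append(pending)  # seosd's reason follows on the next "Why?" line
            else:
                pending = None  # permitted ('P'): nothing to report
        elif pending and denied and denied[-1] is pending and "Why?" in line:
            pending["reason"] = line.split("Why?", 1)[1].strip()
            pending = None
    return denied

def bypass_suid_program(seos_ini: str) -> Optional[str]:
    """Value of the bypass_suid_program token, or None when it is absent or commented out."""
    for line in seos_ini.splitlines():
        if not line.lstrip().startswith(";") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "bypass_suid_program":
                return value
    return None

def unbypassed_denials(trace: str, seos_ini: str) -> List[Dict[str, str]]:
    """Denied surrogates to USER.root whose program the bypass token does not name."""
    bypass = bypass_suid_program(seos_ini)
    return [d for d in find_denied_surrogates(trace) if d["target"] == "USER.root" and d["program"] != bypass]
```

The token must hold the real path of passwd, so on an endpoint compare it against the output of `readlink -f` on the binary rather than the path as typed.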