After ssh into an AIX endpoint user is always root

Article ID: 400984


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

It has been noticed that in some AIX machines no matter what user is logged in to

12 Jun 2025 16:35:48> SETGRPS : P=53346716 to 30100,195,196.

12 Jun 2025 16:35:48> SGID    > P=53346716 U=0    (RG=30100 EG=30100 SG=30100) to (RG=30100 EG=30100 SG=30100) () BYPASS

12 Jun 2025 16:35:48> FILE    : P=53346716 (/usr/sbin/sshd-session) U=0    (D=a0004    I=19030 )     READ  :/etc/passwd

12 Jun 2025 16:35:48> FILE    > (/usr/sbin/sshd-session) Result: 'P' [stage=61 gstag=61 ACEEH=1    rv=0(/etc/passwd)]

                Why?    User is OPERATOR on resource

12 Jun 2025 16:35:48> FILE    : P=53346716 (/usr/sbin/sshd-session) U=0    (D=a0004    I=19624 )     READ  :/etc/security/passwd

12 Jun 2025 16:35:48> FILE    > (/usr/sbin/sshd-session) Result: 'P' [stage=61 gstag=61 ACEEH=1    rv=0(/etc/security/passwd)]

                Why?    User is OPERATOR on resource

12 Jun 2025 16:35:48> SUID    : P=53346716 U=0    (R=0    E=0    S=0   ) to USER.gv44801 (R=89956 E=89956 S=89956) D=000a0005 I=200174

12 Jun 2025 16:35:48> SUID    > Result: 'P' [stage=59 gstag=1059 ACEEH=1    rv=0]

                Why?    Default record universal access check

12 Jun 2025 16:35:48> SUID    > P=53346716 U=0    (R=89956 E=89956 S=89956) to (R=89956 E=89956 S=-1  ) () BYPASS

12 Jun 2025 16:35:48> SGID    > P=53346716 U=0    (RG=30100 EG=30100 SG=30100) to (RG=-1   EG=30100 SG=-1  ) () BYPASS

12 Jun 2025 16:35:48> SGID    > P=53346716 U=0    (RG=30100 EG=30100 SG=30100) to (RG=-1   EG=30100 SG=-1  ) () BYPASS

12 Jun 2025 16:35:48> SUID    > P=53346716 U=0    (R=89956 E=89956 S=89956) to (R=-1   E=89956 S=-1  ) () BYPASS

Then

$ sewhoami -a
root
ACEE Contents
  User's Name             : root
  ACEE's Handle           : 1
  Group Connections Table:
    Group Name                                         Connection Mode
    ================================================   ===============
    system                                             Regular 
    tivlogs                                            Regular 
Categories              : <None>
Profile Group           : <None>
Security Label          : <None>
User's Audit Mode       : Failure LoginSuccess LoginFailure 
User's Security Level   : 0
Source Terminal         : <Unknown>
Process Count for ACEE  : 158
User's Mode             : Operator 
ACEE's Creation Time    : Thu May 29 12:22:56 2025

Environment

PAM SC 14.1.x on AIX

Cause

The SSHD LOGINAPPL must be changed to allow this login as required.

Resolution

The following rule should solve the problem:

nr LOGINAPPL SSHD loginpath(/usr/sbin/sshd-session) loginflags(none) loginsequence(SGRP, SUID, SEID) loginmethod(normal) defacc(x)
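Added example, not part of the original article or of the product: a small Python parser for the trace format shown in the Issue section. It lists, per process, the identity-change events in order and the user each SUID targets, so the result can be compared with sewhoami output from the same session. The field layout is inferred from the excerpt on this page; reading ':' lines as checked requests and BYPASS lines as unchecked calls is an assumption.

```python
import re

# Lines copied from the trace excerpt on this page (some FILE/"Why?" lines omitted).
SAMPLE_TRACE = """\
12 Jun 2025 16:35:48> SETGRPS : P=53346716 to 30100,195,196.
12 Jun 2025 16:35:48> SGID    > P=53346716 U=0    (RG=30100 EG=30100 SG=30100) to (RG=30100 EG=30100 SG=30100) () BYPASS
12 Jun 2025 16:35:48> FILE    : P=53346716 (/usr/sbin/sshd-session) U=0    (D=a0004    I=19030 )     READ  :/etc/passwd
12 Jun 2025 16:35:48> SUID    : P=53346716 U=0    (R=0    E=0    S=0   ) to USER.gv44801 (R=89956 E=89956 S=89956) D=000a0005 I=200174
12 Jun 2025 16:35:48> SUID    > Result: 'P' [stage=59 gstag=1059 ACEEH=1    rv=0]
12 Jun 2025 16:35:48> SUID    > P=53346716 U=0    (R=89956 E=89956 S=89956) to (R=89956 E=89956 S=-1  ) () BYPASS
"""

# Layout inferred from the excerpt: "<timestamp>> <CLASS> <:|>> <details>"
LINE = re.compile(r"^(?P<ts>\d{1,2} \w{3} \d{4} [\d:]{8})> (?P<cls>[A-Z]+)\s*(?P<mark>[:>]) (?P<rest>.*)$")
PID = re.compile(r"\bP=(\d+)")
PROGRAM = re.compile(r"\((/[^)\s]+)\)")   # program path as printed on FILE lines
TARGET = re.compile(r"\bto USER\.(\S+)")  # target user named on a SUID request

def summarize(trace):
    """Per PID: program seen on FILE lines, ordered identity events, BYPASS count."""
    procs = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines such as "Why? ..." have no timestamp
        pid = PID.search(m["rest"])
        if not pid:
            continue  # "Result:" lines do not repeat the PID
        p = procs.setdefault(pid.group(1), {"program": None, "events": [], "bypass": 0})
        if m["cls"] == "FILE":
            prog = PROGRAM.search(m["rest"])
            if prog:
                p["program"] = prog.group(1)
        elif m["cls"] in ("SETGRPS", "SUID", "SGID"):
            if m["rest"].rstrip().endswith("BYPASS"):
                p["bypass"] += 1          # assumption: call was not checked
            elif m["mark"] == ":":
                tgt = TARGET.search(m["rest"])
                p["events"].append((m["cls"], tgt.group(1) if tgt else None))
    return procs

def login_candidates(procs, loginpath):
    """(pid, target user) for each SUID request issued by the given program path."""
    return [(pid, user) for pid, p in procs.items() if p["program"] == loginpath
            for cls, user in p["events"] if cls == "SUID" and user]

if __name__ == "__main__":
    for pid, user in login_candidates(summarize(SAMPLE_TRACE), "/usr/sbin/sshd-session"):
        print(f"PID {pid}: sshd-session switched to {user}; compare with sewhoami")
```

A session whose trace names one target user while sewhoami in that session reports root matches the symptom described in this article.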