RootAsRole Command matching

Role Conflict resolution

As you may know, with this RBAC model it is possible for multiple roles to reference the same command for the same users. Since by default we do not ask which role to use, the tool applies a policy that chooses a role using the user, the group, the command entry and least-privilege criteria. We apply a partial-order comparison algorithm [Abedin et al. 2006] to decide which role should be chosen:

  • Find all the roles that match the user id or group id assignment, and the command input
  • Within the matching roles, select the one that is the most precise and least privileged:
    1. exact command is more precise than command with regex argument
    2. command with regex argument is more precise than a wildcarded command path
    3. wildcarded command path is more precise than wildcarded command path and regex args
    4. wildcarded command path and regex args is more precise than complete wildcard
    5. A task granting no capability is less privileged than one granting at least one capability
    6. A task granting no insecure capability is less privileged than one granting at least one insecure capability
    7. A task granting insecure capability is less privileged than one granting all capabilities.
    8. A task without setuid is less privileged than one that has setuid.
    9. If no-root is disabled, a task without 'root' setuid is less privileged than a task with 'root' setuid
    10. A task without setgid is less privileged than one that has setgid.
    11. A task with a single setgid is less privileged than one that sets multiple gids.
    12. If no-root is disabled, a task with multiple setgid is less privileged than one that sets the root gid
    13. If no-root is disabled, a task with root setgid is less privileged than one that sets multiple gids, in particular including the root group
    14. A task that requires authentication is less privileged than one that doesn't
    15. A task that keeps safe PATH values is less privileged than one that doesn't
    16. A task that keeps unsafe PATH values is less privileged than one that keeps it safe
    17. A task that keeps environment variables is less privileged than one that doesn't
    18. A task that enables root privileges is less privileged than one which disables root privileges (see "no-root" feature)
    19. A task that disables the Bounding set feature in RootAsRole is less privileged than one that enables it
    20. User assignment is more precise than a combination of group assignments
    21. A combination of group assignments is more precise than a single group assignment

After these steps, if two roles still compare equal, they are considered equal. In this case, if their execution settings are identical, it does not matter which role is chosen: the requested command is executed. If the execution settings differ, there is a conflict: the configurator is warned that the roles may be in conflict, and they cannot be reached without specifying the role precisely (with the --role and/or --task option). In such cases we highly recommend reviewing the design of the configured access control.
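The selection procedure above as a worked example in Rust. This is an added illustration, not RootAsRole's own code, and the real implementation differs. It models a subset of the criteria (command precision, capabilities, setuid, setgid, authentication and assignment precision), compares candidates lexicographically in the listed order, honours the no-root condition of criteria 9, 12 and 13 through a flag, and reports a conflict when tied roles differ in execution settings. All type names, the `compare` and `select` functions, and the sample roles are constructed for this example.

```rust
use std::cmp::Ordering;

/// How a task's command pattern matched the requested command (criteria 1-4).
/// Variant order is precision order: an earlier variant is more precise.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum CmdMatch { Exact, RegexArgs, WildcardPath, WildcardPathRegexArgs, FullWildcard }

/// How the caller was matched to the role (criteria 20-21), most precise first.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Assignment { User, GroupCombination, SingleGroup }

/// Capability grant of a task (criteria 5-7), least privileged first.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Caps { None, Safe, Insecure, All }

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum SetUid { None, User(String), Root }

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum SetGid { None, Single(String), Multiple(Vec<String>), Root, MultipleWithRoot(Vec<String>) }

/// One (role, task) pair that matched both the caller and the command.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Candidate {
    pub role: String,
    pub cmd: CmdMatch,
    pub assignment: Assignment,
    pub caps: Caps,
    pub setuid: SetUid,
    pub setgid: SetGid,
    pub requires_auth: bool,
}

impl Candidate {
    /// Execution settings only: tied candidates with identical settings are interchangeable.
    fn same_settings(&self, other: &Candidate) -> bool {
        self.caps == other.caps && self.setuid == other.setuid
            && self.setgid == other.setgid && self.requires_auth == other.requires_auth
    }
}

/// Criteria 8-9: root setuid ranks above another setuid only when no-root is disabled.
fn setuid_rank(s: &SetUid, no_root: bool) -> u8 {
    match s {
        SetUid::None => 0,
        SetUid::User(_) => 1,
        SetUid::Root => if no_root { 1 } else { 2 },
    }
}

/// Criteria 10-13, with the same no-root condition for the root group.
fn setgid_rank(s: &SetGid, no_root: bool) -> u8 {
    match s {
        SetGid::None => 0,
        SetGid::Single(_) => 1,
        SetGid::Multiple(_) => 2,
        SetGid::Root => if no_root { 1 } else { 3 },
        SetGid::MultipleWithRoot(_) => if no_root { 2 } else { 4 },
    }
}

/// Lexicographic comparison in the order the criteria are listed.
/// `Ordering::Less` means `a` is more precise or less privileged than `b`.
pub fn compare(a: &Candidate, b: &Candidate, no_root: bool) -> Ordering {
    a.cmd.cmp(&b.cmd)
        .then(a.caps.cmp(&b.caps))
        .then(setuid_rank(&a.setuid, no_root).cmp(&setuid_rank(&b.setuid, no_root)))
        .then(setgid_rank(&a.setgid, no_root).cmp(&setgid_rank(&b.setgid, no_root)))
        // criterion 14: requiring authentication ranks lower, so the bools are compared reversed
        .then(b.requires_auth.cmp(&a.requires_auth))
        .then(a.assignment.cmp(&b.assignment))
}

#[derive(Debug, PartialEq, Eq)]
pub enum Selection { Chosen(Candidate), Conflict(Vec<Candidate>), NoMatch }

/// Pick the minimum under `compare`; a tie is acceptable only if every tied candidate
/// has identical execution settings, otherwise the configurator must be warned.
pub fn select(candidates: &[Candidate], no_root: bool) -> Selection {
    let best = match candidates.iter().min_by(|a, b| compare(a, b, no_root)) {
        Some(b) => b,
        None => return Selection::NoMatch,
    };
    let ties: Vec<Candidate> = candidates.iter()
        .filter(|c| compare(c, best, no_root) == Ordering::Equal)
        .cloned().collect();
    if ties.iter().all(|c| c.same_settings(best)) {
        Selection::Chosen(best.clone())
    } else {
        Selection::Conflict(ties)
    }
}

pub fn cand(role: &str, cmd: CmdMatch, assignment: Assignment, caps: Caps, setuid: SetUid) -> Candidate {
    Candidate { role: role.to_string(), cmd, assignment, caps, setuid, setgid: SetGid::None, requires_auth: true }
}

/// Constructed sample: three roles matching the same command for the same caller.
pub fn sample_candidates() -> Vec<Candidate> {
    vec![
        cand("ops", CmdMatch::Exact, Assignment::SingleGroup, Caps::Insecure, SetUid::Root),
        cand("webadmin", CmdMatch::Exact, Assignment::User, Caps::Safe, SetUid::Root),
        cand("anything", CmdMatch::FullWildcard, Assignment::User, Caps::All, SetUid::Root),
    ]
}

/// Constructed sample: two roles equal under every criterion but with different setuid targets.
pub fn conflicting_candidates() -> Vec<Candidate> {
    vec![
        cand("backup-a", CmdMatch::Exact, Assignment::User, Caps::None, SetUid::User("backup".into())),
        cand("backup-b", CmdMatch::Exact, Assignment::User, Caps::None, SetUid::User("svc".into())),
    ]
}

fn main() {
    println!("{:?}", select(&sample_candidates(), false));
    println!("{:?}", select(&conflicting_candidates(), false));
}
```

In the first sample, "ops" and "webadmin" tie on command precision, so the capability criterion decides and "webadmin" (safe capabilities only) wins over "ops" (insecure capabilities), even though "anything" would also match. In the second sample, neither criterion separates the two roles, but their setuid targets differ, which is exactly the situation where the configurator is warned and a --role or --task option is required.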