Description

There are a couple of issues with running BoKS on certain versions of AIX VIO.

1.

System administration tasks on AIX VIO are typically carried out by logging in as the padmin user and then running the oem_setup_env command, which starts a root shell. Although this is a root shell, certain limitations may apply because the padmin user logs in with a restricted shell, because the root privileges are granted via RBAC, or because of a combination of the two.

If the BoKS daemons are recycled from within the oem_setup_env shell (via /etc/rc.boks or $BOKS_sbin/Boot), all users who log in to the system thereafter become root.

Starting the native AIX sshd, /usr/sbin/sshd, this way results in the same problem. This is caused by a bug in VIOS, not in BoKS. See item 1 under Resolution / Workaround below for the fixed version.

2.

The AIX VIO administration interface requires AIX RBAC, and the RBAC configuration may be changed even in minor updates from IBM. BoKS can optionally manage RBAC with the Extensible Role Based Access Control (xRBAC) functionality, and may then overwrite updates to AIX RBAC, causing problems.



Resolution / Workaround

1.

Upgrade VIOS to at least version 2.2.3.0, fixpack 25 sp 1.

For other workarounds, see KB #10563 - "Advisory: Normal users logged in as root on AIX VIO".

2.

If you are using xRBAC, it is very important that you disable it for the AIX VIO hosts by enabling the flag rolesettest with hostadm; otherwise you risk overwriting the AIX RBAC configuration, which can make the administration interface unavailable:

# hostadm -m -h hostname -A rolesettest



Last Modified On: June 28, 2019