Make your own free website on Tripod.com
Make your own free website on Tripod.com

 

CaclMgr TM

This web site is outdated, please check our company's new web site at https://www.wziss.com/


What is CaclMgr?

Why need CaclMgr?

 

In method 1, the problem is it is very difficult to make sure that account can't be used to get other system access. In some cases it is even impossible.
In method 2, many executables need be setuid and C programs need be developed and setuid for each scripts to grant the account root privilege on those commands. The difficulty is it requires the programmers who develop such C programs having very good knowledge on UNIX system programming and UNIX security, otherwise such a wrapper can easily result in security holes. Another problem is it is very difficult to maintain/manage/control all these setuid executables reside here and there. For example, it may not be easy to find out all setuid commands a specific user has execution permission, or remove an user from all sensitive commands.
CaclMgr provides a full set of carefully designed commands to ease privilege management on commands. For example, to grant user staff1 the privilege to run shutdown command:
  As root, run
    cacl -a staff1 /usr/sbin/shutdown
This command will create a record in CaclMgr's database, saying thatstaff1 is allowed to su root when execute /usr/sbin/shutdown. Next time, staff1 can shutdown the server by running
    cacl -e root /usr/sbin/shutdown
Here, cacl will check CaclMgr's database to verify that the user who running this command is really trusted to su root to run /usr/sbin/shutdown and the /usr/sbin/shutdown file is the original as recorded.
By using CaclMgr, privileged users can easily manage their privileges to be used by others. For example, to verify what commands you have granted to user U, just run
    cacl -c U
If you want to know who have the right to use your ID to run command cmd, call
   
cacl -c /the-path-to/cmd
To revoke user U's right to use your ID to execute command cmd, simply run
   
cacl -r U cmd
To show who have used your ID to run commands, type
   
cacl -p

Compared with other similar software, CaclMgr is more user friendly: every user can easily control his or her uid to be used by others by himself or herself, and each user can easily check the whole status: What commands have been executed by other users using my uid? What commands have I given my uid for user B to run?

CaclMgr also provides more helps to system administrators and other privileged users to maintain good security in privilege granting.

First, CaclMgr provides the most advanced control over which environment variables are allowed be passed on to a command executed under it. Uncontrolled environment variable setting is the biggest security threat for letting other users to use your privilege to run commands.

Second, when you using CaclMgr to grant a command for some other users to run using your uid, CaclMgr will record down the checksum of the command file so that when a user tries to execute the command using your uid, CaclMgr will verify again and refuse to run if that command has been changed.

System administrators and users without very good UNIX security knowledge will also be benefited from the system wide warnning feature:
/etc/CaclMgr/CaclMgr.warn
When you try to grant others the permission to use your uid to execute a command listed in this file, CaclMgr will give you a warnning as the commands listed in the file are considered very dangerous: for example, if you grant a user to use your uid to execute the "view" command, what could happen? You think the "view" command will only allow the user to read your files right? No!!!

Experienced system administrators and security officers could also update this file when they find some more commands are dangerous to be executed under different UID.

Please read the CaclMgrVersion.readme file included in the package for more security features of CaclMgr.

You can download the software and apply for a free DEMO license from our Home Page

For more info, please contact us.


Nedstat Counter