topic Re: Delegate start/stop services to regular user in Operating System - HP-UX

Delegate start/stop services to regular user

Jorge Fabregas — Wed, 08 Oct 2003 17:48:00 GMT

Hello everyone,

We're running Oracle 9iAS on two nodes (application server and database server). I would like to let a regular user start/stop services on the application server.

To do this, the user must be oracle and group dba. I did my homework and I tried to accomplish this via SUID but unfortunately that didn't work. First of all, let me tell you that SUID works for scripts (many people think that it only works for binary executables). The problem I had was that everytime the script runs: the UID and GID remains as that of the regular user (and not oracle:dba). I placed the "id" command on the script and then executed the script as "jose". The output of the id command was:

uid=107(jose) gid=20(users) euid=103(oracle) egid=103(dba)

And then when it was the section to run the oracle commands (dcmctl in this case) I had a bunch of erros. Somehow, these oracle programs (dcm etc...) will look for UID and GID (besides EUID AND EGID).

I even created a c program that calls the script (and the I used SUID and GUID for this program) but I had the same results.

So, my question is...is there a way a regular user can run a script as another user (even with UID and GID as that of the other user) ..not just EUID and EGID?

Can SUDO accomplish this?

Thanks,
Jorge

Re: Delegate start/stop services to regular user

Patrick Wallek — Wed, 08 Oct 2003 18:00:54 GMT

Sudo is designed to allow non-root users to run commands/programs/scripts as root.

What you could do is write a script that does something like:

#/usr/bin/sh
su - oracle -c "run_the_start_script"

Set the permissions on the above script so it is just executable by root. Then set up sudo so that the user can then run that script, which will then su to oracle and run your startup script.

Re: Delegate start/stop services to regular user

Jorge Fabregas — Wed, 08 Oct 2003 18:13:16 GMT

Ahhhhhhh Thanks Patrick! That's the kind of solution I was looking for!

I thought about these 2 possible work-arounds:

1> use sudo...but then I thought exactlhy what you mention: sudo is for regular-users to run programs as root (not my case..since I want user to user interaction) .... option 1 discarded

2> create a script using the su line you mention..but then I thought: this user won't be root so the "su" command is going to prompt for a password...then I thought about the "expect" command...and also thought about not liking to hard-code the oracle password in the script..so....option 2 discarded

and now you came with the best of both worlds! THANKS AGAIN!

Re: Delegate start/stop services to regular user

Keith Bevan_1 — Thu, 09 Oct 2003 07:29:59 GMT

Jorge,

Sudo is probably your best option as Patrick has already suggested.

Sudo represents only one solution and even though it is free there is another more friendly product call UPM (Unix Privilege Manager) which is distributed by PASSGO (aka Symantec offshoot).

Have a look at the product information just for a comparison :-

http://www.passgo.com/products/upm/index.htm

Hope this helps.

Keith

Re: Delegate start/stop services to regular user

Bill Hassell — Thu, 09 Oct 2003 08:19:39 GMT

Using SUID on scripts is usually the hackers first method to crack your system. Thus, it is not easy (and certainly not desirable) to have any SUID scripts at all. Indeed, one of your first tasks to would be to remove SUID capability from mountpoints that have user access or will never need executables. Examples of nosuid would be:

/tmp /var /home
and of course, all Oracle mountpoints for data, index, logs, etc.

sudo is the preferred choice because it logs all activities and you control exactly what each user can do (to the point of specific programs and evemn restricted parameters).

Re: Delegate start/stop services to regular user

Sanjay_6 — Thu, 09 Oct 2003 08:30:05 GMT

Hi Jorge,

I've user a licensed software called powerbroker which is quite good. You can download a evauluation copy from their website.

http://www.symark.com

Hope this helps.

Regds
Sanjay