topic Re: LVM command in Operating System - HP-UX

LVM command

YLTan — Wed, 23 Apr 2003 01:27:00 GMT

I notice that all the lv's , pv's , vg's command such lvlnboot, pvdisplay, vgchange, etc. have its uid and gid set to 4000 and 2000.

This means a non-root users can also executed those commands on lv, pv and vg.

Does this pose a considerable problems in configuration to the system when some non-users just execute it without knowing its impact?

Can I reset those uid and gid for these commands? Will it have any impact on its execution?

Re: LVM command

Patrick Wallek — Wed, 23 Apr 2003 01:37:54 GMT

Here are the permissions for all of my lv*, pv* and vg* commands. They are all owned by root with the group sys. If yours are different they are definitely NOT RIGHT.

My next step would be to figure out why they are different.

Good luck.

root@hquas06:/usr/sbin->ll lv* pv* vg*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvchange*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvcreate*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvdisplay*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvextend*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvlnboot*
-r-xr--r-- 1 bin bin 143360 Nov 6 1997 lvmmigrate*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvreduce*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvremove*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvrmboot*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvchange*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvck*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvcreate*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvdisplay*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvmove*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvremove*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgcfgbackup*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgcfgrestore*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgchange*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgchgid*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgcreate*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgdisplay*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgexport*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgextend*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgimport*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgreduce*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgremove*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgscan*
root@hquas06:/usr/sbin->

Re: LVM command

John Poff — Wed, 23 Apr 2003 01:40:18 GMT

Hi,

I'm pretty sure that you have to be root to execute those commands. The commands are probably coded so that they check your UID when you run them and they make sure you are root.

When you say the UID and GID are set to 4000 and 2000, do you mean the ownership of those command file executables? My guess is that they should probably be root:sys or bin:bin or something along those lines.

JP

Re: LVM command

Michael Tully — Wed, 23 Apr 2003 01:47:45 GMT

You should never allow access to commands like lvlnboot, vgchange and pvcreate. They could terrible damage. The dislay programs are okay to use. The onwership are root:sys

Re: LVM command

Patrick Wallek — Wed, 23 Apr 2003 01:49:54 GMT

I just tried an experiment and logged in as a normal user (not root) and I could run /usr/sbin/lvdisplay and /usr/sbin/vgdisplay. I didn't try any of the others but they MAY work as well.

Now one thing I did have to do is specify the FULL PATH to the commands since /usr/sbin is not normally in a normal users path and it should really never be.

I don't know if it would hurt to take execute permission off of world for those commands or not. If you are really paranoid about security it may be something to test out and see how it works.

Re: LVM command

Michael Tully — Wed, 23 Apr 2003 01:51:14 GMT

In addition, some of these commands have their own in built protection:

e.g.
$ lvlnboot -v
Must be root to use this command.

If users must have this type of access, install 'sudo'
You can get it from here:

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/

Re: LVM command

S.K. Chan — Wed, 23 Apr 2003 02:43:10 GMT

With the the same permission and ownership of all the vg*,lv* & pv* commands (like shown by Patrick) in /usr/sbin I can only run these ..
- vgdisplay
- lvdisplay
- pvdisplay
.. as normal user. The rest of the commands can only be run as root. So you can actually leave the permissions and ownerships unchanged.

Re: LVM command

James R. Ferguson — Wed, 23 Apr 2003 11:03:06 GMT

Hi:

If you examine the output of Patrick's 'ls' command you will immediately note that the LVM binaries listed have multiple links (in fact, 26 in his listing). If you would further examine these binaries you can find that *all* of them are actually the *same* binary file. They are all hard-links to a single piece of code. Hence, any change in permissions or ownership to one link is reflected in every link.

An easy way to show their commonality is to do:

# ls -il /usr/sbin/lvchange

...note the inode number (e.g. 15042 on one of my systems). Then look for all files matching this inode:

# ls -il /usr/sbin|grep 15042

...you will thus expose all of the common binaries in Patrick's post.

Regards!

...JRF...

Re: LVM command

John Poff — Wed, 23 Apr 2003 13:13:24 GMT

Hi,

I tried some of the commands on a test system here this morning as a non-root user. I can do the display commands [vgdisplay, lvdisplay, etc.] but when I tried to do an lvextend it complained, "Must be root to use this command".

It looks like the binaries do check to make sure you are root before you do something dangerous.

JP

Re: LVM command

YLTan — Sun, 27 Apr 2003 08:53:40 GMT

Hi All,

Thanks for all the help.

Why did HP put uid and gid in those commands as defaults installation? It is misleading.

Re: LVM command

Robert-Jan Goossens — Sun, 27 Apr 2003 10:55:26 GMT

Hi,

Take a look at this doc, it explains the why and what.

Docid: A4318288D
Mechanism used to prevent regular user from running LVM commands

Europe and Asia
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062938676

US
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062938676

Hope it helps,

Robert-Jan.