12-13-2006 07:23 AM
Enable user other than root to run make_tape_recovery?
Sudo is not an option, and I've tried setting permissions on make_tape_recovery itself to 4777, which did not work.
Does anyone know of any other workarounds to get this to function?
Thanks-
Stacey
12-13-2006 07:41 AM
Re: Enable user other than root to run make_tape_recovery?
12-13-2006 07:53 AM
Re: Enable user other than root to run make_tape_recovery?
You can create a small C 'setuid' wrapper around a shell script. The shell script executes whatever you need and will run as the 'root' user. For example:
# cat /root/makerecovery.sh
#!/usr/bin/sh
make_tape_recovery -x inc_entire=vg00 -I -v -a /dev/rmt/0mn && mt -t /dev/rmt/0m offl > /dev/null 2>&1
...Now, create a tiny C program
# cat /root/makerecovery.c
#include <stdlib.h>   /* system(), exit() */
#include <unistd.h>   /* setuid() */
int main()
{
    int rslt = 0;
    rslt = setuid(0);   /* become root; works because the binary is setuid root */
    if (rslt == 0) {
        rslt = system("/root/makerecovery.sh");
    }
    exit(rslt);
}
...and compile it:
# cc /root/makerecovery.c -o /root/makerecovery.o
Then:
# chown root:root /root/makerecovery.sh
# chmod 500 /root/makerecovery.sh
# chown root:oper /root/makerecovery.o
# chmod 4550 /root/makerecovery.o
Provide this to your computer operators. They can execute '/root/makerecovery.o' and when it runs, it will run as the 'root' user. The '/root/makerecovery.sh' cannot be modified except by the root user. Make sure that the directory in which it resides is not writable by anyone other than root, too. You don't want someone to replace what you have with something else!!!
Regards!
...JRF...
12-13-2006 09:26 PM
Re: Enable user other than root to run make_tape_recovery?
12-13-2006 09:29 PM
Re: Enable user other than root to run make_tape_recovery?
The reason the 4 didn't work is because you have to be root to execute
make_tape_recovery,
and the normal settings are:
-r-xr-xr-x 2 bin bin 471040 Sep 15 03:34 make_tape_recovery
P.S. What is the problem with sudo?
12-14-2006 01:11 AM
Re: Enable user other than root to run make_tape_recovery?
Then the operator only needs to change the tape periodically.
12-14-2006 01:59 AM
Re: Enable user other than root to run make_tape_recovery?
The wrapper idea appears to be the best one for now, so will look into that.
Thanks-
Stacey
12-14-2006 11:56 AM
Re: Enable user other than root to run make_tape_recovery?
Scenario 1) Done in a script and invoked by inetd
Operator puts the tape in the drive
Walks over to his PC and starts a browser
Enters the URL...
http://servername:port
and then the make_tape_recovery starts...
Could be done by:
- create a script with make_tape_recovery command ex. /script/MkIgniteTape
- create an entry in /etc/services
ex. IgniteTape 8010/tcp
- create an entry in /etc/inetd.conf
ex. IgniteTape stream tcp nowait root /script/MkIgniteTape MkIgniteTape
Precautions:
* make sure no other program uses the port
* any connections towards this port will start the script/command (not smart together with port scanners)
-----
I've been using this for invoking ftp retrieval from an insecure system towards the server. Better than letting them log in with ftp and put files. They just knock on the port when I'll fetch the files with my script.
I use a pidfile to avoid multiple parallel startups
Scenario 2) Done by login script
Operator puts the tape in the drive
Walks over to a terminal and logs in with a specific user.
The login shell will start the make_tape_recovery
Could be done by:
- create a script with make_tape_recovery command ex. /script/MkIgniteTape
- Add the script to /etc/shells
- create a user with the script as login shell.
- when script is exited, the user is logged off.
Precautions:
* Do not stop for operator input unless the script avoids "breakout" attempts (ex. if you start vi in this script, the user could run commands from vi without exiting)
----
Previously, when we spooled from HP-UX, I used the 2nd method for several years for spool administration.
This script was putting up an operator menu.
To avoid breakout I used:
#! /usr/bin/sh
# Catch HUP, INT (Ctrl+C) and QUIT: clean up and exit instead of dropping to a shell
trap 'print "\aProgram is terminated";rm -f "$TMPFILE";exit' 1 2 3
TMPFILE="/tmp/Operator.$$"
:-) Tor-Arne
12-14-2006 08:57 PM
Re: Enable user other than root to run make_tape_recovery?
A file with the settings 4750
#!/sbin/sh
/opt/ignite/bin/make_tape_recovery -x inc_entire=vg00 -x inc_entire=vg01 \
-x exclude=/depots
can do the trick. An extra user check can be added.
If you trust the executor, you can also add an extra root user; this user can do everything that root can do...
ignite:*:0:3::/root:/sbin/sh
P.S. sudo can be configured so that 1 or more users can execute only this command, and nothing else.
12-15-2006 02:44 AM
Re: Enable user other than root to run make_tape_recovery?
Apparently make_tape_recovery is insisting that root run it.
HP Operator> ./makerecovery
ERROR: Must have root capability to use make_net_recovery or
make_tape_recovery
Thanks for your help, gentlemen.
Stacey