Ignite-UX

why can only root can run make_recovery?

 
SOLVED
Go to solution
Tom Gore
Regular Advisor

why can only root can run make_recovery?

Why is root the only signon that can run make_recovery?

What would I need to do to allow another signon (our operators) to run make_recvoery? I want them to be able to use their individual sign ons to run make_recovery, but not be "all powerful" like root.

Thanks
17 REPLIES 17
Mark Grant
Honored Contributor

Re: why can only root can run make_recovery?

I imagine that it'd partly becuase you need read access to all files in order to back them up. You don't want to give users read access to all your configuration.
Never preceed any demonstration with anything more predictive than "watch this"
Pete Randall
Outstanding Contributor

Re: why can only root can run make_recovery?

Tom,

Why? It's part of an administrator's job to make sure the system is adequately protected from catastrophic failure. There may also be some security issues.

In order to delegate this task, look into "sudo":

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

Sudo can be set up to allow non-root users access to various commands just like they were actually logged in as root.


Pete

Pete
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: why can only root can run make_recovery?

Consider this: Unless a super-user runs make_recovery how could you be assured that all files would be accessible? You could use sudo to give this capability to your operators.
If it ain't broke, I can fix that.
Patrick Wallek
Honored Contributor

Re: why can only root can run make_recovery?

The make_recovery and make_tape_recovery processes MUST be able to read all files in VG00 and must be able to execute certain OS commands and utilities. root is the only id with this access.

You could install something like sudo, which would allows users to run commands as root without knowing the root password. You could then write a script that would run your make_recovery (you really should be using make_tape_recovery) and then set sudo up to allow your operators to run this command via sudo as root, but they still don't know the root passwd


Sudo can be obtained from:

HP Porting Centre
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.7p5/

or

The actual home of sudo:
http://www.courtesan.com/sudo/
Steven E. Protter
Exalted Contributor

Re: why can only root can run make_recovery?

Only root has the access needed to do a make_recovry backup.

make_recovery is obsolete you should be using make_tape_recovery

I have that job run out of root cron. Operations just puts the tapes in before 2 p.m. on Friday.

I am attaching a good script.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tom Gore
Regular Advisor

Re: why can only root can run make_recovery?

Thanks to all. I was not aware of sudo. I will look into that and see if this is something that can loaded on the system (have to get the proper authorization, etc from the managers). In the meantime, I may try the cron solution.

One question to Steven-how do you handle the holidays when nobody is there to load the tape?
Tom Gore
Regular Advisor

Re: why can only root can run make_recovery?

Steven-I just thought of another issue. Every once in a while our ignite backup goes to more than one tape. If the job is in cron what notification is there that another tape needs to be loaded? Rignt now, since it is being run "interactive" the operator is presented with a message to load another tape. Also, if it runs on a day when there is no operator present (holidays), what will happen?

Thanks
Patrick Wallek
Honored Contributor

Re: why can only root can run make_recovery?

With regard to holidays, you could set up a file with your company holidays in it and modify your script so that it does something like:

if [ not a holiday ]
then
run make_tape_recovery
else
don't run it
fi

A. Clay Stephensons caljd.sh or caljd.pl script could help you with this. Try searching the forums on "caljd holiday" and see what turns up.

With regard to the multiple tape issue -- if you are running make_tape_recovery from cron, there is *NO* notification about it needing a second tape, the job will fail! Since cron is non-interactive there is no terminal for make_tape_recovery to send a prompt to and it will, I believe, record such an error in its log.

Sudo is probably your best bet.

Another thought I just had though is you could try writing a script that will run the make_tape_recovery command and then make that script executable and a set-uid script, change the owner to root, the group to something that only your operators have, and then let them run it from there. That *SHOULD* work, but I am not certain.
Tom Gore
Regular Advisor

Re: why can only root can run make_recovery?

Patrick-thanks for your input. I went looking for setuid. All I found was the man page. Where can I get setuid?