
Help getting swinstall restricted

 
Andres_13
Respected Contributor

Help getting swinstall restricted

Hi all,

In your experience what is the best way to restrict the use of swinstall in order to gain change management...

I'm thinking sudo could be a good one, I just want to know your opinion...

Regards!
Bill Hassell
Honored Contributor

Re: Help getting swinstall restricted

swinstall is like any of the commands in /usr/sbin...root only commands. It will fail when trying to install patches or applications that affect restricted files and directories. swinstall is like pax or tar -- anyone can run the command but what it affects is limited by the proper ownership and permissions given to the system directories and files.

sudo is simply a way to temporarily elevate privileges -- but there is no reason to use sudo if the sudoers file is a list of users with ALL ALL privileges. Just give the users the root password -- it accomplishes the same thing. A proper sudo file will restrict every user to a few commands, most with restricted arguments.

For instance, if a user wants to mount and umount a CD, that user is only allowed to reference the CD device file and /cdrom. Anything else and the command fails and the attempt is logged for the auditors.

Good change control carries a lot of overhead -- only certain people can do anything and only after change control approvals have been completed. Picking on swinstall is not the answer. All sysadmin tasks must be examined and then restricted to only a few.


Bill Hassell, sysadmin
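
As an added illustration of the kind of restricted sudoers entry described in the reply above (not part of any post in this thread): the all-privileges rule is shown commented out next to a rule that permits only the exact CD mount and umount command lines. The user name `operator1`, the group `sysadmin`, the device file `/dev/dsk/c1t2d0` and the log path are placeholders assumed for the example.

```sudoers
# Added example. operator1, sysadmin, /dev/dsk/c1t2d0 and the log path
# are assumed placeholders, not values from the thread.

# Weak: no different from handing out the root password.
# %sysadmin  ALL = (ALL) ALL

# Restricted: when arguments are listed, sudo only permits an invocation
# whose arguments match them exactly. Any other device or mount point
# is refused and the attempt is logged.
Cmnd_Alias CD_MOUNT  = /usr/sbin/mount -F cdfs -o ro /dev/dsk/c1t2d0 /cdrom
Cmnd_Alias CD_UMOUNT = /usr/sbin/umount /cdrom

# Keep a dedicated sudo log for the auditors (path is an assumption).
Defaults logfile=/var/adm/sudo.log

# operator1 may run only these two command lines, as root, and nothing else.
operator1  ALL = (root) CD_MOUNT, CD_UMOUNT
```

Edit the file with `visudo` so a syntax error is caught before the new rules take effect.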
Andres_13
Respected Contributor

Re: Help getting swinstall restricted

Good point Bill, there's a lot of things you ought to keep in mind...

So you think "divide and conquer" would be a good approach?

I have actually never used sudo, let me read the manual and I'll be back, luckily, with more specific questions.
Kapil Jha
Honored Contributor

Re: Help getting swinstall restricted

I think by default swinstall can only be run by the root user, so in which way do you want to restrict the use of swinstall?
From your message it seems that you want to allow some users to have access to run swinstall.

Apart from sudo there are other 3rd party tools as well; one very good one I worked on is PowerBroker from Symark.

BR,
Kapil+
I am in this small bowl, I wanna see the real world......
mvpel
Trusted Contributor

Re: Help getting swinstall restricted

Powerbroker "good?" Hmmm...

You may want to have a look at swacl, though it may not be quite what you're looking for:

http://www.docs.hp.com/en/B2355-90692/swacl.1M.html
---
All root filesystems, software depots, and products in software depots are protected by ACLs. The SD commands permit or prevent specific operations based on whether the ACLs on these objects permit the operation. The swacl command is used to view, edit, and manage these ACLs. The ACL must exist and the user must have the appropriate permission (granted by the ACL itself) in order to modify it.
---