Operating System - HP-UX

Re: control editing of hosts file

 
Scott_14
Regular Advisor

control editing of hosts file

Hello:

I may have a need to have some users edit the /etc/hosts file to change printer items that are in here from time to time.
Since this file is read-only, and quite frankly it is not a good idea to be doing this outside of an admin, I may not have a choice in this at this time.

Does anyone do any of this, where they may have to allow a user to edit it but, out of fear of a mess-up, have a way to control it, or another workaround?

Thanks
9 REPLIES
Victor Fridyev
Honored Contributor

Re: control editing of hosts file

Hi,

The simplest way is to give sudo permission to the users for a script which, before "vi /etc/hosts", creates a backup of the file, e.g. as hosts.201001291131.
This allows you to restore the file in case of an error in the file editing.
If you don't trust the users, write a script, which asks for hostname and IP and replaces or adds appropriate string to /etc/hosts, use sudo and backup the hosts before editing.

HTH
Entities are not to be multiplied beyond necessity - RTFM
AVV
Super Advisor

Re: control editing of hosts file

Hi,

You can either use sudo or Restricted SAM for those users who need permission to edit the hosts file.
Scott_14
Regular Advisor

Re: control editing of hosts file

Well, I knew there was not much hope, as I am doing it via sudo now, and had thought of forcing a backup copy.
Thought maybe there was something I did not cover.
Thanks for your help.
Scott
Tingli
Esteemed Contributor

Re: control editing of hosts file

You want to try this?

Set a specified group, and have file /etc/hosts with this group and chmod to 464. (the ownership is still root) Then give those guys the specified group as second group.
Bill Hassell
Honored Contributor

Re: control editing of hosts file

Each person that edits that file can bring your entire server offline with a single error. There is no way to protect server addresses separately from printers.

My preference is to never use printer names. Unless your network printing is out of control, these IP addresses don't change much and the hostnames for printers are used in only one area of HP-UX: the lp spooler. I use nothing but IP addresses for printers. If a printer address changes, I simply edit the interface script where the IP address is stored. The change takes place in real time -- no stopping of the spooler.

In your case, if you give some admins the ability to sudo not as root but as lp, you can limit the damage. A mistake in an lp script just stops one printer but doesn't affect the rest of the server.


Bill Hassell, sysadmin
Johnson Punniyalingam
Honored Contributor

Re: control editing of hosts file

sudo would be the better choice if you have a couple of administrators. Usually the /etc/hosts file belongs to the "system files" which take control of resolving host name to IP, if you don't really have a "Domain Controller" or your host name is not configured as a fully qualified domain name.

Choices:

Either create a script -> menu -> options -> to back up the existing original /etc/hosts file and then to edit /etc/hosts, update what you want, and send an email notification that someone has edited the /etc/hosts file, so that if it's a mess you can quickly recover from the mess by restoring /etc/hosts from the backup copy, also provided from the menu options.

1)Operator Menu
2)Backup Current Host_file_Server_Name
3)Edit Host_File_Server_Name
4)Send Email Notification_Host_file_Changed
5)Restore Original Host file_Server_Name

I have worked on this "ISOMENU" bin which will give temporary admin access for those operators' work, as operations like

"Every weekend the operator used to "bring down and bring up" the MCSG cluster server" using the "Operator Menu", weekly reboot maintenance activity

Hope this Helps,

Regards

Problems are common to all, but attitude makes the difference
Scott_14
Regular Advisor

Re: control editing of hosts file

Well, the situation we are in that has brought all this up is complicated to explain.
Typically as an admin I would be OK doing this, but the control of this is being done by several areas.

I had looked into what Bill mentioned about changing the IP of the printer; one key item here is that the damage is limited to just a printer if a mistake is made.

Thanks everyone. Again, it was a long shot to see what anyone else was doing; sometimes our best practices change with who is directing us.
Steven Schweda
Honored Contributor

Re: control editing of hosts file

Various complex methods could be used, such
as providing a script which could make only
certain (limited) changes to "/etc/hosts",
rather than allowing actual editing of the
thing.

One could also allow no editing of a base
"hosts" file, and allow free editing of an
addendum "hosts" file, and provide a
(privileged) script which would combine the
two files to create an updated "/etc/hosts".
The script could do some basic checking, say
to look for plausible syntax or specific IP
addresses on the non-comment lines in the
user-edited addendum "hosts" file. (It's not
fool-proof, but it might limit fool-caused
damage.)

As usual, many things are possible.
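
The base-plus-addendum approach from the post above, sketched as an added example that is not part of the original thread. The paths `/etc/hosts.base` and `/etc/hosts.printers` and both function names are assumptions; the check also rejects any addendum entry that reuses a name or address already present in the base file, so an operator cannot redefine a server.

```shell
#!/bin/sh
# Added example, not from the thread. The three paths are assumptions.
BASE=${BASE:-/etc/hosts.base}              # admin-owned, operators cannot write
ADDENDUM=${ADDENDUM:-/etc/hosts.printers}  # the only file operators edit
TARGET=${TARGET:-/etc/hosts}

# check_addendum BASE ADDENDUM
# Prints one message per rejected addendum line; status 1 if any were rejected.
check_addendum() {
    awk '
    function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; errs++ }
    { sub(/#.*/, "") }                       # drop comments
    NF == 0 { next }
    FILENAME == ARGV[1] {                    # base: remember every address and name
        for (i = 1; i <= NF; i++) taken[tolower($i)] = 1
        next
    }
    {                                        # addendum line
        n = split($1, o, ".")
        ok = (n == 4)
        for (i = 1; ok && i <= 4; i++)
            ok = ((o[i] ~ /^[0-9]+$/) && (o[i] + 0 <= 255))
        if (!ok)             { bad("bad IPv4 address: " $1); next }
        if (o[1] + 0 == 127) { bad("loopback address not allowed"); next }
        if (NF < 2)          { bad("address without a hostname"); next }
        for (i = 1; i <= NF; i++) {
            if ((tolower($i) in taken))
                bad($i " is already defined in the base file")
            else if (i > 1 && $i !~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/)
                bad("implausible hostname: " $i)
        }
    }
    END { exit(errs ? 1 : 0) }' "$1" "$2"
}

# build_hosts: regenerate TARGET from BASE + ADDENDUM; TARGET is left
# untouched when validation fails.
build_hosts() {
    check_addendum "$BASE" "$ADDENDUM" >&2 || return 1
    tmp=$TARGET.new.$$
    { cat "$BASE"
      echo "# --- entries below are generated from $ADDENDUM ---"
      cat "$ADDENDUM"; } > "$tmp" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$TARGET" && rm -f "$tmp"   # overwrite in place: keeps owner and mode
}

if [ "${1:-}" = build ]; then build_hosts; fi
```

Operators would get sudo rights to this one script with the `build` argument, not to an editor on `/etc/hosts`.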
Scott_14
Regular Advisor

Re: control editing of hosts file

Hello again:
I was able to get the groups to utilize sudo for editing the hosts file, as even my access is limited to this system.

In thinking about this and re-reading some of your answers I decided to see if I can take this farther, but I am unclear on something.

I was able to create a script that simply asks the person for the queue and IP address that the queue needs to point to, and uses a sed s/ip/newip to change the IP of the queue to where they need it.

My problem is how can I reverse it, as I may have 2 of the same IPs in hosts pointing to 1 printer, and now I want the one queue back to another address, as:
1.1.1.1 A
1.1.1.1 B this one I can do with sed.

However, now I need B back to, say, 2.2.2.2, but I need to ensure I change the right one, and the only static, if you will, is B.
I tried a sed looking for the line with B and doing the c/ (to change the full line) but can't seem to work it.

Is there another way to ask the user for the IP of B and not affect A?
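
One way to do what this last post asks, combined with the timestamped backup suggested earlier in the thread (an added example, not code from any poster): the line is selected by the queue name as a whole hostname field, never by its current address, so `A` and `AB` stay untouched when `B` is changed. The function names and the `HOSTS_FILE` override are assumptions, and the name match is case-sensitive.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the HOSTS_FILE
# override are assumptions; meant to be run through sudo as a fixed command.
HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}

# valid_ipv4 ADDR: succeeds only for four dot-separated octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }'
}

# set_queue_ip NAME NEW_IP
# Rewrites the address only on lines where NAME is a whole hostname/alias
# field. Status: 0 changed, 1 bad input, 2 NAME not found, 3 backup failed.
set_queue_ip() {
    name=$1 newip=$2
    valid_ipv4 "$newip" || return 1
    case $name in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    tmp=$HOSTS_FILE.new.$$
    awk -v name="$name" -v ip="$newip" '
        /^[ \t]*#/ || NF < 2 { print; next }     # comments, blanks: copy as is
        {
            hit = 0
            for (i = 2; i <= NF; i++) {          # field 1 is the address
                if (substr($i, 1, 1) == "#") break
                if ($i == name) hit = 1
            }
            if (hit) { sub(/[^ \t]+/, ip); found = 1 }   # replace address only
            print
        }
        END { exit(found ? 0 : 2) }' "$HOSTS_FILE" > "$tmp" ||
        { rm -f "$tmp"; return 2; }
    # Timestamped backup before the change, e.g. hosts.201001291131
    cp -p "$HOSTS_FILE" "$HOSTS_FILE.$(date +%Y%m%d%H%M)" ||
        { rm -f "$tmp"; return 3; }
    cat "$tmp" > "$HOSTS_FILE" && rm -f "$tmp"
}

if [ $# -eq 2 ]; then set_queue_ip "$1" "$2"; fi
```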