Re: Create a depot with non-root user

Vibhor Kumar Agarwal
Esteemed Contributor

Create a depot with non-root user

Hi,

I am creating a depot with non-root user.
Giving the "run_as_superuser=false" with swpackage command starts the process successfully.

I want the files to have the permissions of the user with which the swpackage command is being run but the files should get deployed as permissions of root. This is what is troubling me.

If the permissions are of the calling user, it gets deployed with the same permissions.
The "file_permissions -o bin -g bin -m 555" tag doesn't take only "owner" & "group", it requires "mode" as well. This gives the same permissions to all files.

How can I create the depot with a non-root user with file permissions on getting deployed as root (having calling user permissions in the package creation directory)?
Thanks
Vibhor Kumar Agarwal
F Verschuren
Esteemed Contributor

Re: Create a depot with non-root user

If this is possible there is a leak in swinstall; to do this you can use sudo to give the user (partial) root access to run swinstall.

If a normal user is able to create a depot with root files, and can install it, the user can get root privileges (and if that works there is a security leak in swinstall....)

For how to implement sudo, just search for sudo or sudoers on the forum...
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

Talking about creation of packages and not installing.

User can create packages with a non-root user, but the installation requires him to be root.
Vibhor Kumar Agarwal
Bob E Campbell
Honored Contributor

Re: Create a depot with non-root user

This is Unix... anything is possible!

Take a look at the swacl(1m) man page. It allows fine-grained control over SD-UX operations. The catch is well stated in that page:

Some operations allowed by ACLs are run as local superuser. Because files are loaded and scripts are run as superuser, granting a user write permission on a root filesystem or insert permission on a host effectively gives that user superuser privileges.


So you *can* allow users installation privileges, but anyone that can install software should be considered to have full root access.
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

Probably you misunderstood my question.

I only want to create the depot with non-root user.

Please go through my first post, the problem is putting the right permissions in the depot files.
Vibhor Kumar Agarwal
Bob E Campbell
Honored Contributor

Re: Create a depot with non-root user

If you look at the Examples section of the swacl(1M) man page you will see several items of interest. In particular:

To allow user allen to create, register, and manage all new depots and roots on the local system:

swacl -l host -M user:allen:a
swacl -l global_soc_template -M user:allen:a
swacl -l global_product_template -M user:allen:a

To allow user allen to fully manage my_depot, which already exists:

swacl -l depot -M user:allen:a @ /my_depot
swacl -l product_template -M user:allen:a @ /my_depot
swacl -l product -M user:allen:a \* @ /my_depot
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

Went through the swacl man page. Couldn't find the thing I am looking for.

Here is what i want:
Have a couple of files named a & b with permissions of user x. I want them to get deployed when root installs the depot as "root".
The file_permissions attribute is not helping me because it can't take the owner & group argument alone; it requires mode as well. My files have different modes and I don't want to specify that tag for every file.
Vibhor Kumar Agarwal
Dennis Handly
Acclaimed Contributor

Re: Create a depot with non-root user

>Have a couple of files named a & b with permissions of user x. I want them to get deployed when root installs the depot as "root".

You can leave out the -m mode and use the file specification for your few root files.
All other files should have the proper modes (and owners if possible) before you use swpackage.
Bob E Campbell
Honored Contributor

Re: Create a depot with non-root user

Oh! This is a PSF question. That man page is swpackage(4) (use command "man 4 swpackage").

In the PSF you can specify attributes on a per file/directory basis. For example:

file -m 0555 -o bin -g bin /tmp /opt/swa

If you post your PSF (or an abstract) we could propose specific changes.
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

> You can leave out the -m mode and use the file specification for your few root files.

That's exactly what I want and it is not happening.

Sample psf file (of the fileset tag):
directory Test=/opt/Test
file *

Tried giving
file_permissions -o bin -g bin
but it gives an error & requires the "-m" tag as well, like below (but this disturbs my file permissions)
file_permissions -o bin -g bin -m 555

If I can somehow give "file_permissions -o bin -g bin", my problem is solved.
Options ?
Vibhor Kumar Agarwal
Dennis Handly
Acclaimed Contributor

Re: Create a depot with non-root user

>Tried giving file_permissions -o bin -g bin
but it gives an error & requires the "-m" tag as well

I don't have any problems leaving out -m on 11.11, 11.23 or 11.31. You can also use "-u 222" as the documentation suggests.

>If I can somehow give "file_permissions -o bin -g bin", my problem is solved.

I have no problems doing that. What error do you get?
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

Here is snippet of psf:

fileset
directory Test=/opt/Test
file_permissions -o root -g sys
file *

Error:
WARNING: Invalid value defined for the keyword "file_permissions", at
line 23. Valid values for this keyword are:

[-m mode|-u umask ] [-o [owner[,]][uid]] [-g [group[,]][gid]]

where each component of the value defines a default permission
for files in the fileset.


If I add the "-m" tag in the file_permissions, it creates without any error.
My system is HPIA 11.31

Putting the "-u" tag also will disturb the base permissions of my file
Vibhor Kumar Agarwal
Dennis Handly
Acclaimed Contributor
Solution

Re: Create a depot with non-root user

>My system is HPIA 11.31

Do you have any SD patches? I don't get that error. I'll check mine.

>[-m mode|-u umask ] [-o [owner[,]][uid]] [-g [group[,]][gid]]

As I mentioned above, simply use "-u 222" instead of -m.
Dennis Handly
Acclaimed Contributor

Re: Create a depot with non-root user

My version is: SW-DIST B.11.31.0803.317
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

Give me a couple of days.
I'll get back on Monday.
Vibhor Kumar Agarwal
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

Thanks

Putting "-u 000" solved my purpose.
Giving "-u 222" was subtracting the permissions.
Vibhor Kumar Agarwal
Dennis Handly
Acclaimed Contributor

Re: Create a depot with non-root user

>Giving "-u 222" was subtracting the permissions.

Yes. You wanted files with write permission?
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

I want the permissions as it is as they are present in the directory from which I am building the package.
Vibhor Kumar Agarwal
Dennis Handly
Acclaimed Contributor

Re: Create a depot with non-root user

>I want the permissions as it is as they are present in the directory

I was questioning why you would ever deliver a file that was writable?
These files, unless marked volatile and located in /etc or /var, should be treated as read-only. And you may have swverify issues if they are changed.
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

A couple of files are script files which have to be run after the package has installed.
These scripts start the services.

Is there any other option rather than sending them as writable?

Could you give me some information about the volatile files? I am unaware of this.
Vibhor Kumar Agarwal
Dennis Handly
Acclaimed Contributor

Re: Create a depot with non-root user

>A couple of files are script files which have to be run after the package has installed.

Scripts have to be executable, not writable. And if they have to be run after, they should be configure control scripts.

>Is there any other option rather than sending them as writable?

Sending what as writable?

>Could you give me some information about the volatile files

You add -v to file attribute describing the file.
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

Ooops,

I meant executable.
There are some files which have only read permission to root (r--,---,---) and many variants.

In such a case I will have to give different "-u" for each group of files.
Hence, I chose the "-u 000" option.

Is there any drawback in it?
Vibhor Kumar Agarwal
Dennis Handly
Acclaimed Contributor

Re: Create a depot with non-root user

>There are some files which have only read permission to root (r--,---,---) and many variants.
>In such a case I will have to give different "-u" for each group of files. Hence, I choose the "-u 000" option.

No need to use -u 000, you can use -u 222 to make sure all files are read only. It only removes any "w" permissions.
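A model of the attribute rules this thread settles on, added here as an illustration and not taken from HP-UX, from SD-UX, or from any of the posters: it applies a constructed fileset stanza (a hypothetical package "Test" with made-up paths and modes) to a constructed source tree owned by the non-root packaging user "x", and works out the owner, group and mode each file would be delivered with. It shows why "-u 222" strips every write bit while keeping the rest of the build-directory mode, why "-u 000" leaves the modes exactly as they are in the build directory (writable files included), and how a per-file "file" line with -m/-o/-g/-v overrides the file_permissions defaults for the odd root-only, volatile config file. The mode arithmetic (mode & ~umask) is my reading of the swpackage(4) defaults, not HP's implementation; the writability check at the end is the audit a packager would run before shipping.

```python
"""Model of how swpackage(4) fileset attributes decide the delivered owner,
group and mode of each file.  Added illustration, not HP's code: it
reproduces the documented rules (file_permissions defaults, per-file
'file' overrides, '-u umask' versus '-m mode') on constructed input."""
import shlex

# Constructed PSF fileset stanza for a hypothetical package "Test".
# Defaults come from file_permissions; one 'file' line overrides them for a
# root-only, volatile config file; 'file *' pulls in everything else.
PSF_FILESET = """
fileset
  tag          Test
  directory    Test=/opt/Test
  file_permissions -o root -g sys -u 222
  file -m 0400 -o root -g sys -v etc/app.conf
  file *
end
"""

# Constructed build-directory listing: path -> (owner, group, mode), as it
# would look when the non-root user "x" ran swpackage.
SOURCE_TREE = {
    "bin/start.sh": ("x", "users", 0o755),
    "bin/stop.sh": ("x", "users", 0o775),
    "etc/app.conf": ("x", "users", 0o640),
    "lib/libapp.so": ("x", "users", 0o644),
}


def apply_umask(mode, umask):
    """-u umask: clear the bits set in the umask, keep the rest of the mode."""
    return mode & ~umask & 0o7777


def _parse_opts(tokens):
    """Parse -m/-u/-o/-g/-v options; return (options, positional arguments)."""
    opts, rest, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-m", "-u", "-o", "-g"):
            value = tokens[i + 1]
            # -o/-g accept "owner[,][uid]"; keep only the name part here.
            opts[tok[1]] = value.split(",")[0] if tok in ("-o", "-g") else value
            i += 2
        elif tok == "-v":          # volatile: swverify tolerates later changes
            opts["v"] = True
            i += 1
        else:
            rest.append(tok)
            i += 1
    return opts, rest


def parse_fileset(psf_text):
    """Return (defaults, per_file, wildcard) for one fileset stanza."""
    defaults, per_file, wildcard = {}, {}, False
    for raw in psf_text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "file_permissions":
            opts, _ = _parse_opts(args)
            if "m" in opts and "u" in opts:   # man page: [-m mode|-u umask]
                raise ValueError("file_permissions: -m and -u are exclusive")
            defaults = opts
        elif keyword == "file":
            opts, rest = _parse_opts(args)
            if rest == ["*"]:
                wildcard = True
            elif rest:                         # 'source [destination]'
                per_file[rest[-1]] = opts
    return defaults, per_file, wildcard


def resolve_permissions(psf_text, source_tree):
    """Compute (owner, group, mode, volatile) for every delivered file."""
    defaults, per_file, wildcard = parse_fileset(psf_text)
    delivered = {}
    for path, (src_owner, src_group, src_mode) in source_tree.items():
        if path not in per_file and not wildcard:
            continue                           # not selected by this fileset
        opts = per_file.get(path, {})
        owner = opts.get("o", defaults.get("o", src_owner))
        group = opts.get("g", defaults.get("g", src_group))
        if "m" in opts:                        # per-file mode wins
            mode = int(opts["m"], 8)
        elif "m" in defaults:                  # one mode for the whole fileset
            mode = int(defaults["m"], 8)
        elif "u" in defaults:                  # umask applied to source mode
            mode = apply_umask(src_mode, int(defaults["u"], 8))
        else:
            mode = src_mode                    # keep build-directory mode
        delivered[path] = (owner, group, mode, bool(opts.get("v")))
    return delivered


def writable_delivered(delivered):
    """Paths that would land on the target with any write bit still set."""
    return sorted(p for p, (_, _, mode, _) in delivered.items() if mode & 0o222)


if __name__ == "__main__":
    for umask in ("222", "000"):
        result = resolve_permissions(PSF_FILESET.replace("-u 222", f"-u {umask}"), SOURCE_TREE)
        print(f"file_permissions -u {umask}:")
        for path, (owner, group, mode, volatile) in sorted(result.items()):
            print(f"  {path:14} {owner}:{group} {mode:04o}{' volatile' if volatile else ''}")
        print("  still writable:", writable_delivered(result) or "none")
```

Running it prints the two outcomes side by side: with -u 222 every file arrives root:sys and read-only (0555 for the scripts, 0444 for the library, 0400 for the config file from its own line), while -u 000 delivers the scripts and library with their build-directory write bits intact, which is exactly what a swverify run after installation would later flag if anything touched them.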
Vibhor Kumar Agarwal
Esteemed Contributor

Re: Create a depot with non-root user

Gotcha :-)

Thanks
Vibhor Kumar Agarwal