Operating System - HP-UX

Creating login account for user to run an application

Shivkumar
Super Advisor

Creating login account for user to run an application

Dear Sirs,

We are planning to install the SiteMinder software product on HP-UX. It needs a user called "siteminder" to install and run the SiteMinder application process. The SiteMinder product would be installed in the directory /opt/rose/. I am thinking of creating the user with its home directory where the logs for this product are stored (/opt/rose/logs/). I believe that in case of a core dump the siteminder user and process will dump core in the /opt/rose/logs/ directory in this case (am I right?). I am thinking of specifying the user's home directory as /opt/rose/logs/ to avoid disk space issues in the normal user's home directory (home/user) caused by core dumps.


Any thoughts are appreciated.

Thanks,
Shiv
Sundar_7
Honored Contributor

Re: Creating login account for user to run an application

Sirs???? Are you kidding? :-) Core dumps are not created in the user's home directory, but in the directory where the binary resides. So, if your binary is in /opt/rose/bin, then expect the core dumps in /opt/rose/bin.
Learn What to do, How to do and more importantly When to do?
Chan 007
Honored Contributor
Solution

Re: Creating login account for user to run an application

Shiv,
I am siteminder 5.x.

I created a user called smuser.

My suggestion is don't use /opt.

Instead create a log directory in /var/smuser/logs.

/opt/smuser is the place where your application would go. Set a parameter for all your logs to go into /var/smuser/logs.

As var is not a static directory.

Don't worry, core dumps will always occur from the place you are executing the application.

e.g. if /opt/smuser/*.exe, the dump will be /opt/smuser/coredump

Also note that a core dump is not a day-to-day event. Once your application is up and running after all testing... then you may not get a core dump...


Hope this helps

Chan
Steven E. Protter
Exalted Contributor

Re: Creating login account for user to run an application

Shalom Shiv,

Core dumps happen where the binary is run from.

I believe the siteminder documentation should have specific instructions on what the user that owns the binaries should look like.

If it's not specified, a standard user with a standard home directory should suffice. The user's .profile file may require modification.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Shivkumar
Super Advisor

Re: Creating login account for user to run an application

Should this user "siteminder" belong to the primary group "other" or "root"?
Chan 007
Honored Contributor

Re: Creating login account for user to run an application

Shiv,

We have a "user" group; as it has its home in /opt/smuser, it can execute its SM-related commands.

Chan

Shivkumar
Super Advisor

Re: Creating login account for user to run an application

Sundar, the user siteminder will run the binary executable, so I just wanted to cross-check whether it will core dump in the process home directory or from the binary's home directory.
Deoncia Grayson_1
Honored Contributor

Re: Creating login account for user to run an application

Unless there is some real compelling reason why this user should belong to the root (and I can't think of any) then this user should not be assigned to this group, but a normal "user" group should be sufficient.
If no one ever took risks, Michelangelo would have painted the Sistine floor. -Neil Simon
Shivkumar
Super Advisor

Re: Creating login account for user to run an application

Chan, you mean I need to specify the group as "users", right?
Chan 007
Honored Contributor

Re: Creating login account for user to run an application

Shiv,

The coredump will occur from where you execute the command.

e.g your path is set to
$PATH:/opt/smuser:

e.g.
# pwd
# /home/shiv

then type any sm command

smxxxx

systems come with
#coredump

# ls -lrt
you will find "coredump" in /home/shiv

Hope that helps
Chan
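
Added example, not from any poster or from the SiteMinder documentation: a POSIX sh start wrapper that relies on the default Unix behaviour of writing the core file into the process's current working directory, so the dump lands in a chosen directory rather than wherever the operator happened to be. The helper name `run_with_core_dir` and the demo directory are assumptions.

```shell
#!/bin/sh
# run_with_core_dir DIR COMMAND [ARGS...]   (hypothetical helper name)
# Starts COMMAND with DIR as its working directory, so that a default
# "core" file is written there.
run_with_core_dir() {
    core_dir=$1
    shift
    if [ ! -d "$core_dir" ] || [ ! -w "$core_dir" ]; then
        echo "core dir $core_dir missing or not writable" >&2
        return 1
    fi
    # Core files are memory images and may hold secrets: refuse a directory
    # that group or others can write to (columns 6 and 9 of the ls mode string).
    case $(ls -ld "$core_dir" | cut -c6,9) in
        *w*) echo "core dir $core_dir is group/world-writable" >&2; return 1 ;;
    esac
    (
        cd "$core_dir" || exit 1
        # Ask for full-size cores; the hard limit may forbid it, so do not fail.
        ulimit -c unlimited 2>/dev/null || true
        exec "$@"
    )
}

# Constructed demo: a private scratch directory and "pwd" standing in for the daemon.
demo_core_dir() {
    d=${TMPDIR:-/tmp}/coredemo.$$
    mkdir -m 700 "$d" || return 1
    run_with_core_dir "$d" pwd
    rc=$?
    rmdir "$d"
    return $rc
}
demo_core_dir
```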

Chan 007
Honored Contributor

Re: Creating login account for user to run an application

Shiv,

Yes, that's how I configured my SM here.

And it works fine.

If you have any doubt, check the SM Inst Documentation, in which you will not get any information about groups....ha..ha...ha..:-)

Chan
Shivkumar
Super Advisor

Re: Creating login account for user to run an application

Chan, we will be installing SM6.0 on HP-UX. Should I create the "smuser" or "siteminder" user? What is your recommendation?
Arunvijai_4
Honored Contributor

Re: Creating login account for user to run an application

Hi Shiv,

"smuser" is fine for Siteminder6.0

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Yogeeraj_1
Honored Contributor

Re: Creating login account for user to run an application

hi shiv,

I believe you should use a user that is acceptable to the application and not one which you discuss here in the forums -- security issues..

you never know..

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Chan 007
Honored Contributor

Re: Creating login account for user to run an application

Shiv,

I totally agree with Yogee's say, we have standards to use "app" 2/3 charc and user for that user as Standards, viz,

SiteMinder - smuser
Oracle SID - orasid
SUN / HP (Engineers)- sunengg/hpengg.

You follow your standards.

smuser is totally fine...!!!

Best of luck with SiteMinder..!!

Chan
Shivkumar
Super Advisor

Re: Creating login account for user to run an application

Respected Sirs,

We are using hp apache which starts as root user and switches to run as "www" user.

we have the entries on 2 different servers in passwd file as below:

www:*:30:1::/:
www:*:30:1::/:/bin/false

which is more appropriate to use ?

Is it a good practice to run apache process as www user with no shell ?

Regards,
Shiv
Victor BERRIDGE
Honored Contributor

Re: Creating login account for user to run an application

Hi Shiv,

My 2 cents:
www:*:30:1::/: # This to me looks very HP
www:*:30:1::/:/bin/false # This doesn't (SUN?) because HP has most of its commands in /usr/bin (the same goes for /bin/ksh etc.)

Now what implications does this have to put /usr/bin/false as a shell?
It will only be of some use to not allow such a user to connect to your box no matter how (rlogin, telnet and especially ftp...) - But for this, it has to be a valid shell and so documented in /etc/shells

So which is best?
Don't know, choosing between a command that returns 0 or 1 and no shell...
I'm sure more specialized gurus could give us their point of view or insight... (much appreciated)

All the best
Victor


Arunvijai_4
Honored Contributor

Re: Creating login account for user to run an application

Hi Shiv,

For apache : In Linux, it is

apache:x:48:48:Apache:/var/www:/sbin/nologin

For SSH in 11.23, it is

sshd:*:102:102:sshd privsep:/var/empty:/bin/false

It is better to use /bin/false for Siteminder too,

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Shivkumar
Super Advisor

Re: Creating login account for user to run an application

My question is: is a process running without a shell good or bad?
Shivkumar
Super Advisor

Re: Creating login account for user to run an application

Chan, Do you use Oracle or LDAP directory server with your siteminder ?
Chan 007
Honored Contributor

Re: Creating login account for user to run an application

Shiv,

/bin/false is better, if you want more security that "www" should not be logged in at all.

Chan
Shivkumar
Super Advisor

Re: Creating login account for user to run an application

My hunch was: if a process is launched without a shell, will it be able to run comfortably? Because Unix applications run in a shell, right?
Chan 007
Honored Contributor

Re: Creating login account for user to run an application

shiv,

even if "www" user is going to run a batch, you require the shell setup.

else no need.

In general the following users will have false

nobody:x:60001:60001:uid no body:/:/bin/false
noaccess:x:60002:60002:uid no access:/:/bin/false
bin:x:2:2:0000-Admin(0000):/usr/bin:/bin/false
sys:x:3:3:0000-Admin(0000):/:/bin/false
adm:x:4:4:0000-Admin(0000):/var/adm:/bin/false


rest all will have a shell

FY Ref: http://www.cert.org/tech_tips/unix_configuration_guidelines.html#A6

Chan
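
The passwd entries compared in the posts above (an empty shell field versus /bin/false, and whether the shell appears in /etc/shells) can be checked mechanically. This is an added example, not code from any poster: the function name, the output format, the renamed `www_a`/`www_b` lines, the `smuser` line and the `/usr/bin/sh` default are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# audit_passwd PASSWD_FILE SHELLS_FILE [DEFAULT_SHELL]
# Output per account: name|effective shell|password state|shell listed|verdict
# An empty shell field does not mean "no shell": login falls back to the
# system default shell (assumed /usr/bin/sh here; check passwd(4) locally).
audit_passwd() {
    awk -F: -v shells="$2" -v dflt="${3:-/usr/bin/sh}" '
    BEGIN {
        # Shells listed in the shells(4)-format file, which ftpd and similar consult.
        while ((getline line < shells) > 0)
            if (line ~ /^\//) listed[line] = 1
        # Programs commonly used as a shell that exits without a prompt.
        nologin["/bin/false"] = 1
        nologin["/usr/bin/false"] = 1
        nologin["/sbin/nologin"] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        if      ($2 == "")      pw = "EMPTY"
        else if ($2 == "x")     pw = "shadowed"
        else if ($2 ~ /^[*!]/)  pw = "locked"
        else                    pw = "hash"

        sh = ($7 == "") ? dflt : $7
        if      (sh in nologin) verdict = "no-login"
        else if ($7 == "")      verdict = "default-shell"
        else                    verdict = "interactive"

        printf "%s|%s|%s|%s|%s\n", $1, sh, pw, ((sh in listed) ? "yes" : "no"), verdict
    }' "$1"
}

# Constructed sample: the two www entries from the thread (renamed so they can
# share one file) plus a made-up interactive account.
demo_audit() {
    tmp=${TMPDIR:-/tmp}/pwaudit.$$
    mkdir -m 700 "$tmp" || return 1
    printf '%s\n' 'www_a:*:30:1::/:' 'www_b:*:30:1::/:/bin/false' \
        'smuser:x:201:20::/home/smuser:/usr/bin/sh' > "$tmp/passwd"
    printf '%s\n' '/usr/bin/sh' '/usr/bin/ksh' > "$tmp/shells"
    audit_passwd "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}
demo_audit
```

On a live system the call would be `audit_passwd /etc/passwd /etc/shells`; a `default-shell` verdict means the account is kept out only by its locked password field.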
Steven E. Protter
Exalted Contributor

Re: Creating login account for user to run an application

Shiv,

It's test time.

I agree that there are security implications to posting too much information to ITRC if the server is to run on the public Internet.

I suggest you test the server without a shell and see how it functions. Run it, watch the logs, see if it works right.

There comes a time in every thread to test things out.

SEP
Shivkumar
Super Advisor

Re: Creating login account for user to run an application

HP Forum Moderator,

Please remove threads for this post.

Thanks,
Shiv