HPE Community
Operating System - HP-UX
1832687 Members
2645 Online
110043 Solutions
New Discussion

DBA's allowed to run sudo commands

 
SOLVED
Go to solution
Laurie A. Krumrey
Regular Advisor

‎11-14-2001 11:50 AM

‎11-14-2001 11:50 AM

DBA's allowed to run sudo commands

Why is it every time I hit the enter key this thing posts? Is it me or the List server? Anyway, my dba's want to be able to see all the kernel settings "kmtune -S /stand/system" and I was thinking of giving them sudo for this. Does anyone see any security problems with this?

Laurie
Happiness is a choice
0 Kudos
Reply
10 REPLIES 10
Craig Rants
Honored Contributor

‎11-14-2001 11:53 AM

‎11-14-2001 11:53 AM

Solution

Re: DBA's allowed to run sudo commands

Laurie,

I don't see a security problem per say, but if you give them kmtune you are exposing your kernel. I would say it depends on the dba but my response to a dba would be no. Sometimes it is better to just provide them information instead of letting them do the work.

Just my opinion,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Reply
Sanjay_6
Honored Contributor

‎11-14-2001 11:53 AM

‎11-14-2001 11:53 AM

Re: DBA's allowed to run sudo commands

Hi Laurie,

kmtune can be used to configure / set the kernel parameter. "kmtune -s", note s is in small character. I won't advise your DBA to be allowed using kmtune. If they want a list of kernel parameter, take a printout of kernel parameter using "kmtune -S /stand/system" and give them a printout. This is what we do at our site.

Hope this helps.

Regds
Reply
harry d brown jr
Honored Contributor

‎11-14-2001 11:54 AM

‎11-14-2001 11:54 AM

Re: DBA's allowed to run sudo commands

Are you saying you can't trust your DBA's?

All kidding aside, just set up a script to do it. then chown root script.sh, then chmod 4555 srcipt.sh.


live free or die
harry
Live Free or Die
Reply
Darrell Allen
Honored Contributor

‎11-14-2001 11:54 AM

‎11-14-2001 11:54 AM

Re: DBA's allowed to run sudo commands

Hi Laurie,

Since kmtune can also be used to set kernel parameters, don't give unrestricted access to it. Use sudo on a script that does exactly what you want to allow and you should be fine.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Reply
James R. Ferguson
Acclaimed Contributor

‎11-14-2001 11:56 AM

‎11-14-2001 11:56 AM

Re: DBA's allowed to run sudo commands

Hi Laurie:

Let me ask this: How often is this information going to change? Why not generate the data for them and just hand it (or web-post it) for their use?

Regards!

...JRF...
Reply
Tim Nelson
Honored Contributor

‎11-15-2001 07:43 AM

‎11-15-2001 07:43 AM

Re: DBA's allowed to run sudo commands

Did I miss something here ? Any normal user can execute /usr/sbin/kmtune. If you attempt to set a parameter as a normal user you get an error.
Sometimes it is not neccessary to make life harder than it is :-)>
Reply
Sanjay_6
Honored Contributor

‎11-15-2001 08:03 AM

‎11-15-2001 08:03 AM

Re: DBA's allowed to run sudo commands

Hi Laurie,

I saw Tim's post and just checked my system. The kmtune command is listed in /usr/sbin. My users don't have this path specified by default in their profile. However then can use /usr/sbin/kmtune -S /stand/system to get the list of kernel parameters.

If they try to change the parameter using /usr/sbin/kmtune -s par_name(+/-)some_value -S /stand/system they get an error message saying "kmtune: Directory permission denied to write file -- /stand".

So i guess, your DBA's can use kmtune to get the kernel parameters.

Thanks Tim for pointing out the errors we all made in not checking the same yesterday.

Regd
Reply
Craig Rants
Honored Contributor

‎11-15-2001 08:04 AM

‎11-15-2001 08:04 AM

Re: DBA's allowed to run sudo commands

Tim,
If you give the dba kmtune through sudo, you have given them the ability to make the changes discussed. The issue was really sudo and not kmtune per say...

At least that was my take.
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Reply
Darrell Allen
Honored Contributor

‎11-15-2001 08:16 AM

‎11-15-2001 08:16 AM

Re: DBA's allowed to run sudo commands

Hi all,

When I try is as a normal user I get:
kmtune: Cannot write file -- /stand/.kmsystune_lock

/stand has 555 perms on my systems and should stay that way so that normal users can't write to it.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Reply
Aaron Johnson_3
New Member

‎07-24-2006 07:35 AM

‎07-24-2006 07:35 AM

Re: DBA's allowed to run sudo commands

FYI - It appears that 11.11 will allow a regular user to run kmtune, but 11.00 will give the error message:

kmtune: Cannot write file -- /stand/.kmsystune_lock
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.