Operating System - HP-UX

Delegate start/stop services to regular user

 
Jorge Fabregas
Regular Advisor


Hello everyone,

We're running Oracle 9iAS on two nodes (application server and database server). I would like to let a regular user start/stop services on the application server.

To do this, the user must be oracle and group dba. I did my homework and I tried to accomplish this via SUID but unfortunately that didn't work. First of all, let me tell you that SUID works for scripts (many people think that it only works for binary executables). The problem I had was that every time the script runs, the UID and GID remain those of the regular user (and not oracle:dba). I placed the "id" command in the script and then executed the script as "jose". The output of the id command was:

uid=107(jose) gid=20(users) euid=103(oracle) egid=103(dba)


And then when it was the section to run the oracle commands (dcmctl in this case) I had a bunch of errors. Somehow, these oracle programs (dcm etc...) will look for UID and GID (besides EUID AND EGID).

I even created a C program that calls the script (and then I used SUID and GUID for this program) but I had the same results.

So, my question is...is there a way a regular user can run a script as another user (even with UID and GID as that of the other user) ..not just EUID and EGID?

Can SUDO accomplish this?

Thanks,
Jorge



Patrick Wallek
Honored Contributor
Solution

Re: Delegate start/stop services to regular user

Sudo is designed to allow non-root users to run commands/programs/scripts as root.

What you could do is write a script that does something like:

#!/usr/bin/sh
su - oracle -c "run_the_start_script"

Set the permissions on the above script so it is just executable by root. Then set up sudo so that the user can then run that script, which will then su to oracle and run your startup script.
Jorge Fabregas
Regular Advisor

Re: Delegate start/stop services to regular user

Ahhhhhhh Thanks Patrick! That's the kind of solution I was looking for!

I thought about these 2 possible work-arounds:

1> use sudo...but then I thought exactly what you mention: sudo is for regular-users to run programs as root (not my case..since I want user to user interaction) .... option 1 discarded


2> create a script using the su line you mention..but then I thought: this user won't be root so the "su" command is going to prompt for a password...then I thought about the "expect" command...and also thought about not liking to hard-code the oracle password in the script..so....option 2 discarded


and now you came with the best of both worlds! THANKS AGAIN!
Keith Bevan_1
Trusted Contributor

Re: Delegate start/stop services to regular user

Jorge,

Sudo is probably your best option as Patrick has already suggested.

Sudo represents only one solution and even though it is free there is another more friendly product called UPM (Unix Privilege Manager) which is distributed by PASSGO (aka Symantec offshoot).

Have a look at the product information just for a comparison :-

http://www.passgo.com/products/upm/index.htm

Hope this helps.

Keith
You are either part of the solution or part of the problem
Bill Hassell
Honored Contributor

Re: Delegate start/stop services to regular user

Using SUID on scripts is usually the hacker's first method to crack your system. Thus, it is not easy (and certainly not desirable) to have any SUID scripts at all. Indeed, one of your first tasks would be to remove SUID capability from mountpoints that have user access or will never need executables. Examples of nosuid would be:

/tmp /var /home
and of course, all Oracle mountpoints for data, index, logs, etc.

sudo is the preferred choice because it logs all activities and you control exactly what each user can do (to the point of specific programs and even restricted parameters).


Bill Hassell, sysadmin
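
Added example (not part of the thread, and not any poster's own code): a root-owned wrapper of the kind Patrick describes, restricted to fixed parameters as Bill recommends, so nothing the caller types reaches the `su -c` string. The wrapper path, the oracle script paths and the sudoers line are assumptions for illustration; only the user "jose" and the `su - oracle -c` form come from the thread.

```sh
#!/usr/bin/sh
# Install root-owned, mode 0700, as /usr/local/sbin/ias_ctl (hypothetical path).
# Assumed sudoers entry (edit with visudo); only these two argument forms pass:
#   jose ALL = (root) /usr/local/sbin/ias_ctl start, /usr/local/sbin/ias_ctl stop

PATH=/usr/bin:/usr/sbin:/bin        # fixed PATH; ignore the caller's
export PATH
umask 022

# Hypothetical locations of the oracle-owned start/stop scripts.
START_CMD=/u01/app/oracle/scripts/ias_start.sh
STOP_CMD=/u01/app/oracle/scripts/ias_stop.sh

# Map the single allowed argument to a fixed command; reject anything else.
resolve_action() {
    [ "$#" -eq 1 ] || return 2
    case "$1" in
        start) echo "$START_CMD" ;;
        stop)  echo "$STOP_CMD" ;;
        *)     return 2 ;;
    esac
}

run_as_oracle() {
    cmd=$(resolve_action "$@") || {
        echo "usage: ias_ctl start|stop" >&2
        return 2
    }
    # Record who asked; SUDO_USER is set by sudo.
    logger -t ias_ctl "action=$1 requested_by=${SUDO_USER:-unknown}"
    # su as root needs no password and sets real UID/GID to oracle:dba,
    # which a setuid script (euid/egid only) does not.
    su - oracle -c "$cmd"
}

# Run only when invoked as the installed wrapper.
case "$0" in
    */ias_ctl) run_as_oracle "$@" ;;
esac
```

The user then runs `sudo /usr/local/sbin/ias_ctl start`; any other argument is refused by sudo first and by the wrapper second.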
Sanjay_6
Honored Contributor

Re: Delegate start/stop services to regular user

Hi Jorge,

I've used a licensed software called powerbroker which is quite good. You can download an evaluation copy from their website.

http://www.symark.com

Hope this helps.

Regds
Sanjay