Operating System - HP-UX

How to enable printing support w/o giving root priv

 
sap-basis1
New Member


Hi, all:

I need to create an HP-UX ID for a colleague for her to do some support desk jobs such as cleaning the printer queue and running commands like "bdf" and "ps -ef".

Can anyone help me decide how to implement this so that I don't need to give root priv to her ID but she can do her job?

Thanks.
DCE
Honored Contributor

Re: How to enable printing support w/o giving root priv


You can use sudo to give access to specific commands:
http://gatekeep.cs.utah.edu/hppd/cgi-bin/search?package=on&description=on&term=sudo

Another way is to use a restricted version of SAM, giving access only to the printing area.

issue the command sam -r as root to configure
Naveej.K.A
Honored Contributor

Re: How to enable printing support w/o giving root priv

Hi,

Running commands like bdf and ps -ef doesn't require root privileges.

Sudo is the best way to give elevated privileges.

Regards,
Naveej
practice makes a man perfect!!!
Tim Nelson
Honored Contributor

Re: How to enable printing support w/o giving root priv

From a security standpoint, as listed previously the commands you mentioned do not require root privs.

In lieu of implementing more software with potential security issues of its own, another option is restricted SAM (man sam).
sap-basis1
New Member

Re: How to enable printing support w/o giving root priv

Hi,

Thanks for the answer. I tried the restricted SAM. It worked.

I also need the user to be able to edit the /etc/hosts file. Is there a way to do this w/o giving her root priv? I have not read much about sudo yet so can sudo do this?

Thanks a lot!
sap-basis1
New Member

Re: How to enable printing support w/o giving root priv

Also, when I enabled "printers and plotters", several other priv were also enabled at the same time such as "disks and file systems" and "backup and recovery". If I disable one of them, all of them including "printers and plotters" will be disabled, too.

Do you know how to work this out?

Thanks.
Naveej.K.A
Honored Contributor

Re: How to enable printing support w/o giving root priv

Hi,

You must give the user root access to edit the file; otherwise you have to modify the permissions for /etc/hosts, which is not at all recommended from a security perspective.

However, sudo can be used to implement this.
/etc/sudoers is the sudo configuration file.

Regards,
Naveej
practice makes a man perfect!!!
Bill Hassell
Honored Contributor

Re: How to enable printing support w/o giving root priv

One alternative for a spooler administrator is to simply add a password to the lp user. Then your colleague would login as lp and have access to all the lp commands (root is not needed).

Restricted SAM can be customized so removing disk capability will not remove the printer features. SAM cannot give the user permission to edit the /etc/hosts file.

sudo is the best choice for random sysadmin tasks such as lp. It does not exist on new systems so you'll have to download and install it. Then spend a lot of time with the visudo command's man page along with the man page for sudoers. The temptation is to use the ALL shortcut, but don't do it. Simply enumerate the commands the user is allowed to use -- including parameters as in: vi /etc/hosts

Get a copy of sudo from the Internet Express package at:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111


Bill Hassell, sysadmin
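The two sudo suggestions above (Naveej's pointer to /etc/sudoers and Bill's advice to enumerate commands instead of using ALL) can be turned into a concrete policy. The script below is an added example and is not from any post in this thread; it assumes the operator's login is "jane", that the lp spooler binaries live at the standard HP-UX 11i paths, and that the installed sudo is 1.6.8 or later so that sudoedit exists. One caveat a practitioner would want on top of Bill's "vi /etc/hosts" rule: a rule that runs vi as root is still a root rule, because vi can spawn a shell (:!sh) or write any file (:w /etc/passwd). sudoedit avoids that by copying the file to a temporary location, running the editor as the calling user, and copying the result back as root, so the fragment uses it for /etc/hosts. The lint function rejects grants that name a shell, an editor, or ALL as the command; the fragment is then checked with visudo -c before it is merged into /etc/sudoers with visudo.

```shell
#!/bin/sh
# Added example, not from the thread: generate and check a least-privilege
# sudoers fragment for a print-queue operator. Assumed names: user "jane";
# command paths are the HP-UX 11i lp spooler binaries. Needs sudo with
# sudoedit (1.6.8 or later).

# Emit the policy for one user. Every command is listed by full path; the
# only ALL is in the host field.
print_policy() {
    user="$1"
    cat <<EOF
# Job cleanup and queue control for the lp spooler, run as root.
Cmnd_Alias PRINT_JOBS = /usr/bin/cancel
Cmnd_Alias PRINT_CTL  = /usr/bin/enable, /usr/bin/disable, /usr/sbin/accept, /usr/sbin/reject, /usr/sbin/lpshut, /usr/sbin/lpsched
# sudoedit copies the file aside, runs the editor as ${user}, and writes the
# result back as root. A plain "vi /etc/hosts" rule runs vi as root, and vi's
# :!sh or :w /some/other/file hands over root.
Cmnd_Alias HOSTS      = sudoedit /etc/hosts
${user} ALL = (root) PRINT_JOBS, PRINT_CTL, HOSTS
EOF
}

# Read a policy on stdin; return 1 if any grant (the part after "=") names a
# shell, an editor that can escape to a shell, or ALL as the command.
lint_policy() {
    if grep -v '^#' | grep '=' | sed 's/^[^=]*=//' \
       | grep -Eq '(/(sh|ksh|csh|bash|vi|ex|vim)|(^|[[:space:],:])ALL)([[:space:]]|,|$)'
    then
        return 1
    fi
    return 0
}

# Write the checked policy to a file with sudoers permissions and let visudo
# parse it. Merge it into /etc/sudoers with visudo, never with cp or cat.
install_policy() {
    user="$1"; out="$2"
    print_policy "$user" | lint_policy || {
        echo "policy for $user grants a shell, an editor or ALL; refusing" >&2
        return 1
    }
    print_policy "$user" > "$out"
    chmod 0440 "$out"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$out"
    fi
}

# Usage: sh sudo_policy.sh jane /tmp/jane.sudoers
if [ $# -ge 2 ]; then
    install_policy "$1" "$2"
fi
```

After the fragment is merged, the operator clears a stuck job with `sudo /usr/bin/cancel <request-id>` and edits the hosts file with `sudoedit /etc/hosts`; `sudo -l` as that user should list exactly the three aliases and nothing else.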
charlie_bulosan
Frequent Advisor

Re: How to enable printing support w/o giving root priv

Hi,

If you are using hp-ux 11.23 you could use hp-ux RBAC (Role Based Access Control). This is developed by HP. You can create roles and assign capabilities (authorizations) to this role. Use cmdprivadm to make additional authorizations. Use authadm to assign authorizations to a role. Use roleadm to add roles, to assign roles to a user, and to list the authorizations on a role.

Another way is by using restricted SAM. What we did was we created a script and added this as customized application on SAM and then assign this to the ordinary user using restricted SAM.


Regards,
Charlie
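Charlie's RBAC suggestion, written out as the sequence of administrative commands it implies. This is an added example, not Charlie's script and not code from HP's documentation; the role name "PrintOper", the authorization "hpux.printer.queue" and the user "jane" are assumptions, and the argument forms of roleadm, authadm and cmdprivadm are given as I recall them from the HP-UX 11i v2 man pages (roleadm(1M), authadm(1M), cmdprivadm(1M)), so confirm them on your release before running as root. The same least-privilege point as with sudo applies: only the spooler binaries are bound to the authorization, never a shell or an editor, and the user invokes them through privrun, which checks the authorization and then runs the command with uid 0.

```shell
#!/bin/sh
# Added example, not from the thread: grant print-queue control through HP-UX
# RBAC (11i v2 / 11.23) instead of root. Assumed names: role "PrintOper",
# authorization "hpux.printer.queue", user "jane". Command syntax follows
# roleadm(1M), authadm(1M) and cmdprivadm(1M) as remembered; verify on your
# release. Run with RUN=echo to print the commands instead of executing them.

RUN="${RUN:-}"

# Privileged commands the role may run through privrun(1M). Each cmdprivadm
# entry maps a full path to an authorization plus the uid it runs under; no
# shell or editor is listed, so there is no path from the role to a root shell.
PRINT_CMDS="/usr/bin/cancel /usr/bin/enable /usr/bin/disable \
/usr/sbin/accept /usr/sbin/reject /usr/sbin/lpshut /usr/sbin/lpsched"

# Create the role and the authorization, then bind each command to them.
rbac_define() {
    role="$1"; op="$2"
    $RUN roleadm add "$role" "print queue operator"
    $RUN authadm add "$op"
    $RUN authadm assign "$role" "$op"
    for cmd in $PRINT_CMDS; do
        $RUN cmdprivadm add cmd="$cmd" op="$op" ruid=0 euid=0
    done
}

# Give a user the role. From then on she runs, for example,
#   privrun /usr/bin/cancel laser1-123
# and privrun checks the authorization before running cancel as uid 0.
rbac_grant() {
    $RUN roleadm assign "$1" "$2"
}

# Usage (as root): sh rbac_print.sh jane
if [ $# -ge 1 ]; then
    rbac_define PrintOper hpux.printer.queue
    rbac_grant "$1" PrintOper
fi
```

Unlike the sudo route this needs no extra software on 11i v2, but it does not cover /etc/hosts: RBAC binds commands, so editing the file would again mean binding an editor, which is the same root-shell exposure as a sudo rule for vi.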