HPE Community
Operating System - HP-UX
1830143 Members
25303 Online
109999 Solutions
New Discussion

ignite-root

 
SOLVED
Go to solution
Emilio Brusa
Frequent Advisor

‎05-12-2004 10:23 AM

‎05-12-2004 10:23 AM

ignite-root

Hi,
I have this problem...
I need to run manually the make_recovery -Avi or make_tape_recovey -x...but I need him to run him an operator that should not have privileges of ROOT
How can create a user that can run make_tape_recovey without priviliges of ROOT, only creating the tape of Ignite.
Also them...if they can lean on with the best´s practices for the creation of Ignites
Thanks everybody.

0 Kudos
Reply
11 REPLIES 11
Sundar_7
Honored Contributor

‎05-12-2004 10:41 AM

‎05-12-2004 10:41 AM

Re: ignite-root

It looks like make_recovery inturn checks the real UID of the user. So SUID will not work in this case.

You can install sudo and allow the user to run only make_recovery
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Sundar_7
Honored Contributor

‎05-12-2004 10:50 AM

‎05-12-2004 10:50 AM

Re: ignite-root

Best practice is to include everything in vg00. use the -ACvi option with make_recovery and -x inc_entire=vg00 when make_tape_recovery is used.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎05-12-2004 10:55 AM

‎05-12-2004 10:55 AM

Re: ignite-root

Create a script something like this:

# cat create_ignite_tape
#!/usr/bin/sh

# Replace the 0mn with your no-rewind tape drive
TAPE=/dev/rmt/0mn

# Rewind tape
mt -f ${TAPE} rew

# Run make_tape_recovery
/opt/ignite/bin/make_tape_recovery -a ${TAPE} -I -v -x inc_entire=vg00

# Eject the tape when done
mt -f ${TAPE} offl

# END OF SCRIP

Now you have a couple of options:

1) Install sudo as said above and set up the user so that he/she can run the create_ignite_tape script. --- I would prefer this method

2) Set the create_ignite_tape script so that it is owned by root and is a SUID script.

# chmod 4555 create_ignite_tape
# ll create_ignite_tape
-r-sr-xr-x root sys .... create_ignite_tape

I wouldn't necessarily recommend this as it could be a security hole (I don't like unnecessary SUID scripts lying around). I am not even 100% sure it will work, but it might.

0 Kudos
Reply
Sundar_7
Honored Contributor

‎05-12-2004 11:08 AM

‎05-12-2004 11:08 AM

Re: ignite-root

Patrick, I tried the script before posting my FIRST reply. Apparently make_recovery has a real UID check builtin.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Sundar_7
Honored Contributor

‎05-12-2004 11:12 AM

‎05-12-2004 11:12 AM

Solution

Re: ignite-root


$ ls -lrt /root/m.sh
-r-sr-xr-x 1 root sys 68 May 12 16:09 /root/m.sh
$

$ more /root/m.sh
#! /usr/bin/sh
/opt/ignite/bin/make_recovery -ACvi -d /dev/rmt/0mn
$

$ /root/m.sh
make_recovery(201): Must have root capability to use make_recovery
$
Learn What to do ,How to do and more importantly When to do ?
Reply
Emilio Brusa
Frequent Advisor

‎05-13-2004 09:39 AM

‎05-13-2004 09:39 AM

Re: ignite-root

Sundar and Patrick thanks,

Where can i find SUDO...is software of hp??

E.
0 Kudos
Reply
Francesco Campalastri
Frequent Advisor

‎05-13-2004 10:08 AM

‎05-13-2004 10:08 AM

Re: ignite-root

HP-UX 11.11 (11i) include a yellow label CD named Internet Express for HP-UX with sudo. Sudo is not released by HP, it is public domain.

See also on the web

http://hpux.cs.utah.edu/
sudo-1.6..7p5 (15 Oct 2003)

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111



Ciao

0 Kudos
Reply
Sundar_7
Honored Contributor

‎05-13-2004 11:41 AM

‎05-13-2004 11:41 AM

Re: ignite-root

You can download from this link

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

Once installed, add an entry in the /etc/sudoers file

ALL=/opt/ignite/bin/make_recovery

Now the operator can use sudo to create recovery tape.

operator> sudo /opt/ignite/bin/make_recovery -ACvi -d /dev/rmt/0mn
Password:

Operator will be prompted for password. The password to be entered is the OPERATOR's password and NOT the root's password.
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Dani Seely
Valued Contributor

‎05-13-2004 02:45 PM

‎05-13-2004 02:45 PM

Re: ignite-root

In my experiences with Ignite restores I have had weird and unusual problems occur after a restore of an Ignite backup that was performed in multi-user mode. As general practice from now on I always shut down to single-user mode in order to ensure minimal files are open or in use and my backup is cleaner and finishes faster, too.

You may want to rethink your backup strategy. If you're trusting someone to do your system backups but you're not going to give him/her the root password in order to run the backup, it makes me kind of wonder ...
Together We Stand!
0 Kudos
Reply
Emilio Brusa
Frequent Advisor

‎05-14-2004 02:08 AM

‎05-14-2004 02:08 AM

Re: ignite-root

But,
whenever to make a restore of a tape made with I Sudo, is the process the same one that when the tape make with root?
Or are any considireations for that ?

Thanks everybody

E.
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎05-14-2004 02:12 AM

‎05-14-2004 02:12 AM

Re: ignite-root

Emilio,

There should be no difference in the restore process whether the tape was made by an actual root or a "sudo'd" root.


Pete

Pete
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.