Operating System - HP-UX
Kevin Nikiforuk
Valued Contributor

Limit access to glance

We are trying to limit access to glance on our machines to a smaller group of users. I created a group named glance, added the relevant users to it, changed the group ownership to the glance group and removed other execute permission. Suggestions?
11 REPLIES
Steven E. Protter
Exalted Contributor

Re: Limit access to glance

You have done what you need to do.

Removing other execute permissions will prevent users not in the same group as the glance owner from executing the program.

You're done. Time to test it. Never rely on untested changes.

If you get unexpected results, please post back the id command from the test user and the permissions on the glance executable.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Kevin Nikiforuk
Valued Contributor

Re: Limit access to glance

I thought so, however it doesn't appear to be working on our 10.20 servers.

ll /opt/perf/bin/glance /opt/perf/bin/gpm
-r-sr-xr-- 1 root glance 538073 Oct 6 2000 /opt/perf/bin/glance
-r-sr-xr-- 1 root glance 1490183 Oct 6 2000 /opt/perf/bin/gpm

id
uid=5001(oraoper) gid=101(oradba)

grep glance /etc/group
glance::107:oraoper

doug mielke
Respected Contributor

Re: Limit access to glance

Does the s in perms list set user to owner?
Kevin Nikiforuk
Valued Contributor

Re: Limit access to glance

Sorry, I don't understand what you're asking. The suid bit is set if that's what you're asking...
John Poff
Honored Contributor

Re: Limit access to glance

What error do you get when one of your glance users tries to run it on the 10.20 box?

JP
Kevin Nikiforuk
Valued Contributor

Re: Limit access to glance

#/opt/perf/bin/glance
ksh: /opt/perf/bin/glance: cannot execute
John Poff
Honored Contributor
Solution

Re: Limit access to glance

Here is just a swag, but have you tried doing a 'newgrp glance' and then trying to run glance?

JP
doug mielke
Respected Contributor

Re: Limit access to glance

My thought was that the sgid bit would have to be set as well for group access, but I was going down the wrong track.
Kevin Nikiforuk
Valued Contributor

Re: Limit access to glance

We have a winner! If I run newgrp glance, then run glance, it works like a charm. It's a bit of a pain, but it's only on three boxes.

Thanks for your help!
A. Clay Stephenson
Acclaimed Contributor

Re: Limit access to glance

There is an even easier method that will not require running the newgrp command.

ln /etc/group /etc/logingroup

Now if a user is a member of multiple groups, permissions will be checked automatically. Primary group membership is determined by the user's group id in the passwd entry.

If it ain't broke, I can fix that.
Kevin Nikiforuk
Valued Contributor

Re: Limit access to glance

Less work = even better! =) Thanks guys.
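
The three cases from this thread (no /etc/logingroup, after newgrp glance, and with /etc/logingroup linked to /etc/group), as an added example that is not part of any post: a shell model of the execute-permission check for oraoper against the listed mode of /opt/perf/bin/glance. The function names are hypothetical, the group file content is constructed from the grep output above, and the model assumes supplementary groups are read only from the logingroup file.

```shell
#!/bin/sh
# Added example (not from the thread): models the execute check for oraoper.
# Assumption: supplementary groups come only from the logingroup file.

# Print supplementary GIDs for user $1 from logingroup file $2 (none if absent).
supp_gids() {
    user=$1; file=$2
    [ -f "$file" ] || return 0
    awk -F: -v u="$user" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $3
    }' "$file" | tr '\n' ' '
}

# can_exec MODE FILE_UID FILE_GID UID EGID "SUPP_GIDS"
# Only one permission class is consulted: owner, else group, else other.
# (Superuser override is not modelled.)
can_exec() {
    mode=$1; fuid=$2; fgid=$3; uid=$4; egid=$5; supp=$6
    col=10                                   # default: "other" execute column
    if [ "$uid" -eq "$fuid" ]; then
        col=4
    else
        for g in $egid $supp; do
            if [ "$g" -eq "$fgid" ]; then col=7; fi
        done
    fi
    case $(printf '%s' "$mode" | cut -c"$col") in
        x|s|t) return 0 ;;
        *) return 1 ;;
    esac
}

MODE='-r-sr-xr--'   # glance as listed in the thread: owner root(0), group glance(107)

# verdict EGID "SUPP_GIDS": outcome for oraoper (uid 5001)
verdict() {
    if can_exec "$MODE" 0 107 5001 "$1" "$2"; then echo allowed; else echo denied; fi
}

demo() {
    tmp=$(mktemp); echo 'glance::107:oraoper' > "$tmp"   # constructed from the thread
    echo "no logingroup, gid 101:   $(verdict 101 "$(supp_gids oraoper /nonexistent)")"
    echo "after newgrp, gid 107:    $(verdict 107 "")"
    echo "with logingroup, gid 101: $(verdict 101 "$(supp_gids oraoper "$tmp")")"
    rm -f "$tmp"
}
demo
```

With other-execute removed, membership in glance only helps once the process actually carries gid 107, either as its effective group or as a supplementary group.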