HPE Community
Operating System - HP-UX
1847015 Members
4195 Online
110258 Solutions
New Discussion

Re: LVM command

 
SOLVED
Go to solution
YLTan
Frequent Advisor

‎04-22-2003 06:27 PM

‎04-22-2003 06:27 PM

LVM command


I notice that all the lv's , pv's , vg's command such lvlnboot, pvdisplay, vgchange, etc. have its uid and gid set to 4000 and 2000.

This means a non-root users can also executed those commands on lv, pv and vg.

Does this pose a considerable problems in configuration to the system when some non-users just execute it without knowing its impact?

Can I reset those uid and gid for these commands? Will it have any impact on its execution?
tyl
0 Kudos
Reply
10 REPLIES 10
Patrick Wallek
Honored Contributor

‎04-22-2003 06:37 PM

‎04-22-2003 06:37 PM

Re: LVM command

Here are the permissions for all of my lv*, pv* and vg* commands. They are all owned by root with the group sys. If yours are different they are definitely NOT RIGHT.

My next step would be to figure out why they are different.

Good luck.

root@hquas06:/usr/sbin->ll lv* pv* vg*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvchange*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvcreate*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvdisplay*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvextend*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvlnboot*
-r-xr--r-- 1 bin bin 143360 Nov 6 1997 lvmmigrate*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvreduce*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvremove*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 lvrmboot*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvchange*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvck*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvcreate*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvdisplay*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvmove*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 pvremove*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgcfgbackup*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgcfgrestore*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgchange*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgchgid*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgcreate*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgdisplay*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgexport*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgextend*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgimport*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgreduce*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgremove*
-r-sr-xr-x 26 root sys 540672 Jun 24 2002 vgscan*
root@hquas06:/usr/sbin->
0 Kudos
Reply
John Poff
Honored Contributor

‎04-22-2003 06:40 PM

‎04-22-2003 06:40 PM

Re: LVM command

Hi,

I'm pretty sure that you have to be root to execute those commands. The commands are probably coded so that they check your UID when you run them and they make sure you are root.

When you say the UID and GID are set to 4000 and 2000, do you mean the ownership of those command file executables? My guess is that they should probably be root:sys or bin:bin or something along those lines.

JP
0 Kudos
Reply
Michael Tully
Honored Contributor

‎04-22-2003 06:47 PM

‎04-22-2003 06:47 PM

Re: LVM command

You should never allow access to commands like lvlnboot, vgchange and pvcreate. They could terrible damage. The dislay programs are okay to use. The onwership are root:sys
Anyone for a Mutiny ?
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎04-22-2003 06:49 PM

‎04-22-2003 06:49 PM

Re: LVM command

I just tried an experiment and logged in as a normal user (not root) and I could run /usr/sbin/lvdisplay and /usr/sbin/vgdisplay. I didn't try any of the others but they MAY work as well.

Now one thing I did have to do is specify the FULL PATH to the commands since /usr/sbin is not normally in a normal users path and it should really never be.

I don't know if it would hurt to take execute permission off of world for those commands or not. If you are really paranoid about security it may be something to test out and see how it works.
Reply
Michael Tully
Honored Contributor

‎04-22-2003 06:51 PM

‎04-22-2003 06:51 PM

Re: LVM command

In addition, some of these commands have their own in built protection:

e.g.
$ lvlnboot -v
Must be root to use this command.

If users must have this type of access, install 'sudo'
You can get it from here:

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/
Anyone for a Mutiny ?
Reply
S.K. Chan
Honored Contributor

‎04-22-2003 07:43 PM

‎04-22-2003 07:43 PM

Re: LVM command

With the the same permission and ownership of all the vg*,lv* & pv* commands (like shown by Patrick) in /usr/sbin I can only run these ..
- vgdisplay
- lvdisplay
- pvdisplay
.. as normal user. The rest of the commands can only be run as root. So you can actually leave the permissions and ownerships unchanged.
Reply
James R. Ferguson
Acclaimed Contributor

‎04-23-2003 04:03 AM

‎04-23-2003 04:03 AM

Re: LVM command

Hi:

If you examine the output of Patrick's 'ls' command you will immediately note that the LVM binaries listed have multiple links (in fact, 26 in his listing). If you would further examine these binaries you can find that *all* of them are actually the *same* binary file. They are all hard-links to a single piece of code. Hence, any change in permissions or ownership to one link is reflected in every link.

An easy way to show their commonality is to do:

# ls -il /usr/sbin/lvchange

...note the inode number (e.g. 15042 on one of my systems). Then look for all files matching this inode:

# ls -il /usr/sbin|grep 15042

...you will thus expose all of the common binaries in Patrick's post.

Regards!

...JRF...
0 Kudos
Reply
John Poff
Honored Contributor

‎04-23-2003 06:13 AM

‎04-23-2003 06:13 AM

Solution

Re: LVM command

Hi,

I tried some of the commands on a test system here this morning as a non-root user. I can do the display commands [vgdisplay, lvdisplay, etc.] but when I tried to do an lvextend it complained, "Must be root to use this command".

It looks like the binaries do check to make sure you are root before you do something dangerous.

JP
Reply
YLTan
Frequent Advisor

‎04-27-2003 01:53 AM

‎04-27-2003 01:53 AM

Re: LVM command

Hi All,

Thanks for all the help.

Why did HP put uid and gid in those commands as defaults installation? It is misleading.
tyl
0 Kudos
Reply
Robert-Jan Goossens
Honored Contributor

‎04-27-2003 03:55 AM

‎04-27-2003 03:55 AM

Re: LVM command

Hi,

Take a look at this doc, it explains the why and what.

Docid: A4318288D
Mechanism used to prevent regular user from running LVM commands

Europe and Asia
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062938676

US
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062938676

Hope it helps,

Robert-Jan.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.