HPE Community
Operating System - HP-UX
1834571 Members
3165 Online
110069 Solutions
New Discussion

Re: New user setup with access to print admin

 
SOLVED
Go to solution
ITeam
Super Advisor

‎01-09-2003 03:26 AM

‎01-09-2003 03:26 AM

New user setup with access to print admin

Hi everybody,
I have set up a new user on HPUX11.11 and changed the uid ( and even the gid ) to match those of root. Root can cancel a print job but the alternative user cannot, i get a message stating that i am not the owner however the new user can disable and enable print queues.
There is nothing in the .profile for the new user ( i even copied the .profile from root but this still did not work).
I would be grateful for any advise / suggestions.
Thanks in advance.
Regards
Shaun
0 Kudos
Reply
11 REPLIES 11
Rajeev Shukla
Honored Contributor

‎01-09-2003 03:30 AM

‎01-09-2003 03:30 AM

Re: New user setup with access to print admin

Just check that you have right permission for the lp files i.e
r-sr-xr-x 1 root bin 40960 Nov 9 20:08 lp
-r-sr-xr-x 1 root bin 36864 Nov 9 20:08 lpalt
-r-sr-xr-x 1 lp bin 45056 Nov 9 20:08 lpstat

Cheers
Rajeev
0 Kudos
Reply
Jose Mosquera
Honored Contributor

‎01-09-2003 03:36 AM

‎01-09-2003 03:36 AM

Re: New user setup with access to print admin

Hi,

When you configure any user with a same user ID of root you are creating a high recurity risk. I recomend you explore install "sudo" software to allow to lower do some admin tasks.

Take a look in:
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/

Rgds,
0 Kudos
Reply
Armin Feller
Honored Contributor

‎01-09-2003 04:05 AM

‎01-09-2003 04:05 AM

Re: New user setup with access to print admin

Hi,

you can also distribute root permissions to a user by SAM. Run 'sam -R' (restriced SAM)and allow a special user to go to PLOTTER&PRINTER in SAM.

(man sam)

Regards,
Armin
0 Kudos
Reply
ITeam
Super Advisor

‎01-09-2003 06:20 AM

‎01-09-2003 06:20 AM

Re: New user setup with access to print admin

Hi
Thanks for the replies Jose & Armin. I have checked the permissions and they are the same as those that you have in your example...

Regards
Shaun
0 Kudos
Reply
John Meissner
Esteemed Contributor

‎01-09-2003 06:55 AM

‎01-09-2003 06:55 AM

Re: New user setup with access to print admin

restricted SAM is on option. At my company we have a very large tier 1 and tier2 support team that we give any tedious tasks to from user creation & password resets... to printer creation. We use a free HP tool called ServiecControl Manager (SCM for short)
It can be found at:
http://www.software.hp.com
product number B8337BA
SCM is a graphical based tool that allows you to give users the ability to run tools or commands with root permissions - WITHOUT compromising system security. You don't need to give them any special UID or GID and you don't have to give them the root password. I've been running SCM for almost a year now and it's bennifits are amazing.
All paths lead to destiny
0 Kudos
Reply
ITeam
Super Advisor

‎01-10-2003 06:00 AM

‎01-10-2003 06:00 AM

Re: New user setup with access to print admin

The problem we have is that the user logs in to an admin menu to control users, passwords, print queues etc. They are unable to get to a shell prompt for security reasons. The uid and the gid are the same as root. As this special admin user, its possible to create users, stop the scheduler, start the scheduler, send prints to a print queue, but the admin user cannot cancel print jobs (even its own print jobs). Error message given is "not owner". Root works fine for canceling any print jobs.

Again, thanks in advance.
Regards
Shaun
0 Kudos
Reply
John Meissner
Esteemed Contributor

‎01-10-2003 07:34 AM

‎01-10-2003 07:34 AM

Re: New user setup with access to print admin

with SCM the user would never need to log in and get a console to use SCM. There is a web client that the user would conntect to and SCM would run via a java applet. They would be able to run a tool as any ID set by the admin. Even If you decide not to try this (becuase it's not a quick fix and takes a little while to setup) I still recommend you try this product.
All paths lead to destiny
0 Kudos
Reply
ITeam
Super Advisor

‎01-17-2003 08:23 AM

‎01-17-2003 08:23 AM

Re: New user setup with access to print admin

John,
Whilst your solution with SCM is very much relevent in other circumstances (and we would use it as and when we require it), in this situation it is not relevent, due to the connections that our customer uses to the server.
The customer has no chose but to use software with a standard telnet session connection to the server.
We have a number of customers that use this administration menu to control print jobs etc. with no problems, yet this one customer has this problem with canceling print jobs from the administration menu, including that users own print jobs.

Please can someone help.
Regards
Shaun.
0 Kudos
Reply
Jose Mosquera
Honored Contributor

‎01-17-2003 10:42 AM

‎01-17-2003 10:42 AM

Re: New user setup with access to print admin

Hi,

As me had commented you, the "sudo" software will offer you the possibility that non-root users (different UID) have privileges to do specific tasks and that originally they are reserved for the "root" user. With this you can allow prompt access without concerns.

Rgds.
0 Kudos
Reply
Chris Wong
Trusted Contributor

‎01-17-2003 11:15 AM

‎01-17-2003 11:15 AM

Solution

Re: New user setup with access to print admin

If the UID and GID are the same as roots, then this user is root. It must have something to do with something getting changed when they log in or go into the menuing system? Are your other users using 11.11?
I did note that the man page says "Remove all requests the user owns on each printer. The owner is determined by the user's login name and the host name of the machine where the lp command was invoked." Now, I would think that if you have UID 0, you should be able to cancel anything, but perhaps it is really looking at the "login NAME". I doubt this.
Once you get this problem fixed you might want to consider moving to restricted SAM, SCM (which you can do using telnet), sudo, or a 3rd party solution. The method you are using is insecure. (For example, are these users excluded from FTPing? Because when you FTP you won't be forced into the menu).

- Chris
Reply
ITeam
Super Advisor

‎01-20-2003 05:15 AM

‎01-20-2003 05:15 AM

Re: New user setup with access to print admin

Hi all,
Thanks again for the suggestions. I have tested the values of the variables once the user has logged in and it appears that when the "LOGNANE" variable is set to "root" the problems are not encountered. I have ammended the users profile to set this variable. Thanks for the lead Chris :)
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.