Operating System - HP-UX
Hasan_9
Regular Advisor

problem with suid bit on file's permission

Hello everybody,
There is a file on my system with permission 4710 named oidldapd. The file is part of Oracle Internet Directory. This file needs root privileges to run, so the suid bit is set (this file should be run under the oracle user). Something is preventing the oidldapd process from running because the executable has the suid bit set. It seems there is a security setting on the system that prevents files with the suid bit set from running. Oracle said the problem is related to your security configuration. My server is not a trusted server. Currently, HP-UX 11.23 MCOE (released in December 2005) is installed on my server. Everything is at defaults and I did not change anything in the OS configuration. Please advise what is wrong in my settings.

Hasan
James R. Ferguson
Acclaimed Contributor

Re: problem with suid bit on file's permission

Hi Hasan:

Your file should be owned by root (since you want to confer 'root' privileges when it runs), but belong to Oracle's group (probably 'dba').

Then do:

# chmod 4750 oidldapd

You need to allow the group to have both read and execute privileges. To execute you must be able to read.

Regards!

...JRF...
Ivan Ferreira
Honored Contributor

Re: problem with suid bit on file's permission

Is this a binary file or a script?

Have you considered using SUDO?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Hasan_9
Regular Advisor

Re: problem with suid bit on file's permission

Thank you,
The file is owned by root and belongs to the oracle group. Also, it is a binary file.
Actually I can execute the oidldapd file as the oracle user without any problem, by myself. However, Oracle Internet Directory has a command called oidctl which cannot execute the oidldapd. Oracle's guys said the problem is related to your security configuration. Are they correct? Is there any security configuration that can affect the suid bit?

Hasan
Ivan Ferreira
Honored Contributor

Re: problem with suid bit on file's permission

Can you redirect the output to a log file when the command is executed by Oracle Internet Directory, to view the exact error that it gets?

For example:

command > /tmp/command.log 2>&1

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Hasan_9
Regular Advisor

Re: problem with suid bit on file's permission

It does not report any error. Take a look at the following lines; the log file is empty.

$ id
uid=200(oracle) gid=200(oinstall) groups=201(dba)
$ ll oidctl oidldapd
-rwx------ 1 oracle oinstall 4905064 Mar 31 04:40 oidctl
-rws--x--- 1 root oinstall 4870456 Mar 31 04:40 oidldapd
$ oidctl connect=orcl server=oidldapd instance=1 start > log 2>&1
$ cat log
$
Ivan Ferreira
Honored Contributor

Re: problem with suid bit on file's permission

Try with the debug option, like this:

oidctl server=oidldapd instance=1 flags='-debug 9' restart

The debug levels are:

1      Trace function calls
2      Debug packet handling
4      Heavy trace debugging
8      Connection management
16     Print out packets sent and received
32     Search filter processing
64     Configuration file processing
128    Access control list processing
256    Stats log connections/operations/results
512    Stats log entries sent
1024   Print communication with the back-end
2048   Print entry parsing debugging
4096   Schema-related debugging
32768  Replication-specific debugging
65535  Enable all debugging
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
A. Clay Stephenson
Acclaimed Contributor

Re: problem with suid bit on file's permission

Check the filesystem's mount options. The nosuid option may be in effect. Man mount_vxfs for details.
If it ain't broke, I can fix that.
Hasan_9
Regular Advisor

Re: problem with suid bit on file's permission

Hello,
Ivan,
As you see, nothing is generated with the following command:
$oidctl connect=orcl server=oidldapd instance=1 flags='-debug 9' start > log 2>&1
$ cat log
$

Clay,
I did not mount it with nosuid option.
I installed the software on /u01.
# mount | grep u01
/u01 on /dev/vg00/lvol7 ioerror=mwdisable,delaylog,dev=40000007 on Fri Mar 31 18:55:52 2006

Hasan
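The two checks the replies point at (James's file mode and group permissions, Clay's nosuid mount option) put into one small script; this is an added example, not something posted in the thread. The sample ll and mount lines are constructed copies of the ones Hasan posted, and the script assumes the HP-UX mount(1M) output layout "mountpoint on device options on date", with the options in the fourth field.

```sh
#!/bin/sh
# Added example (not from the thread): explain whether a setuid binary will
# actually gain its owner's privileges, from an ll(1) line and a mount(1M) line.

# Given the mode field of ll output (e.g. -rws--x---), report the setuid bit.
suid_state() {
  case "$1" in
    ???[sS]*) echo suid ;;      # 4th char: s = setuid+exec, S = setuid without exec
    *)        echo no-suid ;;
  esac
}

# Given a comma-separated mount option string, report whether nosuid is in effect.
mount_suid_state() {
  case ",$1," in
    *,nosuid,*) echo nosuid ;;
    *)          echo suid-ok ;;
  esac
}

# Combine an ll line and a mount line into a one-line verdict; return 1 when the
# binary cannot run with root privileges the way the thread expects.
diagnose() {
  mode=$(printf '%s\n' "$1" | awk '{print $1}')
  opts=$(printf '%s\n' "$2" | awk '{print $4}')   # assumed HP-UX mount output: field 4 = options
  [ "$(suid_state "$mode")" = suid ] || { echo "no setuid bit on file"; return 1; }
  [ "$(mount_suid_state "$opts")" = suid-ok ] \
    || { echo "filesystem mounted nosuid: setuid bit is ignored"; return 1; }
  case "$mode" in
    ????r?[xs]*) echo "setuid honoured; group can read and execute" ;;   # chars 5 and 7: group r and x
    ??????[xs]*) echo "setuid honoured; group can execute but not read" ;;
    *)           echo "setuid honoured; group has no execute permission"; return 1 ;;
  esac
}

# Constructed samples modelled on the lines posted in the thread.
SAMPLE_LL='-rws--x--- 1 root oinstall 4870456 Mar 31 04:40 oidldapd'
SAMPLE_MOUNT='/u01 on /dev/vg00/lvol7 ioerror=mwdisable,delaylog,dev=40000007 on Fri Mar 31 18:55:52 2006'

diagnose "$SAMPLE_LL" "$SAMPLE_MOUNT"
```

For Hasan's lines the verdict is that the setuid bit is honoured and the mount is not nosuid, so only the missing group read bit from James's chmod 4750 advice remains as a permission-side difference.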