Operating System - HP-UX

Manuales
Super Advisor

Special permissions for using root's commands

Hi ...
I have a user trustable as root; it is for monitoring some things on the servers ...

Then, I need to send a report about the configuration of the server. My user ID is named "usertrust" and I want him to be able to use the command print_manifest. I know that something exists for giving special permissions ...

The command is as follows:
$ ls -rlt /opt/ignite/bin/print_manifest
-r-xr-xr-x 1 bin bin 40960 Jan 19 2001 /opt/ignite/bin/print_manifest

How do I change the permissions so that it can be used by a user other than root?

Please let me know.
Thanks.
Robert-Jan Goossens
Honored Contributor

From the manual page of print_manifest

You must be the root user to run print_manifest.

You could use sudo, and give a user admin (root) permissions for some commands.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p12/

Another option could be to add a cron entry (say once a week) for print_manifest, and the user can copy the output from
# cat /var/opt/ignite/local/manifest/manifest.info

Regards,
Robert-Jan
Manuales
Super Advisor

Does somebody know how to give permissions (as root) to other users for using a root's command?

I know that you have to use something like:
chmod 7777 (4) file_name ... do you know it?

Please let me know...

Thanks ....
James R. Ferguson
Acclaimed Contributor

Hi Manuales:

I covered this in what appears to be your duplicate thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1159548

Please see my remarks, there.

Regards!

...JRF...
whiteknight
Honored Contributor

Manuales,

You can use HP's sudo equivalent, called RBAC, to assign a role to a particular user.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl

Check it out!
WK
please assign points
Problem never ends, you must know how to fix it
Bill Hassell
Honored Contributor

In your example (print_manifest), you cannot change anything to make this program run for an ordinary user. The reason is that the program must access many parts of the OS to provide the needed information and ordinary users are denied access to these details.

What you may be referring to is setUID where a program can have the setUID bit turned on to gain root privileges. However, turn on the setUID bit like this:

chmod 4555 /opt/ignite/bin/print_manifest

then have your user run the command and you'll get:

ERROR: You must be the root user to run this program.

which means the program (properly) detects the ordinary user trying to run as root.

There is only one solution and that is to download sudo from HP and use it to give your trusted user access to the print_manifest command.


Bill Hassell, sysadmin
Dennis Handly
Acclaimed Contributor

> Bill: turn on the setUID bit like this:
> chmod 4555 /opt/ignite/bin/print_manifest
> ERROR: You must be the root user to run this program.

You also need to set the ownership to root:
# chown root:sys /opt/ignite/bin/print_manifest

(I suppose it could still check?)
Bill Hassell
Honored Contributor

Dennis wrote:

> You also need to set the ownership to root:
> # chown root:sys /opt/ignite/bin/print_manifest
>
> (I suppose it could still check?)

Oops, forgot that step 'cause I thought it was already owned by root. When print_manifest looks like this:

-r-sr-xr-x 1 root sys 40960 Sep 14 2006 /opt/ignite/bin/print_manifest

then print_manifest can be run by any user.

So, yes it could check but it doesn't. So apparently (on 11.11) print_manifest can indeed be changed to setUID and owned by root which allows anyone to run the program. It appears that all the information is security neutral so I can't think of any precautions except that swverify will likely report this as an exception.


Bill Hassell, sysadmin
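
Added example, not written by any poster in this thread: a small shell check that reads an `ls -l` line and reports whose privileges the file would run with, which shows why `chmod 4555` on a file owned by `bin` did not give root and why the later `chown root:sys` did. The function name `classify_suid` is hypothetical, and the middle sample line is constructed to represent the state after `chmod 4555` alone; the other two lines are the listings quoted in the thread.

```shell
#!/bin/sh
# classify_suid: take one `ls -l` line and print one of:
#   plain         no setuid bit; the program runs with the caller's UID
#   setuid-other  setuid bit set but owner is not root; runs as that owner
#   setuid-root   setuid bit set and owner is root; runs as root for anyone
classify_suid() {
    # `read` splits on whitespace without globbing:
    # field 1 = mode string, field 2 = link count, field 3 = owner.
    read -r mode _links owner _rest <<EOF
$1
EOF
    case $mode in
        # Character 4 of the mode string is the owner-execute slot:
        # 's' = setuid with execute, 'S' = setuid without execute.
        ???[sS]*)
            if [ "$owner" = "root" ]; then
                echo setuid-root
            else
                echo setuid-other
            fi
            ;;
        *)
            echo plain
            ;;
    esac
}

# Listing from the original question (owner bin, no setuid bit).
ORIGINAL='-r-xr-xr-x 1 bin bin 40960 Jan 19 2001 /opt/ignite/bin/print_manifest'
# Constructed: the same file after `chmod 4555` only, still owned by bin.
AFTER_CHMOD='-r-sr-xr-x 1 bin bin 40960 Jan 19 2001 /opt/ignite/bin/print_manifest'
# Listing from the last post (setuid bit set, owner root).
AFTER_CHOWN='-r-sr-xr-x 1 root sys 40960 Sep 14 2006 /opt/ignite/bin/print_manifest'

for entry in "$ORIGINAL" "$AFTER_CHMOD" "$AFTER_CHOWN"; do
    printf '%-13s %s\n' "$(classify_suid "$entry")" "$entry"
done
```

A `setuid-root` result on a vendor-delivered file is the kind of permission change the last post expects swverify to report.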