
swacl and users other than root

 
Peter Biron
Advisor

swacl and users other than root

I have a need to have a user other than root run an swlist. When I try to run swlist as any other user it gives a seg fault. Is there a way using swacl to give rights to a domain admin user to run swlist when it accesses the machine?
Thanks
Some cause happiness wherever they go,others whenever they go! - O.Wilde
Hakki Aydin Ucar
Honored Contributor

Re: swacl and users other than root

Hi,

You can use the Restricted SAM Builder:

# sam -f
Execute SAM with the privileges associated with the specified login. When used in conjunction with -r, the Restricted SAM Builder is invoked and initialized with the privileges associated with the specified login.

# sam -r
Invoke the Restricted SAM Builder. This enables the system administrator to provide limited non-superuser access to SAM functionality.

OR

You can use privrun with the HP RBAC facility:
http://docs.hp.com/en/5991-8678/ch03s06.html
Julián Aimar
Frequent Advisor

Re: swacl and users other than root

Hi

Use sudo, you can download sudo from http://software.hp.com

JEA
Peter Biron
Advisor

Re: swacl and users other than root

Looks like that brought me to another issue: when I run sam -r and it asks for a user, the username won't fit. I'm guessing there is a char limit to the usernames? This particular user comes from the Windows side using an LDAP type authentication.
Some cause happiness wherever they go,others whenever they go! - O.Wilde
Julián Aimar
Frequent Advisor

Re: swacl and users other than root

Hi,

The login name field can be no longer than 8 characters.
Julián Aimar
Frequent Advisor

Re: swacl and users other than root

What HP-UX version?

You don't mention the version of HP-UX you are running. 11iv3 and 11iv2 have some support for longer user/group names - see "man lugadmin" for more details. I would seriously advise against using it though - it breaks so many 3rd party tools and apps...
Armin Kunaschik
Esteemed Contributor

Re: swacl and users other than root

You have another problem! You don't need configured swacl's to get swlist working!
swacl is only necessary to be able to let other people install software. On all of my systems any user can run "swlist" and I have the default swacl's only.
Check your OS patchlevel and, eventually, restart swagentd.

My 2 cents,
Armin

PS: Please assign points!
And now for something completely different...
Peter Biron
Advisor

Re: swacl and users other than root

I am using version 11i v1 (11.11) and I had the sudo idea but cannot find a version for 11.11. I tried the 11.23 one but the install failed. I have tried a user with 7 chars and it fails.
I keep getting memory fault when I run swlist as any user other than root.
Some cause happiness wherever they go,others whenever they go! - O.Wilde
Armin Kunaschik
Esteemed Contributor

Re: swacl and users other than root

What's your OS patch level (e.g. what is your version of GOLDBASE11i)? Is your installation consistent, is "swverify \*" giving any errors? Try to install a current patch bundle. The most current SupportPlus bundle for 11.11 is 06/2009, you can download it at http://itrc.hp.com/service/patch/releaseIndexPage.do.

My 2 cents,
Armin
And now for something completely different...
Peter Biron
Advisor

Re: swacl and users other than root

I just installed the June 09 Goldbase. Still no love with swlist or any of the sw cmds if I'm not root. At a loss now.
Some cause happiness wherever they go,others whenever they go! - O.Wilde
Peter Biron
Advisor

Re: swacl and users other than root

OK - can someone tell me what product I would install if I wanted to reload swlist and all of its buddies? I have 4 c8000's that are all doing the same thing. I also have an old 9000 that is running 11.00 and it works fine on that one, go figure.
Some cause happiness wherever they go,others whenever they go! - O.Wilde
Bob E Campbell
Honored Contributor

Re: swacl and users other than root

Can you post an ls -l of /var/adm/sw/security?
Armin Kunaschik
Esteemed Contributor

Re: swacl and users other than root

This is going to be very interesting. Did you do a "swverify \*"? Any errors or warnings?
I tried on all of my systems and found one with a few warnings at the beginning of the output. swlist complains about wrong configured realms. In newer HP-UX versions there is a command swfixrealm... I could not find this on my 11.11 boxes. Did you, by chance, clone those 11.11 boxes from one image? Does /etc/hosts contain leftover (or wrong) entries?
Another thing to try: Get the "tusc" utility (search in the forum!) and run a trace on swlist running as non-root. Maybe this is pointing to the error.

My 2 cents,
Armin
And now for something completely different...
Peter Biron
Advisor

Re: swacl and users other than root

Bob - for your question:

xxx1-1:/home/user $ls -la /var/adm/sw/security
total 128
drwxr-xr-x 2 bin bin 8192 Jul 27 2007 .
drwxr-xr-x 13 bin bin 8192 Oct 21 11:49 ..
-r--r--r-- 1 bin bin 39 Jul 27 2007 _ACL
-r--r--r-- 1 bin bin 61 Jul 27 2007 _OWNER
-r--r--r-- 1 bin bin 54 Jul 27 2007 _PROD_DFLT_ACL
-r--r--r-- 1 bin bin 54 Jul 27 2007 _SOC_DFLT_ACL
-r--r--r-- 1 bin bin 15 Mar 15 2007 secrets
---------- 1 root sys 0 Jul 27 2007 secrets.dir
---------- 1 root sys 1024 Jul 27 2007 secrets.pag
Some cause happiness wherever they go,others whenever they go! - O.Wilde
Peter Biron
Advisor

Re: swacl and users other than root

Armin -

I did a swverify \* and came up with many errors and yes this machine was created with an ignite image of one out of 4 boxes. Most of the errors are related to some fonts and permissions. Not sure what to look for to resolve my issue though. Nothing unusual about /etc/hosts. Still looking for tusc.

Some cause happiness wherever they go,others whenever they go! - O.Wilde
Bob E Campbell
Honored Contributor

Re: swacl and users other than root

The simple answer is hopefully the best...

The seg fault points to a problem. Start by installing the latest Software Distributor bits available from http://www.hp.com/go/softwaredepot.

Once installed run:

# swverify SW-DIST

and if you are still having seg faults we turn to the more complex.

Was a hardening tool such as Bastille run on this system or the system the image was created on? Let's work from that assumption. First step is to figure out if your plans will get you in trouble with any auditors ...

With that in mind and as root check the output of:

# swacl -l host

# swacl -l root

You should be able to see output such as:

user:frodo:crwit
any_other:-r---


If you do not see those "r"s associated with a group that would match your user then access was turned off. Full details are in the swacl(1M) man page but you can zip to the examples at the bottom of the page.
Using the swacl(1M) command you can grant any user any permissions.
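
The ACL check described in the reply above, as an added example that is not part of the original thread: it reads a saved `swacl -l` listing and reports whether a user holds the "r" permission. The matching order (user entry, then group entries, then any_other) is a simplifying assumption, and the names `pbiron`, `users` and `swadm` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does USER hold "r" in a saved
# `swacl -l` listing? Assumed, simplified matching order: a matching user:
# entry, else the union of matching group: entries, else any_other.
# object_owner, other and host entries are not evaluated here.

# can_read USER "GROUP1 GROUP2 ..." < listing   -> prints "yes" or "no"
can_read() {
    awk -F: -v user="$1" -v groups="$2" '
        BEGIN { n = split(groups, g, " ")
                for (i = 1; i <= n; i++) member[g[i]] = 1 }
        /^[ \t]*#/ || NF < 2            { next }  # header comments, blank lines
        $1 == "user"  && $2 == user     { uperm = $NF; useen = 1 }
        $1 == "group" && ($2 in member) { gperm = gperm $NF; gseen = 1 }
        $1 == "any_other"               { aperm = $NF }
        END {
            if (useen)      p = uperm
            else if (gseen) p = gperm
            else            p = aperm
            if (index(p, "r")) print "yes"; else print "no"
        }'
}

# Constructed listing in the format shown in this thread.
sample_acl() {
    cat <<'EOF'
#
# swacl Installed Software Access Control List
#
# Object Ownership: User= root
object_owner:crwit
user:frodo:crwit
group:swadm:crwit
any_other:-r---
EOF
}

# Same listing with read access turned off for any_other.
restricted_acl() { sample_acl | sed 's/^any_other:.*/any_other:-----/'; }

sample_acl     | can_read frodo ""             # explicit user entry
sample_acl     | can_read pbiron "users"       # falls through to any_other
restricted_acl | can_read pbiron "users"       # nothing grants r
restricted_acl | can_read pbiron "users swadm" # group entry grants r
```
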
Peter Biron
Advisor

Re: swacl and users other than root

Well I did an install of SD but got the same results. No sw type commands for anybody other than root.

I have placed the output of your 2 commands below with the obvious scrubbing. Thanks again.

Host:/ #swacl -l host
#
# swacl Host Access Control List
#
# For host: HOST
#
# Date: Mon Oct 26 14:29:31 2009
#

# Object Ownership: User= root
# Group=sys
# Realm=HOST.domain.com
#
# default_realm=HOST.domain.com
any_other:-r---
HOST:/ #swacl -l root
#
# swacl Installed Software Access Control List
#
# For host: HOST:/
#
# Date: Mon Oct 26 14:29:43 2009
#

# Object Ownership: User= root
# Group=sys
# Realm=HOST.domain.com
#
# default_realm=XXXXX.domain.com
object_owner:crwit
user:USER:crwit
any_other:-r---
Some cause happiness wherever they go,others whenever they go! - O.Wilde
Bob E Campbell
Honored Contributor

Re: swacl and users other than root

OK, two things to check.

1. As a non-root user on another system can you swlist the problem system?

# swlist -s othersystem

2. What do you get from these?

# ll -d /var/adm/sw
# ll -d /var/adm/sw/products/
# ll /var/adm/sw/products/INDEX
# ll /usr/sbin/sw*
Armin Kunaschik
Esteemed Contributor

Re: swacl and users other than root

The tusc URL is ftp://ftp.cup.hp.com/dist/networking/tools/

It's absolutely possible (even though not necessarily), that your problem is caused by broken permissions of any files or directories. You should at least fix any ownership and permission errors in /var and /usr.

My 2 cents,
Armin
And now for something completely different...
Peter Biron
Advisor

Re: swacl and users other than root

Bob,

The remote swlist fails the same way for normal user and only works for root.



2. What do you get from these?

# ll -d /var/adm/sw
drwxr-xr-x 13 bin bin 8192 Oct 21 11:49 /var/adm/sw
# ll -d /var/adm/sw/products/
dr-x------ 707 root sys 16384 Oct 21 11:49 /var/adm/sw/products/
# ll /var/adm/sw/products/INDEX
/var/adm/sw/products/INDEX not found
# ll /usr/sbin/sw*
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swacl
-r-xr-xr-x 1 bin bin 778240 Feb 16 2007 /usr/sbin/swagentd
-r-xr-xr-x 1 bin bin 20480 Sep 7 2004 /usr/sbin/swapinfo
-r-xr-xr-x 1 bin bin 28672 May 13 2004 /usr/sbin/swapon
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swask
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swconfig
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swcopy
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swinstall
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swjob
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swlist
-r-sr-xr-x 2 root bin 1462272 Feb 16 2007 /usr/sbin/swmodify
-r-sr-xr-x 2 root bin 1462272 Feb 16 2007 /usr/sbin/swpackage
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swreg
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swremove
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swverify
Some cause happiness wherever they go,others whenever they go! - O.Wilde
Bob E Campbell
Honored Contributor

Re: swacl and users other than root

Well, I ask a question that finally gets us somewhere...

That INDEX file is the data that swlist is trying to display. That file being gone is obvious, but not clear why it is gone.

INDEX is a master file built from the fileset data. Does the command:

# find /var/adm/sw -name INDEX

find an obviously large selection of files? If so then the master should have been rebuilt when the new SD was installed.

Is /var tight on disk space?

Do you see any messages in /var/adm/sw/swagent.log for the last install or remove that point to the failure? What is the full data for the seg fault?

If the logs are clean try running again after setting the envar SDU_DEBUG=2. If you need something to install try Software Assistant (SWA - https://www.hp.com/go/swa)

For the record, /var should be 555 bin:bin and /var/adm should be 755 adm:adm.
Armin Kunaschik
Esteemed Contributor

Re: swacl and users other than root

My questions assumed that the system config is sane... sadly it seems not to be.

There is a way to recreate the INDEX file... since it's not there anymore, there is no risk in creating it.
Try the following:
# cd /var/adm/sw/products
# find . -name INDEX -exec cat {} >>INDEX.new \;
# mv INDEX.new INDEX
# chown root:sys INDEX
# chmod 644 INDEX

Then check sw-commands again.
If the INDEX files of all products are still there, this will successfully recreate the INDEX. Otherwise something very destructive happened to the IPD and you might need to reinstall the OS...

My 2 cents,
Armin
And now for something completely different...
Armin Kunaschik
Esteemed Contributor

Re: swacl and users other than root

@Bob BTW: running a tusc trace would probably lead to the same results... the missing INDEX file.
And now for something completely different...
Peter Biron
Advisor

Re: swacl and users other than root

I have tried what Armin suggested.
I do get some product listings now after it spews out a ton of these types of messages:

The duplicate product has been marked as corrupt, and its tag
attribute changed to "_product_230813".
ERROR: Duplicate definition for the product "PHKL_38736", beginning
at line 230883. This product defines the same values for the
same version attributes as another product or bundle contained
in the root (installation). Those attributes are

PHKL_38736,l=/,r=1.0,a=HP-UX_B.11.11_32/64,v=HP


Some cause happiness wherever they go,others whenever they go! - O.Wilde
Peter Biron
Advisor

Re: swacl and users other than root

Also it did not fix the issue with any user other than root being able to run swlist. I still get the Memory fault when I try that as a non-root user.
Some cause happiness wherever they go,others whenever they go! - O.Wilde