Re: swacl and users other than root

Peter Biron · ‎10-21-2009

I have a need to have a user other than root to run an swlist. When I try to run swlist as any other user it gives seg fault. Is there a way using swacl to give rights to a domain admin user to run swlist when it accesses the machine?
Thanks

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Hakki Aydin Ucar · ‎10-21-2009

Hi,

You can use restricted SAM builder;

# sam -f
Execute SAM with the privileges associated
with the specified login. When used in
conjunction with -r, the Restricted SAM
Builder is invoked and initialize privileges associated with the specified
login.
# sam -r
Invoke the Restricted SAM Builder. This
enables the system administrator to provide
limited non-superuser access to SAM functionality.
OR
You can use privrun with HP RBAC facility:
http://docs.hp.com/en/5991-8678/ch03s06.html

Julián Aimar · ‎10-21-2009

Hi

Use sudo, you can download sudo from http://software.hp.com

JEA

Peter Biron · ‎10-21-2009

Looks like that brought me to another issue, when I run the sam -r and then it asks for a user the username won't fit. I'm guessing there is a char limit to the usernames? This particular user comes from the windows side using an LDAP type authentication.

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Julián Aimar · ‎10-21-2009

Hi,

login name field can be no longer than 8 characters

Julián Aimar · ‎10-21-2009

what hp-ux version?

You don't mention the version of HP-UX you are running 11iv3 and 11iv2 have some support for longer user/group names - see "man lugadmin" for more details.. I would seriously advise against using though - it breaks so many 3rd party tools and apps...

Armin Kunaschik · ‎10-22-2009

You have an other problem! You don't need configured swacl's to get swlist working!
swacl is only necessary to be able to let other people install software. On all of my systems any user can run "swlist" and I have the default swacl's only.
Check your OS patchlevel and, eventually, restart swagentd.

My 2 cents,
Armin

PS: Please assign points!

And now for something completely different...

Peter Biron · ‎10-22-2009

I am using version 11i v1 (11.11) and I had the sudo idea but cannot find a version for 11.11. I tried the 11.23 but failed install. I have tried a user with 7 chars and it fails.
I keep getting memory fault when I run swlist as any user other than root.

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Armin Kunaschik · ‎10-23-2009

What's you OS patch level (e.g. what is your version of GOLDBASE11i)? Is your installation consistent, is "swverify \*" giving any errors? Try to install a current patch bundle. The most current SupportPlus bundle for 11.11 is 06/2009, you can download it at http://itrc.hp.com/service/patch/releaseIndexPage.do ).

My 2 cents,
Armin

And now for something completely different...

Peter Biron · ‎10-23-2009

I just installed the June 09 Goldbase. Still no love with swlist or any of the sw cmds if I'm not root. At a loss now.

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Peter Biron · ‎10-23-2009

ok - can someone tell me what product I would install if I wanted to reload swlist and all of it's buddies? I have 4 c8000's that are all doing the same thing. I also have an old 9000 that is running 11.00 and it works fine on that one, go figure.

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Bob E Campbell · ‎10-23-2009

can you post and ls -l of /var/adm/sw/security?

Armin Kunaschik · ‎10-26-2009

This is going to be very interesting. Did you do a "swverify \*"? Any errors or warnings?
I tried on all of my systems and found one with a few warnings at the beginning of the output. swlist complains about wrong configured realms. In newer HP-UX versions there is a command swfixrealm... I could not find this on my 11.11 boxes. Did you, by chance, clone those 11.11 boxes from one image? Does /etc/hosts contain leftover (or wrong) entries?
Another thing to try: Get the "tusc" utility (search in the forum!) and run a trace on swlist running as non-root. Maybe this is pointing to the error.

My 2 cents,
Armin

And now for something completely different...

Peter Biron · ‎10-26-2009

Bob - for your question:

xxx1-1:/home/user $ls -la /var/adm/sw/security
total 128
drwxr-xr-x 2 bin bin 8192 Jul 27 2007 .
drwxr-xr-x 13 bin bin 8192 Oct 21 11:49 ..
-r--r--r-- 1 bin bin 39 Jul 27 2007 _ACL
-r--r--r-- 1 bin bin 61 Jul 27 2007 _OWNER
-r--r--r-- 1 bin bin 54 Jul 27 2007 _PROD_DFLT_ACL
-r--r--r-- 1 bin bin 54 Jul 27 2007 _SOC_DFLT_ACL
-r--r--r-- 1 bin bin 15 Mar 15 2007 secrets
---------- 1 root sys 0 Jul 27 2007 secrets.dir
---------- 1 root sys 1024 Jul 27 2007 secrets.pag

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Peter Biron · ‎10-26-2009

Armin -

I did a swverify \* and came up with many errors and yes this machine was created with an ignite image of one out of 4 boxes. Most of the errors are related to some fonts and permissions. Not sure what to look for to resolve my issue though. Nothing unusual about /etc/hosts. Still looking for tusc.

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Bob E Campbell · ‎10-26-2009

The simple answer is hopefully the best...

The seg fault points to a problem. Start by installing the latest Software Distributor bits available from http://www.hp.com/go/softwaredepot.

Once installed run:

# swverify SW-DIST

and if you are still having seg faults we turn to the more complex.

Was a hardening tool such as Bastille run on this system or the system the image was created on? Let's work from that assumption. First step is to figure out if your plans will get you in trouble with any auditors ...

With that in mind and as root check the output of:

# swacl -l host

# swacl -l root

You should be able to see output such as:

user:frodo:crwit
any_other:-r---

If you do not see those "r"s associated with a group that would match your user then access was turned off. Full details are in the swacl(1M) man page but you can zip to the examples at the bottom of the page.
Using the swacl(1M) command you can grant any user any permissions.

Peter Biron · ‎10-26-2009

Well I did an install of SD but got the same results. No sw type commands for anybody other than root.

I have placed the output of your 2 commands bwlow with the obvious scrubbing. Thanks again.

Host:/ #swacl -l host
#
# swacl Host Access Control List
#
# For host: HOST
#
# Date: Mon Oct 26 14:29:31 2009
#

# Object Ownership: User= root
# Group=sys
# Realm=HOST.domain.com
#
# default_realm=HOST.domain.com
any_other:-r---
HOST:/ #swacl -l root
#
# swacl Installed Software Access Control List
#
# For host: HOST:/
#
# Date: Mon Oct 26 14:29:43 2009
#

# Object Ownership: User= root
# Group=sys
# Realm=HOST.domain.com
#
# default_realm=XXXXX.domain.com
object_owner:crwit
user:USER:crwit
any_other:-r---

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Bob E Campbell · ‎10-26-2009

OK, two things to check.

1. As a non-root user on another system can you swlist the problem system?

# swlist -s othersystem

2. What do you get from these?

# ll -d /var/adm/sw
# ll -d /var/adm/sw/products/
# ll /var/adm/sw/products/INDEX
# ll /usr/sbin/sw*

Armin Kunaschik · ‎10-27-2009

The tusc URL is ftp://ftp.cup.hp.com/dist/networking/tools/

It's absolutely possible (even though not necessarily), that your problem is caused by broken permissions of any files or directories. You should at least fix any ownership and permission errors in /var and /usr.

My 2 cents,
Armin

And now for something completely different...

Peter Biron · ‎10-29-2009

Bob,

The remote swlist fails the same way for normal user and only works for root.

2. What do you get from these?

# ll -d /var/adm/sw
drwxr-xr-x 13 bin bin 8192 Oct 21 11:49 /var/adm/sw
# ll -d /var/adm/sw/products/
dr-x------ 707 root sys 16384 Oct 21 11:49 /var/adm/sw/products/
# ll /var/adm/sw/products/INDEX
/var/adm/sw/products/INDEX not found
# ll /usr/sbin/sw*
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swacl
-r-xr-xr-x 1 bin bin 778240 Feb 16 2007 /usr/sbin/swagentd
-r-xr-xr-x 1 bin bin 20480 Sep 7 2004 /usr/sbin/swapinfo
-r-xr-xr-x 1 bin bin 28672 May 13 2004 /usr/sbin/swapon
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swask
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swconfig
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swcopy
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swinstall
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swjob
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swlist
-r-sr-xr-x 2 root bin 1462272 Feb 16 2007 /usr/sbin/swmodify
-r-sr-xr-x 2 root bin 1462272 Feb 16 2007 /usr/sbin/swpackage
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swreg
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swremove
-r-sr-xr-x 11 root bin 2478080 Feb 16 2007 /usr/sbin/swverify

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Bob E Campbell · ‎10-29-2009

Well, I ask a question that finally gets us somewhere...

That INDEX file is the data that swlist is trying to display. That file being gone is obvious, but not clear why it is gone.

INDEX is a master file built from the fileset data. Does the command:

# find /var/adm/sw -name INDEX

find an obviously large selection of files? If so then the master should have been rebuilt when the new SD was installed.

Is /var tight on disk space?

Do you see any messages in /var/adm/sw/swagent.log for the last install or remove that point to the failure? What is the full data for the seg fault?

If the logs are clean try running again after setting the envar SDU_DEBUG=2. If you need something to install try Software Assistant (SWA - https://www.hp.com/go/swa)

For the record, /var should be 555 bin:bin and /var/adm should be 755 adm:adm.

Armin Kunaschik · ‎10-30-2009

My questions assumed that the system config is sane... sadly it seems not to be.

There is a way to recreate the INDEX file... since it's not there anymore, there is no risk in creating it.
Try the following:
# cd /var/adm/sw/product
# find . -name INDEX -exec cat {} >>INDEX.new \;
# mv INDEX.new INDEX
# chown root:sys INDEX
# chmod 644 INDEX

Then check sw-commands again.
If the INDEX files of all products are still there, this will successfully recreate the INDEX. Otherwise something very destructive happened to the IPD and you might need to reinstall the OS...

My 2 cents,
Armin

And now for something completely different...

Armin Kunaschik · ‎10-30-2009

@Bob BTW: running a tusc trace would probably lead to the same results... the missing INDEX file.

And now for something completely different...

Peter Biron · ‎10-30-2009

I have tried what Armin suggested.
I do get some product listings now after it spews out a ton of these types of messages:

The duplicate product has been marked as corrupt, and its tag
attribute changed to "_product_230813".
ERROR: Duplicate definition for the product "PHKL_38736", beginning
at line 230883. This product defines the same values for the
same version attributes as another product or bundle contained
in the root (installation). Those attributes are

PHKL_38736,l=/,r=1.0,a=HP-UX_B.11.11_32/64,v=HP

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Peter Biron · ‎10-30-2009

Also it did not fix the issue with any user other than root being able to run swlist. I still get the Memory fault when I try that as a non-root user.

Some cause happiness wherever they go,others whenever they go! - O.Wilde

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: swacl and users other than root

swacl and users other than root