HPE Community
Operating System - HP-UX
1836013 Members
2132 Online
110088 Solutions
New Discussion

user's can't issue ignite

 
SOLVED
Go to solution
Ravi_8
Honored Contributor

‎02-19-2003 05:59 AM

‎02-19-2003 05:59 AM

user's can't issue ignite

Hi, everybody

we wanted to automate the OS and application installation on all unix platforms. In HP-UX i have created ignite server and depots of all applications. Only the root user can issue the ignite command to start the installation, for other users it says:
You must have super-user permissions to use this tool.
I wanted all users to have execute permission on ignite, so that they can install OS and applications according to their environment without asking sys admin.

thanx in advance
never give up
0 Kudos
Reply
16 REPLIES 16
Pete Randall
Outstanding Contributor

‎02-19-2003 06:03 AM

‎02-19-2003 06:03 AM

Re: user's can't issue ignite

chmod?

Pete

Pete
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-19-2003 06:06 AM

‎02-19-2003 06:06 AM

Re: user's can't issue ignite

I'll take that back. At least on my system, it's already 666.

Pete

Pete
0 Kudos
Reply
Ravi_8
Honored Contributor

‎02-19-2003 06:07 AM

‎02-19-2003 06:07 AM

Re: user's can't issue ignite

Hi, pete

-r-xr-xr-x 1 bin bin 180224 Apr 21 2001 ignite

ignite has already execute permission by defalut to everyone
never give up
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎02-19-2003 06:18 AM

‎02-19-2003 06:18 AM

Re: user's can't issue ignite

If REALLY REALLY want to, I suppose you could run it as set-uid.

# chmod u+s whatever

I don't know for certain that this will work, but it's worth a shot.
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-19-2003 06:21 AM

‎02-19-2003 06:21 AM

Re: user's can't issue ignite

I don't know Ravi - the only thing I can think of is that HP, in their infinite wisdom, decided that Ignite was suitable for root users only.

Actually, to me, that makes sense. There is no way I would want Joe User out there deciding he didn't like something about his workstation's behavior and re-Igniting it.

Pete

Pete
0 Kudos
Reply
Ravi_8
Honored Contributor

‎02-19-2003 06:29 AM

‎02-19-2003 06:29 AM

Re: user's can't issue ignite

Hi, patrick

chmod u+s ignite

even now user can't initiate ignite
never give up
0 Kudos
Reply
Dietmar Konermann
Honored Contributor

‎02-19-2003 06:32 AM

‎02-19-2003 06:32 AM

Re: user's can't issue ignite

Ignte checks for the real uid... so this wrapper should work:

#include
main()
{
setresuid(0,0,0);
exit (system ("/opt/ignite/bin/ignite"));
}

# chown root:sys ...
# chmod 4555 ...


WARNING:
Don't expect any security from a system with whis thing installed. Don't say I didn't warn you. :)

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
0 Kudos
Reply
Ravi_8
Honored Contributor

‎02-19-2003 06:40 AM

‎02-19-2003 06:40 AM

Re: user's can't issue ignite

Hi, dietmar

#chown root:sys ignite
doesn't work
never give up
0 Kudos
Reply
Dietmar Konermann
Honored Contributor

‎02-19-2003 06:46 AM

‎02-19-2003 06:46 AM

Re: user's can't issue ignite

You have to compile and chroot the wrapper! Sorry, thought that would be clear. Or what's the problem?

- save proggi as iux-suid.c
- compile it
cc -o iux-suid iux-suid.c
- chmod 4555 iux-suid
- chown root:sys iux-suid

Then run iux-suid as non-root.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
0 Kudos
Reply
Ravi_8
Honored Contributor

‎02-19-2003 07:00 AM

‎02-19-2003 07:00 AM

Re: user's can't issue ignite

Hi Dietmar

pls can you be more clear, i am not understanding proggi. file ignite says it's only executable
never give up
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-19-2003 07:06 AM

‎02-19-2003 07:06 AM

Re: user's can't issue ignite

proggi=program

Pete
0 Kudos
Reply
Dietmar Konermann
Honored Contributor

‎02-19-2003 07:08 AM

‎02-19-2003 07:08 AM

Solution

Re: user's can't issue ignite

Hi Ravi,

simply take the source code, compile it and change its permissions/ownership. It's a wrapper... that means it a program (little program == proggie) that can be called by your users and which itself calls the original ignite program.

The trick is, it tweaks Ignite by calling the system call setresuid() before.

Hope, it's clear now.

Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
Reply
Jochen Heuer
Respected Contributor

‎02-19-2003 07:15 AM

‎02-19-2003 07:15 AM

Re: user's can't issue ignite

Create file iux-suid.c with the following content:

#include
main()
{
setresuid(0,0,0);
exit (system ("/opt/ignite/bin/ignite"));
}

Then you have to compile the file:

$ cc -o iux-suid iux-suid.c
$ chown root:sys iux-suid
$ chmod 4555 iux-suid

This wrapper (iux-suid) switches the user-id to root and then starts ignite. So you can change the permissions of /opt/ignite/bin/ignite back to it's original values. Then you have to run

$ iux-suid

to start ignite.

Jochen
Well, yeah ... I suppose there's no point in getting greedy, is there?
Reply
Jeff Schussele
Honored Contributor

‎02-19-2003 07:24 AM

‎02-19-2003 07:24 AM

Re: user's can't issue ignite

Hi Ravi,

I don't know about this....
I guess I don't like to live *that* dangerously. If they're that capable - that they know how to properly use Ignite - they might as well be SAs.

My $0.02,
Jeff


PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Ravi_8
Honored Contributor

‎02-19-2003 07:50 AM

‎02-19-2003 07:50 AM

Re: user's can't issue ignite

Hi,

users doesn't call any program in my case.
users just login to ignite server using their id's and execute ignite. it should yield the result.
It's working well in AIX (NIM - network installation management). I don't the problem with HP.
never give up
0 Kudos
Reply
Ravi_8
Honored Contributor

‎02-19-2003 08:04 AM

‎02-19-2003 08:04 AM

Re: user's can't issue ignite

Hi Dietmar/ Jochen

Thanx a lot, wrapper did the job
never give up
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.