
User's default permission in HP-UX B.11.23 U ia64 box

 
SOLVED
rab_2
Occasional Advisor


Hi,
I am having user's default umask problem in HP-UX 64-bit ia64
box.
The same user's default umask works ok in HP-UX B.11.11 U
9000/800 box.

Actually the mainframe application kicks off a remote job through
rexec command. The job (nothing but a Unix shell script) then
runs on that Unix box and creates many Unix files in same Unix
box. But the file permission for those new files are restricted.

-rw-------

I have tried to put umask command in that user's .profile file,
but then figured out that .profile is not executed in case of
remote execution (rexec) triggered from mainframe.

Can you please point me to right direction.
I also checked /etc/profile file and compared between HP-UX
64-bit Itanium box (bad one) and HP-UX B.11.11 U 9000/800 box
(good one) and found that both are same.

I tried to search environment file, but didn't find any /etc/environment in any of the boxes (neither in good box nor in bad box)

Can you please help and point me to the area I should dig.
Please let me know if I am not clear.

Thanks in advance for your help.

-Rabi
Patrick Wallek
Honored Contributor

Re: User's default permission in HP-UX B.11.23 U ia64 box

>>The job (nothing but a Unix shell script)

You need to set your umask value in the shell script that is run.

rab_2
Occasional Advisor

Re: User's default permission in HP-UX B.11.23 U ia64 box

Thanks for the response,
Yes, adding a umask value in the application shell script, or forcefully executing .profile through the script, etc. are all going to solve the problem in an ugly way.
But there are some problems with those approaches...
1> There are many other Unix shell scripts called (as part of different applications) in a similar way from the mainframe (rexec) and executed in Unix. So we would need to change all those application scripts.

2> The endeavour is to keep the application script the same across all architectures, PA_RISC or IA64. The same script runs ok on PA_RISC machines and creates files with good permissions.

3> When I run following command,
HPPARISC$ remsh -l -n touch afile

it creates restricted file in IA64 box.

-rw------- 1 adcf81t zxxincb1 0 Jul 25 17:17 afile

whereas when I run following command
HPIA64$ remsh -l -n touch afile

it creates good file in PARISC box.

-rw-rw-rw- 1 adcf81t zxxincb1 0 Jul 25 17:18 afile

Hope this clears the problem. The problem has actually nothing to do with mainframe.

Thanks
Rabi
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: User's default permission in HP-UX B.11.23 U ia64 box

It never hurts to examine the man page (on the 11.23 box). A man remshd or man rexecd will tell you that umask is controlled by a setting in /etc/default/security.
If it ain't broke, I can fix that.
rab_2
Occasional Advisor

Re: User's default permission in HP-UX B.11.23 U ia64 box

Yes, man page does say about the security setting. Thanks for the tip.
I am afraid, if that umask is going to override the user's profile umask.
Can you please confirm.

Thanks
Rabi
A. Clay Stephenson
Acclaimed Contributor

Re: User's default permission in HP-UX B.11.23 U ia64 box

Again, refer to the man pages. If you follow the steps that a remsh connection follows as it honors a client connection request, you will see nothing about /etc/profile or .profile. The umask value is that defined in /etc/default/security, but the last umask wins, so you can explicitly set it in the script --- which should have already been done.

NOW:

> it creates restricted file in IA64 box.
>
> -rw------- 1 adcf81t zxxincb1 0 Jul 25 17:17 afile
>
> whereas when I run following command
> HPIA64$ remsh -l -n touch afile
>
> it creates good file in PARISC box.
>
> -rw-rw-rw- 1 adcf81t zxxincb1 0 Jul 25 17:18 afile

Let me just say that your idea of what constitutes a good file from the perspective of permissions and my idea of the same thing are diametrically opposed. Any file with a mode of 666 is a security breach waiting to happen. A umask of 027 would be my starting point and would get no less restrictive than 007. You seem to think that a umask of 000 is ideal.

In any event, you are a victim of your own less than rigorous coding standards and ANY script should assume responsibility for its environment including umask if it is ever expected to run in a non-interactive, non-local environment.
If it ain't broke, I can fix that.
rab_2
Occasional Advisor

Re: User's default permission in HP-UX B.11.23 U ia64 box

Unfortunately putting
umask 111 in /etc/default/security file did not help. Although the man page for rexecd and remshd both are referring to same /etc/default/security file.

To put the problem in short,
The rexec/remsh command is creating file
with -rw------- permission in HP-UX B.11.23 U ia64 box. Whereas we want the created file permission to be -rw-rw-rw-
However, HP-UX B.11.11 U 9000/800 boxes are all good.



Any other tip I could try ?


Thanks
Rabi
rab_2
Occasional Advisor

Re: User's default permission in HP-UX B.11.23 U ia64 box

I added following line in
/etc/default/security file in HP-UX B.11.23 U ia64 Unix box.
umask 111
Just wondering if the machine needs to be restarted before this comes into effect ? or anything I missed or wrongly did ?

Because after adding umask 111 line in that file, it didn't work.

Any pointer will be highly appreciated.

Dennis Handly
Acclaimed Contributor

Re: User's default permission in HP-UX B.11.23 U ia64 box

Adding umask 111 is almost the same as umask 0, unless you are talking about directories and then those directories are near useless.

You should let commands/scripts that want to make things executable, do that.
Note this is typically only mkdir, ld and cp.

> I added following line in /etc/default/security file
> umask 111

security(4) says:
Noncomment lines are of the form, parameter=value.
And later: UMASK=default_umask

Unfortunately it says: Default value: UMASK=0

It does mention pam_unix(5) and/or pam_hpsec(5).
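
The two points made in the replies above, as an added example that is not part of any post in this thread: a lint for the `parameter=value` form quoted from security(4), and a check of the modes that umask 0, 111 and 027 actually produce for files and directories. The function names `lint_security` and `mode_under` are hypothetical, the sample file contents are constructed, and treating lines that start with `#` as comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread; sample contents below are constructed.

# lint_security FILE: report non-comment lines that are not parameter=value
# (the form quoted from security(4)) and the UMASK value if one is set.
# Assumption: comment lines start with '#'. Returns 1 if a line was flagged.
lint_security() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            if ($0 ~ /^UMASK=/) umask = substr($0, 7)
            next
        }
        { printf "line %d not in parameter=value form: %s\n", NR, $0; bad = 1 }
        END { print "UMASK=" (umask == "" ? "(not set)" : umask); exit bad + 0 }
    ' "$1"
}

# mode_under UMASK KIND: create a file (or a directory when KIND is "dir")
# in a scratch directory under the given umask and print its mode string.
mode_under() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$scratch/t"; else : > "$scratch/t"; fi
    )
    ls -ld "$scratch/t" | cut -c1-10
    chmod u+rwx "$scratch/t"; rm -rf "$scratch"
}

# Constructed samples: the line tried in the thread, then the documented form.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'umask 111' > "$sample"
lint_security "$sample"; echo "exit status: $?"
printf '%s\n' '# constructed sample' 'UMASK=027' > "$sample"
lint_security "$sample"; echo "exit status: $?"
for u in 0 111 027; do
    echo "umask $u: file $(mode_under "$u" file)  dir $(mode_under "$u" dir)"
done
rm -f "$sample"
```

Under umask 111 a new file comes out with the same mode as under umask 0, while a new directory loses its search bits; 027 gives owner read/write and group read-only files.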