Operating System - HP-UX

Users requesting access to ID www or group other for Tomcat

 
SOLVED
Jason Fedynak
Advisor


I have a couple of users requesting access to either user 'www' or to be added to the group 'other' so they can configure the Tomcat application for use with various software packages (i.e. TOPIC). What, if any, are the best practices for allowing them to configure files within Tomcat without opening the system up? Would allowing them access to user ID www only through 'su - www' be OK? If so, how would you configure the ID so you could only su to the ID www?

Thanks...
Expert: In asking questions.
5 REPLIES
Sundar_7
Honored Contributor

Re: Users requesting access to ID www or group other for Tomcat

What is the version of HP-UX? If 11i or 11.0 with JFS version 3.5, you can add ACL entries such that the users who are requesting access can be granted permissions to the files owned by "www". This way the users don't even have to know the password.

A user can su to other accounts only if the user knows the password for the account.

If I understand your question correctly, as long as the user has the password for only user "www", the user cannot su to any other account.
Learn What to do ,How to do and more importantly When to do ?
Geoff Wild
Honored Contributor

Re: Users requesting access to ID www or group other for Tomcat

If www isn't used anywhere else, then sure - give them su capability...but, what about the group other? If used elsewhere, you may want to re-install Apache/Tomcat to be in its own unique group.

Never allow a generic/application ID to log in directly.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Users requesting access to ID www or group other for Tomcat

The problem with giving the users www user access is that if www owns the webserver, they could change permissions on that, opening up security and operational vulnerabilities.

If faced with this request I would find out what the customization they want to do is, exactly what it was, and see if systems administration could do it.

I don't think the profile on user www is set up to allow for interactive use. Check the shell in /etc/passwd.

I'd think you need to create a special user for this with the normal shell and make it part of group other.

I would not want to do this as su - www.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jeff Schussele
Honored Contributor
Solution

Re: Users requesting access to ID www or group other for Tomcat

Hi Jason,

This is a classic example of the need for and best use of sudo.
Find out the exact commands they need to run - full path - full syntax & configure sudo to run those commands *only*. You can give them either www user or other group permissions. But *all* they'll be able to run is those commands listed in the sudoers file.

If you don't have it you can get it here:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

And if even that makes you nervous - you can just remove the ability when they're done by removing the config from the sudoers file.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
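
An added example, not part of the original thread or of the post above: a sudoers fragment of the kind that answer describes, with the over-broad rule shown beside the restricted one. The user names, alias names and `/opt/tomcat` paths are placeholders, since the thread does not give the real ones.

```sudoers
# Constructed example: user names, alias names and /opt/tomcat paths are
# placeholders, not taken from the thread. Edit this file with visudo.

User_Alias   TOMCAT_ADMINS = jdoe, asmith
Runas_Alias  WEBUSER       = www

# Too broad: any command as www, including an interactive shell.
# TOMCAT_ADMINS ALL = (WEBUSER) ALL

# Narrow: full paths only; "" means no arguments are accepted.
Cmnd_Alias   TOMCAT_CTL = /opt/tomcat/bin/startup.sh "", \
                          /opt/tomcat/bin/shutdown.sh ""

TOMCAT_ADMINS ALL = (WEBUSER) TOMCAT_CTL

# Invoked by the users as:
#   sudo -u www /opt/tomcat/bin/startup.sh
# The listed scripts should not be writable by www or by the users,
# otherwise the restriction can be edited away.
```

Deleting the `TOMCAT_ADMINS ALL = ...` line withdraws the access again.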
Sundar_7
Honored Contributor

Re: Users requesting access to ID www or group other for Tomcat

The ability to successfully use SUDO here to restrict access also depends on how the users are going to modify (or configure) files.

If the users are going to be editing files using some kind of an editor (say vi), it would be impractical to list all the files they are going to edit in the allowed list of SUDO commands.

Learn What to do ,How to do and more importantly When to do ?