Why doesn't this work!?!

Tim Medford
Valued Contributor

I've written a script to allow my oracle DBA to stop and start the spooler in the event I'm unavailable. He does not have the root password.

The script is extremely simple...it contains:

lpshut
sleep 5
lpsched

The script is owned by root and has the setuid bit on. The group is dba, which is the group the oracle account belongs to.

r_sr_x___ root dba 46 07/16/2003 bounce_sp

When the script is executed by the oracle user this message comes up:

/usr/sbin/lpshut: this command for use only by LP Administrators
/usr/sbin/lpsched: this command for use only by LP Administrators

Any ideas??
Thanks, Tim
9 REPLIES
melvyn burnard
Honored Contributor

Re: Why doesn't this work!?!

Why not just build him the capability using the Restricted SAM builder?
Use sam -r
This cuts out lots of issues like this.
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
Stuart Abramson_2
Honored Contributor

Re: Why doesn't this work!?!

I think it must be run as user "lp". Change ownership of your script from root to lp.

# whereis lpshut
lpshut: /usr/sbin/lpshut /usr/share/man/man1m.Z/lpshut.1m
# ll /usr/sbin/lpshut
-r-sr-xr-x 1 lp bin 20480 Jul 26 2002 /usr/sbin/lpshut
Pete Randall
Outstanding Contributor

Re: Why doesn't this work!?!

Tim,

Facing a similar situation, I set up restricted SAM to allow my operators to manage print queues. It might be an option in your case and a little more secure than having setuid scripts hanging about.


Pete
Michael Kelly_5
Valued Contributor

Re: Why doesn't this work!?!

Tim,
I'm not absolutely certain but I suspect that the lpshut/lpsched programs can only be run by the 'lp' user or by root.
Have you considered using sudo as a way around this?

HTH,
Michael.
The nice thing about computers is that they do exactly what you tell them. The problem with computers is that they do EXACTLY what you tell them.
Brian DelPizzo
Frequent Advisor

Re: Why doesn't this work!?!

I have used Sudo to grant this option to my Operators and certain admins for years. It works great. Also be sure to fully qualify the commands in your script. A user could modify their path and call a local file called lpshut as root.
Francesco Campalastri
Frequent Advisor

Re: Why doesn't this work!?!

I think, I'm not sure, that you can't give setuid bit to a shell script.

The script will not will run with the setuid but the single script child not.

You could write a similar C source, compile it and give setuid to the executable. It should work.



Again, these are only suggestions, I am not sure about the setuid mechanism.
Ollie R
Respected Contributor

Re: Why doesn't this work!?!

Hi Tim,

Further to Francesco's response above, the setuid script will run as EUID (effective uid) of root. This is not enough permissions to run the lp* commands.

As the other suggestions state, consider using "sudo" or "sam" to achieve your aims.

Ollie.
To err is human but to not award points is unforgivable
Tim D Fulford
Honored Contributor
Solution

Re: Why doesn't this work!?!

Hi

You HAVE to run set UIDs to root through a C program "wrapper". There are loads listed on the forum

e.g. Darrel's comment
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xeb5a1012aa92d5118ff10090279cd0f9,00.html

I've attached his prog

Regards

Tim
-
Tim D Fulford
Honored Contributor

Re: Why doesn't this work!?!

try again...
-
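
The C wrapper approach from the accepted reply, combined with the advice above to fully qualify the commands, as an added example: this is not Darrel's attached program (which is not reproduced on this page) and not code from any poster. It assumes the compiled binary is installed owned by root, setuid, and executable only by group dba; the `run_step` helper and the environment values are illustrative choices.

```c
/* bounce_sp.c: added example of a setuid-root wrapper, not Darrel's program. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run one program by absolute path with a small constructed environment.
 * Returns its exit status, 127 if exec failed, -1 on any other failure. */
int run_step(const char *path)
{
    /* Illustrative values: the caller's PATH, IFS, etc. are discarded. */
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin", "IFS= \t\n", NULL };
    char *const argv[] = { (char *)path, NULL };
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')
        return -1;                      /* never fall back to a PATH search */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                     /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* With an effective UID of root, setuid(0) also sets the real and saved
     * UIDs, so the child commands see root as the real user too (the point
     * raised in the thread about EUID alone). */
    if (setuid(0) != 0) {
        perror("bounce_sp: setuid(0) failed (is the binary setuid root?)");
        return 1;
    }
    if (run_step("/usr/sbin/lpshut") != 0)
        fprintf(stderr, "bounce_sp: lpshut did not exit cleanly\n");
    sleep(5);
    return run_step("/usr/sbin/lpsched") == 0 ? 0 : 1;
}
```

The wrapper takes no arguments and passes none on, so the caller cannot influence which programs run or how.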