RE: [NV-L] Running Netview as with limited root access.
2007-02-08 15:22:25
The repercussions are that if non-root users can configure traps, then you have given them root access through the back door. Take any command you want, configure "Node Up" to execute it as a command for automatic action. Then execute "event -h test1" and your command will be executed by ovactiond with root authority. It's just that simple. There is a reason why we recommend that the NetView administrator have root authority and lock down everything so that only root can use it.

The decision not to give the NetView administrator root authority is a political one and, in my opinion, an unnecessary burden on all concerned.

James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp
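
The exposure described in the reply above comes down to who can write the trap configuration, so one defensive check is to confirm that such a file, and every directory above it up to /usr/OV, is owned by root and not group- or world-writable. The script below is an added example, not part of the original thread or of NetView; the function names, the `TRUSTED_UID` variable and the finding labels are assumptions, and the caller supplies the file to audit.

```shell
#!/bin/sh
# Added example (not from the thread): audit a NetView config file and its
# parent directories for write access by anyone other than the trusted owner.
# TRUSTED_UID is an assumed knob; 0 means only root may own audited paths.
TRUSTED_UID="${TRUSTED_UID:-0}"

# check_one PATH: print findings and return 1 if PATH is owned by another
# uid, is a symlink, or is group/world-writable; return 0 if locked down.
check_one() {
    path=$1
    # ls -ldn prints "mode links uid gid ..." with numeric ids.
    info=$(ls -ldn -- "$path") || { echo "MISSING $path"; return 1; }
    mode=${info%% *}
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    rc=0
    [ "$uid" = "$TRUSTED_UID" ] || { echo "OWNER uid=$uid $path"; rc=1; }
    # A symlink's own mode bits say nothing about its target.
    case $mode in l*) echo "SYMLINK $path (audit its target)"; return 1 ;; esac
    case $mode in ?????w*) echo "GROUP-WRITABLE $path"; rc=1 ;; esac
    case $mode in ????????w*) echo "WORLD-WRITABLE $path"; rc=1 ;; esac
    return $rc
}

# audit_chain BASE FILE: check FILE and each directory from its parent up to
# BASE. Directories matter because write access to a directory lets a user
# replace a file inside it even when the file itself is read-only.
# Returns 0 if clean, 1 on any finding, 2 if FILE is not under BASE.
audit_chain() {
    base=${1%/} p=$2 bad=0
    case $p in "$base"/*) ;; *) echo "OUTSIDE $p"; return 2 ;; esac
    while :; do
        check_one "$p" || bad=1
        [ "$p" = "$base" ] && break
        p=${p%/*}
    done
    return $bad
}

# Usage (run as root so every path is readable):
#   audit_chain /usr/OV <full path to trapd.conf>
```

The same call can be repeated for each file whose contents end up being executed or loaded by a root-owned daemon.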

"Sean Lawrence" <Sean.Lawrence AT cantire DOT com>
Sent by: nv-l-bounces AT lists.ca.ibm DOT com
02/08/2007 11:43 AM
Please respond to: Tivoli NetView Discussions <nv-l AT lists.ca.ibm DOT com>
To: "Tivoli NetView Discussions" <nv-l AT lists.ca.ibm DOT com>
cc:
Subject: RE: [NV-L] Running Netview as with limited root access.

I was able to open the permissions on the trapd.conf and the mib2trap utility and that allowed me to add traps and configure them in nv6000. I just don’t know what the repercussions of that are.

Sean Lawrence
Systems Automation Technical Specialist
905-790-5728

From: nv-l-bounces AT lists.ca.ibm DOT com [mailto:nv-l-bounces AT lists.ca.ibm DOT com] On Behalf Of Kain, Becki (B.)
Sent: February 8, 2007 10:49 AM
To: Tivoli NetView Discussions
Subject: RE: [NV-L] Running Netview as with limited root access.
we do this now. we rely on the tivoli framework to give up access, when we need root. you will NOT be able to add mibs, as far as I can tell, nor add traps, with sudo. you get a memory fault when you try that.

good luck

From: nv-l-bounces AT lists.ca.ibm DOT com
[mailto:nv-l-bounces AT lists.ca.ibm DOT com] On Behalf Of Sean Lawrence
Sent: Thursday, February 08, 2007 10:22 AM
To: Tivoli NetView Discussions
Subject: [NV-L] Running Netview as with limited root access.
Our group here does not have root access to our Netview installation.
We have discussed options with our AIX sysadmin.
We can define sudo rights to start/stop Netview.
I have identified the following commands we need sudo for:
ovstart
ovstop
netnmrc
nv6000
We would like to change group ownership to the /usr/OV directory so that our regular users can modify config files.
Has anyone done this?
Is there any danger in modifying group permissions on /usr/OV?
Are there any other executable files I should add to the sudo list?

Sean Lawrence
Systems Automation Technical Specialist
905-790-5728
_______________________________________________
NV-L mailing list
NV-L AT lists.ca.ibm DOT com
Unsubscribe:NV-L-leave AT lists.ca.ibm DOT com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to
internal IBM'ers only)