It is the case that many NetView commands require root authority to
execute and no amount of playing with the permissions will alter that.
Some commands check the user's authority internally, just as they check to
see whether nvsecd is running and whether a security policy involving
nvsecd has been established.
They have to check internally or else they are not truly secure.
Some users have implemented a sudo user process to get around this, but
such action is not supported by Tivoli. If you can get it to work
satisfactorily, fine, but then you do so at your own risk and Support will
not assist you in getting it to work. The reason is that certain commands
can be used not only to compromise NetView but also the security of the
box it is on, and perhaps even other boxes in your network. In order to
avoid security problems which might result in CERT advisories, a decision
was made long ago to require that the NetView administrator have root
authority. It has always been thus.
My only concern in posting this is the issue of the message your non-root
user receives when attempting to issue ovstart/ovstop. My experience is
that the message, both on 6.0.3 and 7.1, and later, is
"<ovstart | ovstop> : must be run as super-user." This is the message I always get. If
you are getting anything else for ovstart/ovstop, then that sounds like a
message catalog problem. I haven't tried the variations of ovwperms.
Hope this helps in some small way to explain this.
James Shanks
Level 3 Support for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group
netview AT toddh DOT net (Todd H.)
04/16/2002 11:25 AM
Please respond to nv-l
To: "Haseneder, Martina" <martina.haseneder AT datev DOT de>
cc: nv-l AT lists.tivoli DOT com
Subject: Re: [nv-l] netmon- and ov-Commands Authorization
"Haseneder, Martina" <martina.haseneder AT datev DOT de> writes:
> --
>
> Hi there,
>
> I need to authorize a single User to execute the
> /usr/OV/bin/ovstop
> ovstart
> ovwperms
> The files themselves have execute for any user.
> Maybe the final button is in the nvsec_admin?
I'm not an expert on this by any stretch, but I think the issue is
that the daemons these commands interact with are very selective and
only want to work with "root".
> The other point is, that all non-root user get the message "netmon
> not running" although netmon IS running!
I've seen this too when I mistakenly try things as non root.
Hopefully others on the list will respond. I strongly suspect that
the answer will involve the program "sudo" aka "superuser do" -- a Unix
utility for allowing regular users to perform specific actions as the
superuser (root).
Best Regards,
--
Todd H.
http://www.toddh.net/
*NOTE*
This is not an Official Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)