nv-l

Re: [nv-l] netmon- and ov-Commands Authorization

2002-04-16 12:19:16
Subject: Re: [nv-l] netmon- and ov-Commands Authorization
From: "James Shanks" <jshanks AT us.ibm DOT com>
To: nv-l AT lists.tivoli DOT com
Date: Tue, 16 Apr 2002 12:19:16 -0400
It is the case that many NetView commands require root authority to 
execute and no amount of playing with the permissions will alter that. 
Some commands check the user's authority internally, just as they check to 
see whether nvsecd is running and whether a security policy involving 
nvsecd has been established. 
They have to check internally or else they are not truly secure.

Some users have implemented a sudo user process to get around this, but 
such action is not supported by Tivoli.  If you can get it to work 
satisfactorily, fine, but then you do so at your own risk and Support will 
not assist you in getting it to work.  The reason is that certain commands 
can be used not only to compromise NetView but also the security of the 
box it is on, and perhaps even other boxes in your network.  In order to 
avoid security problems which might result in CERT advisories, a decision 
was made long ago to require that the NetView administrator have root 
authority.  It has always been thus.

My only concern in posting this is the issue of the message your non-root 
user receives when attempting to issue ovstart/ovstop.  My experience is 
that the message, both on 6.0.3 and 7.1, and later, is 
"<ovstart | ovstop>: must be run as super-user."  This is the message I 
always get.  If you are getting anything else for ovstart/ovstop, then that 
sounds like a message catalog problem.  I haven't tried the variations of 
ovwperms. 

Hope this helps in some small way to explain this.

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group
 





netview AT toddh DOT net (Todd H.)
04/16/2002 11:25 AM
Please respond to nv-l

 
        To:     "Haseneder, Martina" <martina.haseneder AT datev DOT de>
        cc:     nv-l AT lists.tivoli DOT com
        Subject:        Re: [nv-l] netmon- and ov-Commands Authorization

 

"Haseneder, Martina" <martina.haseneder AT datev DOT de> writes:
> -- 
> 
>       Hi there,
> 
> I need to authorize a single User to execute the 
> /usr/OV/bin/ovstop
>             ovstart
>             ovwperms
> The files themselves have execute for any user.
> Maybe the final button is in the nvsec_admin?

I'm not an expert on this by any stretch, but I think the issue is
that the daemons these commands interact with are very selective and
only want to work with "root".

> The other point is that all non-root users get the message "netmon
> not running" although netmon IS running! 

I've seen this too when I mistakenly try things as non root. 

Hopefully others on the list will respond.  I strongly suspect that
the answer will involve the program "sudo" aka "superuser do"-- a unix
utility for allowing regular users to perform specific actions as the
superuser (root).

Best Regards, 
-- 
Todd H.
http://www.toddh.net/
