nv-l

RE: [nv-l] Run NetView/6000 as non-root user

2002-09-04 07:07:07
Subject: RE: [nv-l] Run NetView/6000 as non-root user
From: James Shanks <jshanks AT us.ibm DOT com>
To: nv-l AT lists.tivoli DOT com
Date: Wed, 4 Sep 2002 07:07:07 -0400
It says all over the Admin Guide that you will need root authority to
perform certain tasks.
I will leave it to you to find them.  This is in keeping with the UNIX OS
security which requires you to be root to modify certain processes on the
box, snmpd for example, and NetView is an SNMP manager.

One good way to compromise your security is to allow a non-root user to
configure trapd.conf or to put rulesets in ESE.automation or
/usr/OV/conf/rulesets.  Then they can define an action which will execute
by a daemon with root authority when a trap is received. That allows the
savvy user to do whatever he or she wishes.

You can use sudo to protect the root password if you like, but changing
permissions on NetView files is not a supported operation, because we
cannot protect you if you do.  If you compromise the security of your
system by changing things that is not IBM/Tivoli's fault.

The politically correct thing to do is to understand that NetView is an
integrated extension of UNIX and that the NetView administrator is every
bit as important as the UNIX administrator.  The smart thing to do is to
make the UNIX admin and the NetView admin of the NetView box one and the
same person.  As Sun has been telling people for years, "The network is the
system."  In my opinion, it is time for all IT departments to recognize
that.


James Shanks
Level 3 Support  for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group


                                                                                
                        
                      Alek Barsky                                               
                        
                      <[email protected]            To:       nv-l AT lists.tivoli 
DOT com                          
                      rogers.com>              cc:                              
                        
                                               Subject:  RE: [nv-l] Run 
NetView/6000 as non-root user   
                      09/03/02 05:03 PM                                         
                        
                                                                                
                        
                                                                                
                        



There is a lot of the political pressure within organization to make it
happen.
It looks like it is "possible" to do without using "uid" 0,
however I am not sure what will be "hidden" application deficiencies?
What can potentially go broken if NetView is running as non-root user?
Thanks for the help.

Alek Barsky.


> -----Original Message-----
> From: Stephen Hochstetler [mailto:shochste AT us.ibm DOT com]
> Sent: Tuesday, September 03, 2002 4:38 PM
> To: Alek Barsky; nv-l AT lists.tivoli DOT com
> Subject: Re: [nv-l] Run NetView/6000 as non-root user
>
>
>
> Alek,
>
> There have been some previous discussions about this.  Check
> the archive
> for "root".
>
> The short answer is "no".   You would need to make the
> netview userid have
> uid of 0 for this to potentially work.
>
> Kind regards,
> Stephen Hochstetler              shochste AT us.ibm DOT com
> International Technical Support Organization  - Austin
> Office - 512-436-8564                      FAX - 512-436-9326
>
> ITSO redbooks at  http://www.redbooks.ibm.com
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe AT lists.tivoli DOT com
For additional commands, e-mail: nv-l-help AT lists.tivoli DOT com

*NOTE*
This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)






<Prev in Thread] Current Thread [Next in Thread>