sudo will not work on some *nix'es because the ability to bring in
libraries is turned off for security reasons. Had Netview been compiled
as static, and not dynamic, this would not be an issue.
Netcool, afaik, does not require root. Is IBM going to change it so
that it will, based on your second paragraph?
________________________________
From: nv-l-bounces AT lists.ca.ibm DOT com
[mailto:nv-l-bounces AT lists.ca.ibm DOT com] On Behalf Of James Shanks
Sent: Monday, May 14, 2007 9:36 AM
To: Tivoli NetView Discussions
Subject: RE: [NV-L] Root access
Perhaps addtrap does core under some conditions under sudo, though
offhand I don't know why that should be. addtrap is looking for a uid of
0 and will exit if that's not the user id of the user who invoked it. I
don't know whether sudo on Linux provides a uid of zero or not. Really I
have no idea how sudo actually works.
I have no suggestions for how to avoid using root, but I think this
issue stems largely from the fact that most UNIX admins are ignorant of
the power of NetView. If you let a non-root user configure traps in
NetView, then you have given him or her complete authority to do
anything they like. All you have to do is configure trapd.conf, with
addtrap or xnmtrap or even vi if you know what you are doing, to execute
any script you write or any command you like for the Node Up trap and
then issue "event" from the command line. The default event is "Node Up"
and when trapd gets it, he will dutifully issue that command, and since
he has root authority, he becomes the slave of whomever has the power to
configure him. So addtrap is a powerful tool that will let whomever has
the authority to use it, alter the system in any way they like. This
should not be news to any experienced NetView admin, and has been posted
in this forum before.
Warning! Personal opinion follows. <soapbox >
The decision not to give the NetView admin root access is purely
political; it has no technical basis. It just a matter of corporate turf
wars, "You aren't in our group so you can't have access." IBM's
position, so far as I know, still remains that the NetView administrator
should be the UNIX admin for the NetView box, and that companies should
align their political boundaries with what works not with some arbitrary
org chart.
</soapbox off>
James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp
"Kain, Becki \(B.\)" <bkain1 AT ford DOT com>
"Kain, Becki \(B.\)" <bkain1 AT ford DOT com>
Sent by: nv-l-bounces AT lists.ca.ibm DOT com
05/14/2007 09:05 AM
Please respond to
Tivoli NetView Discussions <nv-l AT lists.ca.ibm DOT com>
To
"Tivoli NetView Discussions" <nv-l AT lists.ca.ibm DOT com>
cc
Subject
RE: [NV-L] Root access
Yes, but in my experiences, sudo does not work for all commands
(addtrap, for one, core dumps on it)
________________________________
From: nv-l-bounces AT lists.ca.ibm DOT com [
mailto:nv-l-bounces AT lists.ca.ibm DOT com] On Behalf Of Evans, Bill
Sent: Friday, May 11, 2007 5:02 PM
To: Tivoli NetView Discussions
Subject: RE: [NV-L] Root access
I don't think there is a technical explanation or a problem. It's just
some fuzzy wording left over from long ago when only "root" had "root"
authority. It's been a couple months since we put a test instance of NV
7.1.5 in place on RH 4 and my memory may not be working well, but as I
remember it ...
The character string "root" is meaningless. The authority is the key. I
log into the system where NetView will reside with my normal user
connection then so a SUDO to get administrator (root) authority, change
directory to where I've copied my media from the disks (
/usr/NV_media/NV-Base-715/BASE_CD/NetView) and proceed to issue the
"./instalnv -k SERVER [-u] [-q]" command.
"Real soon now" we'll be putting 7.1.5 into production. It's been
working well on the test machine. Our system support group is busily
removing unused packages and tying up security threads on the RH 4
install so we can proceed.
Bill Evans
________________________________
From: nv-l-bounces AT lists.ca.ibm DOT com [
mailto:nv-l-bounces AT lists.ca.ibm DOT com] On Behalf Of REAMD AT nationwide
DOT com
Sent: Friday, May 11, 2007 10:08 AM
To: Tivoli NetView Discussions
Subject: [NV-L] Root access
Hi All,
Can someone please provide me a technical explanation as to why you need
to be logged on as 'root' to install Netview? I currently have a new
Solaris 10 box that Im going to load Netview 7.1.5 on and my Unix team
does not want to give me the root password. They have given me 'sudo
root' and with sudo you already have the same level of access as the
Unix Systems Administrators and can grab a root shell as needed. The
only location the root user can log into a server is on the serial
console. Ssh into the server as root and running the su command will not
work per the ITRM Unix security template.
Thanks, Dave _______________________________________________
NV-L mailing list
NV-L AT lists.ca.ibm DOT com
Unsubscribe:NV-L-leave AT lists.ca.ibm DOT com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to
internal IBM'ers only)
_______________________________________________
NV-L mailing list
NV-L AT lists.ca.ibm DOT com
Unsubscribe:NV-L-leave AT lists.ca.ibm DOT com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to
internal IBM'ers only)
|
