RE: [NV-L] Root access
2007-05-14 10:10:02
The Precision product and its pre-reqs and co-reqs
generally require root for installation and configuration. However, they
can be configured to run (mostly) as a non-root account, and can then be
administered (stopped/started, etc.) by a non-root account. Certain changes
that involve the operating system would of course need to be made by root,
but generally speaking, the files can be owned by the non-root account.
This is understood by development to be a good thing, and changing
it has not been in any of the futures that I have seen.
Changing NetView, on the other hand, while
it was understood to be a good thing, was never feasible since the product
had been designed to be run that way from day one.
Cordially,
Leslie A. Clark
IT Services Specialist, Network Mgmt
Information Technology Services Americas
IBM Global Services
(248) 552-4968 Voicemail, Fax, Pager
"Kain, Becki (B.)" <bkain1 AT ford DOT com>
Sent by: nv-l-bounces AT lists.ca.ibm DOT com
05/14/2007 09:48 AM
Please respond to: Tivoli NetView Discussions <nv-l AT lists.ca.ibm DOT com>
To: "Tivoli NetView Discussions" <nv-l AT lists.ca.ibm DOT com>
cc:
Subject: RE: [NV-L] Root access
sudo will not work on some *nixes
because the ability to bring in libraries is turned off for security reasons.
Had NetView been compiled as static, and not dynamic, this would
not be an issue.
Netcool, afaik, does not require
root. Is IBM going to change it so that it will, based on your second
paragraph?
From: nv-l-bounces AT lists.ca.ibm DOT com
[mailto:nv-l-bounces AT lists.ca.ibm DOT com] On Behalf Of James Shanks
Sent: Monday, May 14, 2007 9:36 AM
To: Tivoli NetView Discussions
Subject: RE: [NV-L] Root access
Perhaps addtrap does core under some conditions under sudo,
though offhand I don't know why that should be. addtrap is looking for
a uid of 0 and will exit if that's not the user id of the user who invoked
it. I don't know whether sudo on Linux provides a uid of zero or not. Really
I have no idea how sudo actually works.
I have no suggestions for how to avoid using root, but I think this issue
stems largely from the fact that most UNIX admins are ignorant of the power
of NetView. If you let a non-root user configure traps in NetView, then
you have given him or her complete authority to do anything they like.
All you have to do is configure trapd.conf, with addtrap or xnmtrap or
even vi if you know what you are doing, to execute any script you write
or any command you like for the Node Up trap and then issue "event"
from the command line. The default event is "Node Up" and when
trapd gets it, he will dutifully issue that command, and since he has root
authority, he becomes the slave of whoever has the power to configure
him. So addtrap is a powerful tool that will let whoever has the authority
to use it alter the system in any way they like. This should not be news
to any experienced NetView admin, and has been posted in this forum before.
Warning! Personal opinion follows. <soapbox >
The decision not to give the NetView admin root access is purely political;
it has no technical basis. It's just a matter of corporate turf wars: "You
aren't in our group so you can't have access." IBM's position, so
far as I know, still remains that the NetView administrator should be the
UNIX admin for the NetView box, and that companies should align their political
boundaries with what works, not with some arbitrary org chart.
</soapbox off>
James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp
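The point James makes above is that whoever can write trapd.conf decides what a root-owned trapd will execute. The audit helper below is an added example written from the defender's side; it is not NetView's tooling and was not posted by anyone in this thread. It assumes a simplified trapd.conf layout (an event header line of the form `NAME {enterprise-oid} generic specific ...` followed, optionally, by an `EXEC <command>` line that belongs to the most recent header); the sample configuration, the `/tmp/anything_i_like.sh` command and the `$A` argument are constructed for the demo. The report lists every configured EXEC action for review and flags the file when its owner is not root or it is group/world writable, which is exactly the condition that turns "may edit trapd.conf" into "may run commands as root".

```python
"""Audit EXEC actions in a NetView-style trapd.conf and who may edit the file.

Added example, not NetView's own code. The config layout (header line plus
an EXEC line attached to the most recent header) is an assumption.
"""
import os
import re
import stat
import tempfile

# Constructed sample (not a real NetView file). The last entry reproduces the
# situation described in the thread: an EXEC attached to the Node Up event.
SAMPLE_CONF = """\
# trapd.conf (constructed sample)
IBM_NVNDWN {1.3.6.1.4.1.2.6.3.1} 6 58916866 N 0 1 "Status Events"
Node Down.
IBM_NVNUP {1.3.6.1.4.1.2.6.3.1} 6 58916865 N 0 1 "Status Events"
Node Up.
EXEC /tmp/anything_i_like.sh $A
"""

# Event header: name, enterprise OID in braces, generic and specific trap numbers.
HEADER_RE = re.compile(r'^(\S+)\s+\{[\d.]+\}\s+\d+\s+\d+\b')


def parse_exec_actions(text):
    """Return [(event_name, command), ...] for every EXEC line in the config."""
    actions = []
    current = None                      # name of the most recent event header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith('EXEC ') and current is not None:
            actions.append((current, line[len('EXEC '):].strip()))
    return actions


def writable_by_non_root(path):
    """True if a non-root uid owns the file or it is group/world writable.

    Either condition lets someone other than root choose what trapd runs.
    """
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_trapd_conf(path):
    """Return a small report: configured EXEC actions plus the file's exposure."""
    with open(path) as fh:
        actions = parse_exec_actions(fh.read())
    exposed = writable_by_non_root(path)
    findings = [f'EXEC on event {name}: {cmd}' for name, cmd in actions]
    if exposed:
        findings.append(f'{path} can be modified by a non-root user; '
                        'any EXEC they add runs with trapd\'s authority')
    return {'path': path, 'exec_actions': actions,
            'writable_by_non_root': exposed, 'findings': findings}


def demo():
    """Write the constructed sample to a temp file with lax permissions and audit it."""
    fd, path = tempfile.mkstemp(prefix='trapd_', suffix='.conf')
    with os.fdopen(fd, 'w') as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, 0o666)       # deliberately group/world writable for the demo
    try:
        return audit_trapd_conf(path)
    finally:
        os.unlink(path)


if __name__ == '__main__':
    for finding in demo()['findings']:
        print(finding)
```

Run against a real trapd.conf, the two things to act on are the EXEC list (review each command and the permissions of the script it names) and the writability flag; the first is what the thread describes an authorised trap configurator being able to abuse, the second is the check that tells you whether anyone unauthorised could do the same.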
"Kain, Becki (B.)" <bkain1 AT ford DOT com>
Sent by: nv-l-bounces AT lists.ca.ibm DOT com
05/14/2007 09:05 AM
Please respond to: Tivoli NetView Discussions <nv-l AT lists.ca.ibm DOT com>
Yes, but in my experiences, sudo does not work for all commands (addtrap,
for one, core dumps on it)
From: nv-l-bounces AT lists.ca.ibm DOT com
[mailto:nv-l-bounces AT lists.ca.ibm DOT com]
On Behalf Of Evans, Bill
Sent: Friday, May 11, 2007 5:02 PM
To: Tivoli NetView Discussions
Subject: RE: [NV-L] Root access
I don't think there is a technical explanation or a problem. It's just
some fuzzy wording left over from long ago when only "root" had
"root" authority. It's been a couple months since we put a test
instance of NV 7.1.5 in place on RH 4 and my memory may not be working
well, but as I remember it ...
The character string "root" is meaningless. The authority is
the key. I log into the system where NetView will reside with my normal
user connection, then do a SUDO to get administrator (root) authority, change
directory to where I've copied my media from the disks ( /usr/NV_media/NV-Base-715/BASE_CD/NetView)
and proceed to issue the "./instalnv -k SERVER [-u] [-q]" command.
"Real soon now" we'll be putting 7.1.5 into production. It's
been working well on the test machine. Our system support group is busily
removing unused packages and tying up security threads on the RH 4 install
so we can proceed.
Bill Evans
From: nv-l-bounces AT lists.ca.ibm DOT com
[mailto:nv-l-bounces AT lists.ca.ibm DOT com]
On Behalf Of REAMD AT nationwide DOT com
Sent: Friday, May 11, 2007 10:08 AM
To: Tivoli NetView Discussions
Subject: [NV-L] Root access
Hi All,
Can someone please provide me a technical explanation as to why you need
to be logged on as 'root' to install NetView? I currently have a new Solaris
10 box that I'm going to load NetView 7.1.5 on and my Unix team does not
want to give me the root password. They have given me 'sudo root' and with
sudo you already have the same level of access as the Unix Systems Administrators
and can grab a root shell as needed. The only location the root user can
log into a server is on the serial console. Ssh into the server as root
and running the su command will not work per the ITRM Unix security template.
Thanks, Dave
_______________________________________________
NV-L mailing list
NV-L AT lists.ca.ibm DOT com
Unsubscribe: NV-L-leave AT lists.ca.ibm DOT com
http://lists.ca.ibm.com/mailman/listinfo/nv-l
(Browser access limited to internal IBM'ers only)