Re: dsmc sched as another user

2002-06-22 Thread Don France

You are right, ksh script won't work -- BUT a compiled C program does work,
with SUID.

Don France
Technical Architect -- Tivoli Certified Consultant
San Jose, Ca
(408) 257-3037
mailto:[EMAIL PROTECTED]

Professional Association of Contract Employees
(P.A.C.E. -- www.pacepros.com)



-Original Message-
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]]On Behalf Of
Gerald Wichmann
Sent: Thursday, May 16, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subject: Re: dsmc sched as another user


Ya good point and I thought of that. Fortunately it's not a big issue here.
The later suggestion about creating a program and setting SUID doesn't work.
At least not a ksh script..That was the first thing I tried. So far only
sudo works..

Regards,

Gerald Wichmann
Senior Systems Development Engineer
Zantaz, Inc.
925.598.3099 (w)

-Original Message-
From: Thomas Denier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 8:34 AM
To: [EMAIL PROTECTED]
Subject: Re: dsmc sched as another user

> Try using sudo.
> You can allow your non-root user to execute only the dsmc command as root.

I think this would allow the non-root user to execute dsmc as root with
any operands, not just the 'sched' operand. This would be a serious
security exposure. The non-root user could replace any file on the system
with a copy of a different file or with an older version of the same file.
If the non-root user had root permission on any other Unix client system
the user could back up an arbitrary file there and restore it on the
system where he or she was a non-root user.

As far as I know, the only really safe way to do this is to write a
program specifically to start the scheduler and make that program
root owned, SUID, and executable by the user who needs to start the
scheduler. Many Unix systems even today have a bug that makes SUID
scripts dangerous. Unless you are certain that this bug is fixed on
your system you will need to write the program in C or some other
compiled language.



Re: dsmc sched as another user

2002-05-22 Thread Eduardo Martinez

Hello,

You can use sudo to grant root access to the dsmc command to any user
you define, or I think you can use the Users directive on the dsmc.sys
file and put there all the users you allow to execute the command.



=
"Do or Do Not, there is no try"
-Yoda. The Empire Strikes Back




Re: dsmc sched as another user

2002-05-16 Thread Gerald Wichmann

Ya good point and I thought of that. Fortunately it's not a big issue here.
The later suggestion about creating a program and setting SUID doesn't work.
At least not a ksh script..That was the first thing I tried. So far only
sudo works..

Regards,

Gerald Wichmann
Senior Systems Development Engineer
Zantaz, Inc.
925.598.3099 (w)

-Original Message-
From: Thomas Denier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 8:34 AM
To: [EMAIL PROTECTED]
Subject: Re: dsmc sched as another user

> Try using sudo.
> You can allow your non-root user to execute only the dsmc command as root.

I think this would allow the non-root user to execute dsmc as root with
any operands, not just the 'sched' operand. This would be a serious
security exposure. The non-root user could replace any file on the system
with a copy of a different file or with an older version of the same file.
If the non-root user had root permission on any other Unix client system
the user could back up an arbitrary file there and restore it on the
system where he or she was a non-root user.

As far as I know, the only really safe way to do this is to write a
program specifically to start the scheduler and make that program
root owned, SUID, and executable by the user who needs to start the
scheduler. Many Unix systems even today have a bug that makes SUID
scripts dangerous. Unless you are certain that this bug is fixed on
your system you will need to write the program in C or some other
compiled language.



Re: dsmc sched as another user

2002-05-16 Thread Gerald Wichmann

Hmm good catch but it doesn't work.. I believe that's only for normal TSM
dsmc client operations (i.e. backup/restore). If you don't specify that
parameter the default behavior is all users can use TSM services. So by
adding a name theoretically you limit who can use TSM services..

The problem with starting the TSM scheduler still fails even with the user
id in there..

So far the only thing that's worked is sudo but as someone else pointed out,
that's a security risk as it allows that user to then restore any file owned
by root. Fortunately in our case that's not much of an issue as there are no
normal users on this server nor is it accessible by anyone other than
operations.

Regards,

Gerald Wichmann
Senior Systems Development Engineer
Zantaz, Inc.
925.598.3099 (w)

-Original Message-
From: Prather, Wanda [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 8:36 AM
To: [EMAIL PROTECTED]
Subject: Re: dsmc sched as another user

I've never tried this on a LINUX client, but
try putting the USERS option in the dsm.sys file:

USERS   myname  yourname  etc

For *X clients, USERS specifies who (besides root) can execute dsm or dsmc.
It's documented in the "Using the UNIX clients" book.

-Original Message-
From: Gerald Wichmann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 9:14 PM
To: [EMAIL PROTECTED]
Subject: dsmc sched as another user


On linux when starting the dsmc sched process you need to be root. Otherwise
it says "ANS1817E Schedule function can only be run by a TSM authorized
user."

I'm trying to write a script that gets run by a non-root user to start the
scheduler. Is it possible to get around this limitation somehow? I've tried
chmod 4755 on dsmc and even that won't work. Looking up ANS1817E in the
messages guide doesn't yield any useful information either.

Regards,

Gerald Wichmann
Senior Systems Development Engineer
Zantaz, Inc.
925.598.3099 (w)



Re: dsmc sched as another user

2002-05-16 Thread Prather, Wanda

I've never tried this on a LINUX client, but
try putting the USERS option in the dsm.sys file:

USERS   myname  yourname  etc

For *X clients, USERS specifies who (besides root) can execute dsm or dsmc.
It's documented in the "Using the UNIX clients" book.

-Original Message-
From: Gerald Wichmann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 9:14 PM
To: [EMAIL PROTECTED]
Subject: dsmc sched as another user


On linux when starting the dsmc sched process you need to be root. Otherwise
it says "ANS1817E Schedule function can only be run by a TSM authorized
user."

I'm trying to write a script that gets run by a non-root user to start the
scheduler. Is it possible to get around this limitation somehow? I've tried
chmod 4755 on dsmc and even that won't work. Looking up ANS1817E in the
messages guide doesn't yield any useful information either.

Regards,

Gerald Wichmann
Senior Systems Development Engineer
Zantaz, Inc.
925.598.3099 (w)



Re: dsmc sched as another user

2002-05-16 Thread Thomas Denier

> Try using sudo.
> You can allow your non-root user to execute only the dsmc command as root.

I think this would allow the non-root user to execute dsmc as root with
any operands, not just the 'sched' operand. This would be a serious
security exposure. The non-root user could replace any file on the system
with a copy of a different file or with an older version of the same file.
If the non-root user had root permission on any other Unix client system
the user could back up an arbitrary file there and restore it on the
system where he or she was a non-root user.

As far as I know, the only really safe way to do this is to write a
program specifically to start the scheduler and make that program
root owned, SUID, and executable by the user who needs to start the
scheduler. Many Unix systems even today have a bug that makes SUID
scripts dangerous. Unless you are certain that this bug is fixed on
your system you will need to write the program in C or some other
compiled language.
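
A single-purpose SUID program of the kind described in the message above, as an added example (not code from this thread or from Tivoli). The dsmc install path and the environment values are assumptions; the operand is fixed at `sched` and nothing from the caller's command line or environment reaches dsmc.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: client install path; the thread does not give one. */
#define DSMC_PATH "/opt/tivoli/tsm/client/ba/bin/dsmc"

/* Fixed argument vector: the caller never chooses the dsmc operand. */
static char *const fixed_argv[] = { "dsmc", "sched", NULL };

/* Fixed environment (assumed values): nothing is inherited from the
 * caller, so PATH, IFS, LD_* and similar variables cannot steer dsmc. */
static char *const fixed_envp[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Accept only an invocation with no operands at all. */
int operands_ok(int argc) { return argc == 1; }

/* The one operand this wrapper will ever pass to dsmc. */
const char *wrapper_operand(void) { return fixed_argv[1]; }

/* Return 1 if some entry of envp starts with prefix, else 0. */
int env_has(char *const envp[], const char *prefix)
{
    size_t n = strlen(prefix);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, prefix, n) == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argv;
    if (!operands_ok(argc)) {
        fprintf(stderr, "this wrapper takes no arguments\n");
        return 2;
    }
    /* Running SUID root gives effective uid 0; setting the real ids too is
     * an assumption about what dsmc checks. Fail closed if either call fails. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    execve(DSMC_PATH, fixed_argv, fixed_envp);
    perror("execve");           /* reached only if execve failed */
    return 1;
}
```

Install the binary root-owned with mode 4750 and its group set to the operators who may start the scheduler, so that only they can execute it and no one but root can replace it.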



Re: dsmc sched as another user

2002-05-15 Thread Eduardo Martinez

Try using sudo.
You can allow your non-root user to execute only the dsmc command as root.

=
"Do or Do Not, there is no try"
-Yoda. The Empire Strikes Back
