John, I think this is an issue of how processes work in *nix, and how Universe looks at the account. Whether you execute sudo as a "new" process or "replace" the current process with the command you are executing (via "exec"), uv is running as root (you can do SH -c "ps -ef | grep uv" to see the process ownership). This looks like what uv is picking up for @LOGNAME.
I'm not sure there is a way around this (I'm not that familiar with the intricacies of sudo) from the OS side. I wonder, however, if it might be possible to incorporate this into your basic programs. I'm guessing that the "root" functions that you need are shell commands and not Universe basic programs. If this is the case, to run the "lastb" command (which needs root privileges; at least, in Linux...been a couple years since I've worked in HP-UX), you can do SH -c "sudo lastb", for example. If this is the case, and depending on the robustness of the sudo command in HP-UX, you can also address some of the security issues by specifying only those commands that your developers need to be able to run.

If, however, it is to run basic programs, you might be able to create the concept of a "root equivalency" file. We had this in our legacy ERP system. Create a file that has read-only access from most accounts, with a record that lists each account that you want to have root privileges. This could be easy to do if you have a single subroutine that checks permission levels and returns a "yea" or "nay", or a nightmare if each program does its own checking.

Hope this helps.

Drew

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Rodgers
Sent: Friday, April 02, 2010 8:57 AM
To: U2 Users List
Subject: Re: [U2] sudo for dummies

I understand the security implications - and I can believe that there may be better approaches. I am just not sure what they would be which do not involve a lot of setup and management overhead. It is what we have in place so I have to work with it.

This is for our development team only on a development platform. This is not done on the LIVE box. Programmers sometimes need root privileges for certain tasks. Setting passwords for test users etc. This is why we allow this level of access for a small number of identified users only by modifying the user login profile.
John Rodgers
MasterPack Project Team
Masonite International
Tel: (813) 2612396 ext 3036

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tom Whitmore
Sent: Friday, April 02, 2010 8:45 AM
To: U2 Users List
Subject: Re: [U2] sudo for dummies

Can you explain what you are trying to do? You are creating a huge security hole with sudo because once the user is logged into UniVerse as root they can shell out, as root, and do whatever they would like to as root. If you want to have a user that can perform UniVerse admin role, check out the uniadmin user. I also believe U2 is making this more functional.

Tom
RATEX Business Solutions.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Rodgers
Sent: Friday, April 02, 2010 8:08 AM
To: U2 Users List
Subject: [U2] sudo for dummies

I have a problem with a developer login where we want to provide 'root' privileges on our DEV box.

HP-UX B.11.11 U 9000/800 (tl)
UniVerse 9.6 in Pick flavor

This is done by changing the login profile to run something like this:

    exec /usr/local.bin/sudo /usr/opt/uv/bin/uv

This gives us 'root' access in UniVerse. For one user this is not working but I cannot spot any difference in his setup from anyone else's. The exec sudo (above) is changing the user id to root. For our other users the @LOGNAME in UniVerse does not change. Our login process relies on the @LOGNAME to perform some other checks which are now failing for this user.

Can anyone explain why the user.id would be changed by 'sudo'. Is there some setting or switch for sudo where this is controlled? Alternatively, is there a UniVerse option where the User Name might be somehow reset? (really clutching at straws here.)
Cheers
JR

_______________________________________________
U2-Users mailing list
[email protected]
http://listserver.u2ug.org/mailman/listinfo/u2-users
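The two ideas in the thread (the login identity turning into root under sudo, and a single "yea"/"nay" check against a root-equivalency list) can be sketched in the shell the login profile runs in. This is an added example, not code from any poster or from UniVerse; the function names, the one-account-per-line list format and the accounts jdoe and asmith are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the list format
# (one account name per line) are assumptions.

# resolve_login_user EUID SUDO_USER_VALUE PROCESS_OWNER
# After "exec sudo uv" the process owner is root. sudo records the invoking
# account in SUDO_USER; trust it only when the effective uid is 0, because an
# unprivileged user controls their own environment.
resolve_login_user() {
    euid=$1; sudo_user=$2; owner=$3
    if [ "$euid" -eq 0 ] && [ -n "$sudo_user" ]; then
        printf '%s\n' "$sudo_user"
    else
        printf '%s\n' "$owner"
    fi
}

# is_root_equivalent ACCOUNT FILE
# Returns 0 ("yea") only when ACCOUNT is a whole line of FILE and FILE is not
# writable by group or others; returns 1 ("nay") in every other case.
is_root_equivalent() {
    account=$1; file=$2
    [ -n "$account" ] && [ -f "$file" ] && [ -r "$file" ] || return 1
    # find prints the path if a group- or other-write bit is set.
    loose=$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -z "$loose" ] || return 1
    grep -Fxq -e "$account" "$file"
}

# Demo on a constructed list; jdoe and asmith are made-up accounts.
demo() {
    list=$(mktemp) || return 1
    printf 'jdoe\nasmith\n' > "$list"
    chmod 600 "$list"
    user=$(resolve_login_user 0 jdoe root)    # values as seen under sudo
    if is_root_equivalent "$user" "$list"; then echo "$user: yea"; else echo "$user: nay"; fi
    rm -f "$list"
}
demo
```

In a real profile the arguments would come from `id -u`, `${SUDO_USER:-}` and `id -un`, captured before the UniVerse session starts.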
