nv-l

Re: NV 5.1.1 non-root administrator

To: nv-l@lists.tivoli.com
Subject: Re: NV 5.1.1 non-root administrator
From: "Lee, Richard FTC" <Richard.Lee.FTC@FMR.COM>
Date: Tue, 25 Jan 2000 07:40:28 -0500
Leslie,
        Has anything else been published regarding NetView & sudo?

Thanks
Rich

> -----Original Message-----
> From: Leslie Clark [SMTP:lclark@US.IBM.COM]
> Sent: Saturday, September 18, 1999 10:47 AM
> To:   NV-L@UCSBVM.UCSB.EDU
> Subject:      Re: NV 5.1.1 non-root administrator
>
> I have a customer who has been forced to use the sudo method and has had
> it in place for several months, so they should have found everything by
> now. I've asked them and they have agreed to provide their configuration
> so I can share it with the greater Netview community. Now, it will take
> some bugging on my part to get them to follow through, but I can do that.
> I'm good at that. Watch this space...
>
> Cordially,
>
> Leslie A. Clark
> IBM Global Services - Systems Mgmt & Networking
>
>
> Thanks James, thought I'd give it a shot. I am trying to build up the
> ammunition on the request for root access.
>
> From: James Shanks <James_Shanks@TIVOLI.COM> on 09/17/99 02:01 PM
>
> Please respond to Discussion of IBM NetView and POLYCENTER Manager on
>       NetView <NV-L@UCSBVM.UCSB.EDU>
>
> To:   NV-L@UCSBVM.UCSB.EDU
> cc:
> Client:
> Subject:  Re: NV 5.1.1 non-root administrator
>
> Ken -
>
> You are asking for knowledge I don't have.   All I know is what I have
> seen in the code.  But I haven't set up any test cases trying to find out
> if the function will work under sudo or if you change the directory
> permissions or whatever. We do not test circumventions to the normal way
> we ship, so you, and everyone else who wants to do (or has to do) this
> sort of thing is on his or her own.    Sorry.
>
> And I realize that you are a victim of circumstance but ...
> I just don't understand why (a) they cannot let you run your own box as
> long as you are 100% responsible for what happens on it or (b) they
> cannot just induct you into the inner circle.  Why can't NetView admin,
> network admin, and UNIX admin, all be part of the same trusted group?
> Have they not gotten the 90's notion yet that the computer is the
> network?  Option (b) seems the most common way to make this all work.
>
> James Shanks
> Tivoli (NetView for UNIX) L3 Support
>
>
>
> Ken Karasek <KGKARASE@HEWITT.COM> on 09/15/99 02:33:24 PM
>
> Please respond to Discussion of IBM NetView and POLYCENTER Manager on
> NetView
>       <NV-L@UCSBVM.UCSB.EDU>
>
> To:   NV-L@UCSBVM.UCSB.EDU
> cc:    (bcc: James Shanks/Tivoli Systems)
> Subject:  Re: NV 5.1.1 non-root administrator
>
> James, I am one of the unfortunate NetView administrators that belongs to
> a shop that has a dedicated UNIX system administration unit and that does
> not grant root access to anyone outside the sysadmin unit. I know.. I
> know... you don't need to say it... lived it, been there. Because one user
> among thousands of us found a back door in AIX and used it, all access
> has been severely limited.
>
> Since I have this constraint, can you provide a list of directories,
> commands, and/or files that I can request "sudo" access to in the event of
> required or perceived maintenance or troubleshooting. I currently have a
> small access list going, but I am constantly requesting additional sudo
> access as I run into problems with permission rights. It's not likely, but
> this has led me to request sudo to everything but starting a root shell.
> These requests are not always filled in a timely manner and can be very
> frustrating while I am on the phone with support and I am not able to
> access specific directories and/or files. I would like to address this
> problem as an opportunity to build "sudo" now so I can reduce my access
> problem when it is most needed. I realize that you could only provide
> NV/6000 information, but any insight you could provide from the wealth of
> product knowledge you have would be greatly appreciated.
>
> Thank you.
>
> From: James Shanks <James_Shanks@TIVOLI.COM> on 09/10/99 10:49 AM
>
> Please respond to Discussion of IBM NetView and POLYCENTER Manager on
>       NetView <NV-L@UCSBVM.UCSB.EDU>
>
> To:   NV-L@UCSBVM.UCSB.EDU
> cc:
> Client:
> Subject:  Re: NV 5.1.1 non-root administrator
>
> This is my two cents on this issue.   I usually get in trouble when I
> express my opinions on this list, because what I have to say often
> disturbs people, so let me say that this is my opinion and not official
> Tivoli doctrine.
>
> I feel compelled to comment on this because I think it needs to be said
> that NetView is designed (and this is about a decade old) around the
> assumption that the NetView administrator, like the NetView installer,
> will be, and should be, root.
>
> This assumption is not unreasonable.  The NetView box should only be
> running NetView and other network-related apps like Nways, CiscoView, and
> so on. Note that we are talking about an "administrator" here, one who
> changes or configures things, and thus decides how they should be run, as
> opposed to an "operator" who just uses what the administrator has set up.
> We expect the NetView administrator to be totally in charge of the NetView
> box.  We expect him to start and stop any and all daemons (not just our
> own but snmpd and perhaps others too), to expand the /usr filesystem
> before it gets full, to expand paging space as needed, and even to reboot
> the box as required.  We make no bones about this.   There are many, many
> places in NetView code where we explicitly check to see if the user
> running a command is root.   You can see this even in the script to start
> the GUI: netview.  If a required daemon is down, and root runs netview, it
> will be restarted, but otherwise not.  You cannot configure trapd.conf
> using xnmtrap nor edit production rulesets unless you are root, and I
> don't believe this is just a matter of permissions. (I could be wrong of
> course or perhaps you could find a way around that too).
>
> Now I am glad that Leslie knows a way that the Tivoli desktop functions
> can be performed by a non-root user, and that's fine if everything you
> ever want to do is provided in the desktop GUI.  But I doubt that it is.
> And sooner or later I think you will need to be root to do something to
> the box on behalf of NetView. If you don't like this, then you can
> complain to development via a note to netview@tivoli.com when you run
> into such a problem, but as of right now, these are the facts, and we
> have no stated direction to provide for a pseudo-root user to do
> everything you might need to do to administer NetView.  Besides, even if
> we did, it would then ultimately be only a question of semantics, because
> if the pseudo-root user gets authority to do absolutely everything he
> might need to do, then he might as well be called "root".
>
> One man's opinion, and speaking only for myself, of course, the NetView
> administrator should be root.  Else you had better be real good friends
> with whoever has that authority and make sure that they are available
> whenever you are.
>
> James Shanks
> Tivoli (NetView for UNIX) L3 Support
>
> ---------------------- Forwarded by James Shanks/Tivoli Systems on
> 09/10/99 11:24 AM ---------------------------
>
>
> Leslie Clark <lclark@US.IBM.COM> on 09/09/99 01:49:59 PM
>
> Please respond to Discussion of IBM NetView and POLYCENTER Manager on
> NetView
>       <NV-L@UCSBVM.UCSB.EDU>
>
> To:   NV-L@UCSBVM.UCSB.EDU
> cc:    (bcc: James Shanks/Tivoli Systems)
> Subject:  Re: NV 5.1.1 non-root administrator
>
> Alain, this is a pretty painful process at sites where there are very
> strict rules about the use of root.  You just keep on finding things that
> you need root for. The simplest approach is to take advantage of the
> Tivoli Framework facilities, if your security folks will accept it.
> Here's how:
>
> You create a Tivoli Administrator with only the NetviewServer
> balloon-thing on it. Under Logins, you put the unix login of your
> non-root administrator, perhaps limiting it to <userid>@<hostname>. So
> when that userid invokes 'tivoli' they will get that desktop, and only
> that user can get that desktop. Under Properties, where it says user and
> group, you put root and system or something. So functions you execute
> from that Desktop will execute as root, but you never have to know the
> root password, and you cannot execute anything except the menu functions
> on the NetviewServer icon.
>
> This passes muster with all customers except those who object to having
> any processes running under root except operating system processes,
> and they are a real minority.
>
> Cordially,
>
> Leslie A. Clark
> IBM Global Services - Systems Mgmt & Networking
>
> (NV 5.1.1 on AIX 4.2.1)
>
> Hi all,
>
> Due to extensive security, we have to create a user who will be the
> NetView administrator; some permissions of files can be changed to
> satisfy this request (netview user security, trapd.conf, ...) but what
> about daemons management (configure, maintain on the Tivoli desktop,
> start, stop, options, ...)? Is this possible?
>
> Thanks
>
> Alain
> -----------------------
> Alain Menezes
> ASLK-CGER Services GIE                          *:  +32 2 228.55.74
> Rue Foss


Archive operated by Skills 1st Ltd