RE: Framework - Netview question/discussion

To: nv-l@lists.tivoli.com
Subject: RE: Framework - Netview question/discussion
From: James_Shanks@tivoli.com
Date: Fri, 15 Jun 2001 08:46:41 -0400
My opinion, and I have given it many times here, is that the NetView
administrator should have root authority.
Much of the product is designed so that only someone with root authority
can do things like configure traps, create rulesets in the standard
directory, and so on.

We don't test with sudo, so I have no idea what the differences if any
will be. That is all I can say.

I agree with Jim Kellock that operators should not be root.

If you want a definitive statement from Tivoli, as opposed to my opinion,
then you will have to open a call to Support.  Nothing I say here is
official.  I am just another volunteer.  In some areas I have more
knowledge than many users, in other areas, decidedly less.

James Shanks
Team Leader, Level 3 Support
 Tivoli NetView for UNIX and NT



"Allison, Jason (JALLISON)" <JALLISON@arinc.com>@tkg.com on 06/15/2001
08:27:45 AM

Please respond to IBM NetView Discussion <nv-l@tkg.com>

Sent by:  owner-nv-l@tkg.com


To:   "'IBM NetView Discussion'" <nv-l@tkg.com>
cc:
Subject:  RE: [NV-L] Framework - Netview question/discussion




Thanks for the response.  I think I am in a different boat than most when I
discuss how I use Netview.  I am not the Network Admin, I like to think of
myself as a Network Engineer/Software Engineer (network application
development).  Here, Netview is used in our NOC to manage a large (IMO)
network of networks as well as a front-end interface to maintain status on
other apps/devices.  My job entails improving our management product (other
apps outside of Netview) to make life easier on the system and for the
operators.  With all that said, my issues are that the System Admin group
does own the "Software Integration and Test" Netview box.  I -have never
had- root and after the meeting yesterday, it doesn't seem like I ever will
(*rant removed due to space limitations*).

I am required to use sudo to bring up, down, start, stop, status, -run
/usr/OV/bin/*-, Netview and its daemons.  Since I have been here (~1mnth), I
have never seen Framework up (scary) and I have been unable to bring
Framework up using sudo at all.  In addition, Netview (and its daemons as I
understand it to be) is only ever run as sudo.  In my other Netview
experience I have always had root when integrating this product with other
custom apps, this is new to me.

To directly address my concerns, they are the potential for Netview failing,
crashing, stopping, -doing bad things-, overall not working as designed,
because we are integrating using sudo.  Coming from a software background I
understand that something overlooked in the design stages that creeps up in
the implementation stages has the potential for utter disaster.  The one
thing I have learned from my experience with Netview is that, "I will never
know everything about Netview".  This is exactly why I am so worried.

I am hoping someone has official comments from Tivoli that discusses this
issue.  Maybe someone has information with regards to functionality that
sudo -does not provide- to apps like Framework/Netview and its daemons.

I know this is a very sore subject, as well as discussed numerous times (as
I have seen in this list's archives as well as the other Tivoli lists I have
searched).  I am also sure we could go on for weeks talking about this topic
as well.  For me, if there is no solid proof that Framework/Netview -will
not work- or -will not work properly- using sudo, it just makes my
engineering work a little more difficult.

Thanks again for the time taken to read this,
Jason


-----Original Message-----
From: Jim Kellock [mailto:jkellock@nc.rr.com]
Sent: Thursday, June 14, 2001 9:15 PM
To: IBM NetView Discussion
Subject: Re: [NV-L] Framework - Netview question/discussion


Many (most?) people may run Netview as root, but it's not necessary, and
from a security perspective, it's not a good idea.  No Unix admin wants
users running applications as root.  Only thing root needs to do for
NetView is start background daemons, and sudo is fine for that.  If
there are problems with daemons falling over, you can script a solution
for that, although you should really find out what the problem is.

Having said that, the implication of your post is that you (the NetView
admin?) don't own the NetView machine.  This is also not a good idea,
although I realize that these days many are running NetView on one node
of an SP owned by another department, but if you are the NetView
administrator, you are not in the same category as a NetView user, and
you should have root access.

Your users, however, should not be running NetView as root.  From the
administrator's point of view, if you can limit normal AIX users to one
NetView session per user, or at least limit NetView sessions to a small
number of users, it's much easier to figure out what's going on, should
you be called to sort out a problem with a session, if you can identify the
user who owns each ovwbinary session.

This is not a cut-and-dried subject, and you may want to sit down and
figure out your management scheme before you commit to anything.

I'm sure others will offer their opinions as well.


"Allison, Jason (JALLISON)" wrote:
>
> List:
>
> I am sure most of us have been through this with our System Admin group.
> I am trying to find out if there are any known problems/bugs/concerns with
> running Framework and Netview via the "Su Do" Unix utility `sudo` and not
> from user root.
>
> Does Tivoli have an "official" position on this subject?
>
> Thanks for your time,
> Jason
> _________________________________________________________________________
> NV-L List information and Archives: http://www.tkg.com/nv-l


Archive operated by Skills 1st Ltd