[Top] [All Lists]

RE: [NV-L] Root access

To: "Tivoli NetView Discussions" <nv-l@lists.ca.ibm.com>
Subject: RE: [NV-L] Root access
From: "Kain, Becki \(B.\)" <bkain1@ford.com>
Date: Mon, 14 May 2007 09:48:37 -0400
Delivery-date: Mon, 14 May 2007 14:49:58 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
Hop-count: 1
In-reply-to: <OF58AC4BC8.95900DFC-ON852572DB.0048E692-852572DB.004ABDE2@us.ibm.com>
List-help: <mailto:nv-l-request@lists.ca.ibm.com?subject=help>
List-id: Tivoli NetView Discussions <nv-l.lists.ca.ibm.com>
List-post: <mailto:nv-l@lists.ca.ibm.com>
List-subscribe: <http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=subscribe>
List-unsubscribe: <http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=unsubscribe>
Reply-to: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Sender: nv-l-bounces@lists.ca.ibm.com
Thread-index: AceWLQ6FdjwI4p8LSva0dFGlo8iRkwAATgUw
Thread-topic: [NV-L] Root access
sudo will not work on some *nix'es because the ability to bring in libraries is turned off for security reasons.  Had Netview been compiled as static, and not dynamic, this would not be an issue.
Netcool, afaik, does not require root.  Is IBM going to change it so that it will, based on your second paragraph?

From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com] On Behalf Of James Shanks
Sent: Monday, May 14, 2007 9:36 AM
To: Tivoli NetView Discussions
Subject: RE: [NV-L] Root access

Perhaps addtrap does core under some conditions under sudo, though offhand I don't know why that should be. addtrap is looking for a uid of 0 and will exit if that's not the user id of the user who invoked it. I don't know whether sudo on Linux provides a uid of zero or not. Really I have no idea how sudo actually works.

I have no suggestions for how to avoid using root, but I think this issue stems largely from the fact that most UNIX admins are ignorant of the power of NetView. If you let a non-root user configure traps in NetView, then you have given him or her complete authority to do anything they like. All you have to do is configure trapd.conf, with addtrap or xnmtrap or even vi if you know what you are doing, to execute any script you write or any command you like for the Node Up trap and then issue "event" from the command line. The default event is "Node Up" and when trapd gets it, he will dutifully issue that command, and since he has root authority, he becomes the slave of whomever has the power to configure him. So addtrap is a powerful tool that will let whomever has the authority to use it, alter the system in any way they like. This should not be news to any experienced NetView admin, and has been posted in this forum before.

Warning! Personal opinion follows. <soapbox >
The decision not to give the NetView admin root access is purely political; it has no technical basis. It just a matter of corporate turf wars, "You aren't in our group so you can't have access." IBM's position, so far as I know, still remains that the NetView administrator should be the UNIX admin for the NetView box, and that companies should align their political boundaries with what works not with some arbitrary org chart.
</soapbox off>

James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp
Inactive hide details for "Kain, Becki \(B.\)" <bkain1@ford.com>"Kain, Becki \(B.\)" <bkain1@ford.com>

          "Kain, Becki \(B.\)" <bkain1@ford.com>
          Sent by: nv-l-bounces@lists.ca.ibm.com

          05/14/2007 09:05 AM
          Please respond to
          Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>


"Tivoli NetView Discussions" <nv-l@lists.ca.ibm.com>



RE: [NV-L] Root access

Yes, but in my experiences, sudo does not work for all commands (addtrap, for one, core dumps on it)

From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com] On Behalf Of Evans, Bill
Friday, May 11, 2007 5:02 PM
Tivoli NetView Discussions
RE: [NV-L] Root access

I don't think there is a technical explanation or a problem. It's just some fuzzy wording left over from long ago when only "root" had "root" authority. It's been a couple months since we put a test instance of NV 7.1.5 in place on RH 4 and my memory may not be working well, but as I remember it ...

The character string "root" is meaningless. The authority is the key. I log into the system where NetView will reside with my normal user connection then so a SUDO to get administrator (root) authority, change directory to where I've copied my media from the disks ( /usr/NV_media/NV-Base-715/BASE_CD/NetView) and proceed to issue the "./instalnv -k SERVER [-u] [-q]" command.

"Real soon now" we'll be putting 7.1.5 into production. It's been working well on the test machine. Our system support group is busily removing unused packages and tying up security threads on the RH 4 install so we can proceed.

Bill Evans

From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com] On Behalf Of REAMD@nationwide.com
Friday, May 11, 2007 10:08 AM
Tivoli NetView Discussions
[NV-L] Root access

Hi All,
Can someone please provide me a technical explanation as to why you need to be logged on as 'root' to install Netview? I currently have a new Solaris 10 box that Im going to load Netview 7.1.5 on and my Unix team does not want to give me the root password. They have given me 'sudo root' and with sudo you already have the same level of access as the Unix Systems Administrators and can grab a root shell as needed. The only location the root user can log into a server is on the serial console. Ssh into the server as root and running the su command will not work per the ITRM Unix security template.

Thanks, Dave _______________________________________________
NV-L mailing list
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to internal IBM'ers only)

NV-L mailing list
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to 
internal IBM'ers only)
<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web