[INUG-Users] PA as non-root
Gothmolly
gothmolly at gmail.com
Thu Jul 5 12:53:59 EDT 2007
Are you talking about the STICKY bit or the SUID bit? The SUID bit
basically runs PA as root, but lets you do it as non-root.
Ed
On 7/5/07, Troy Clifton <tclifton at hotels.com> wrote:
> I will reply one more time with this solution that I have used at several
> different companies and it has never failed me. There are a few things to
> consider.
>
> 1. If you are using PAM authentication, you will use your local user account
> to do status, stop, start, shutdown, etc. as long as you are in the ncoadmin
> user group.
>
> 2. The root user must be in the ncoadmin group
>
> 3. It is best to make the /opt/netcool directory recursively owned by some
> other user like "netcool:ncoadmin".
>
> 4. the nco_pad binary must be owned by "root:ncoadmin" – that is the root
> user in the ncoadmin user group.
>
> 5. the nco_pad binary must have a sticky bit set for permissions in order
> for this to work. (if you aren't familiar with sticky bit setting, ask your
> Unix admin or google it and you should find some answers)
>
> 6. Once you setup things like this, you can start the Process Control Agent
> process with a similar command as below:
>
> a. nco_pad --configfile /opt/netcool/omnibus/etc/NAME_PA.conf --authenticate PAM --name NAME_PA
>
> 7. This is assuming you are using PAM to authenticate and when you try to
> do a status on it or similar, you can do the following:
>
> a. nco_pa_status --server NAME_PA --user usernamehere and when it
> prompts you for your password, you will enter your authentication password
> (in most cases Active Directory).
>
> 8. When you ps -ef | grep nco_pad you will notice that the nco_pad is
> actually running as root, but you will be able to do status with your PAM
> authentication module you are using.
> I hope this is clear and helps, b/c it really is that simple.
> TC
> ________________________________
>
>
> From: users-bounces at netcoolusers.org [mailto:users-bounces at netcoolusers.org]
> On Behalf Of Alex Greenbank
> Sent: Thursday, July 05, 2007 6:51 AM
> To: users at netcoolusers.org
> Subject: Re: [INUG-Users] PA as non-root
> Hello,
>
> If you google for:
> pam non-root authentication
> it should point you in the right direction for the information required
> to obtain, compile and configure the PAM modules to allow non-root
> processes to perform authentication against the password file.
>
> This is usually done with a setuid-root binary that can be called
> by the PAM module to check the supplied password against the entry in
> /etc/shadow file.
>
> There is no "just stick this in your pam config file" answer. If you
> have a sysadmin you need to discuss it with them.
>
> PAM with nco_pad running as root is relatively easy, and descriptions
> for what to do to make it work do exist.
>
> But non-root is much trickier. For a halfway house solution, you could
> consider the pam_pwdfile module which, although it isn't tied directly
> to /etc/passwd and /etc/shadow, will allow you to get non-root
> authentication up and running reasonably quickly. (The pam_pwdfile
> module allows you to specify your own location for a password file,
> so you can have a separate one to that of the system.)
>
> We'd love to have a "tested, documented, certified, etc" method of
> doing this, but it's just not that simple with PAM and everyone's
> slightly different setups and security requirements.
>
> Ta,
>
> -Alex
>
> users-bounces at netcoolusers.org wrote on 05/07/2007 12:22:02:
> > That would be nice. I have everything running under PA as a non root
> > user, but I can't communicate to it. I have to use kill -9 to
> > manipulate the processes, like kill PA first, etc. I am running on
> > linux and I am certain it has to do with pam.d, but the archives and
> > manual haven't helped me get past this, combined with the fact I have
> > to give advance notice for what the SysAdmin has to type as root and
> > there can't be any guess work. Not being able to bang on it til it
> > works is a real impediment.
> >
> >
> > On 7/4/07, Robin Harwani <Robin.Harwani at tcs.com> wrote:
> > > Please can someone give an elaborate answer.
> > >
> > > Thanks in advance
> > > Robin
> _______________________________________________
> Sent by the netcoolusers.org "users" mailing list
> Post: users at netcoolusers.org
> Unsubscribe: users-unsubscribe at netcoolusers.org
> Search: http://lists.netcoolusers.org/archives/users/
--
Back to the Earth I screamed, and no one listened.
Back to the Earth I lived, and they all followed.
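The thread turns on whether nco_pad carries the sticky bit or the setuid bit, and on the binary being owned by root:ncoadmin. The POSIX shell audit below is an added example, not code from the thread or from Netcool: it reads the mode from ls(1), reports which special bit a binary actually carries, and checks that ownership and write permissions match that layout. The function names, and the path, owner and group passed as arguments, are this example's own.

```shell
#!/bin/sh
# Added example: audit a Process Agent binary set up the way the thread
# describes (owner root, group ncoadmin, setuid bit). Uses only ls(1)
# output, so it does not depend on GNU stat(1).

# Print which special bit(s) the file carries: setuid, sticky, both or none.
# In "-rwsr-x---" the 4th character is 's'/'S' for setuid, the 10th 't'/'T'
# for sticky; a sticky bit on a regular file does nothing on modern systems.
special_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)
    setuid=$(printf '%s' "$mode" | cut -c4)
    sticky=$(printf '%s' "$mode" | cut -c10)
    case "$setuid$sticky" in
        [sS][tT]) echo both ;;
        [sS]*)    echo setuid ;;
        *[tT])    echo sticky ;;
        *)        echo none ;;
    esac
}

# Return 0 when the binary matches the intended layout: expected owner and
# group, setuid bit present, and no write access for group or others
# (anyone who can replace a setuid-root binary gets root). Prints one line
# per finding.
audit_pa_binary() {
    path=$1; want_owner=$2; want_group=$3
    rc=0
    set -- $(ls -ld "$path")             # mode links owner group ...
    mode=$1; owner=$3; group=$4
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, want $want_group"; rc=1; }
    case $(special_bits "$path") in
        setuid|both) ;;
        sticky) echo "only the sticky bit is set; nco_pad will not run as root"; rc=1 ;;
        none)   echo "no setuid bit; nco_pad will run as the caller"; rc=1 ;;
    esac
    case "$mode" in
        ?????w*|????????w*) echo "group or world writable: privilege-escalation risk"; rc=1 ;;
    esac
    return $rc
}

# Usage (paths and names from the thread):
#   audit_pa_binary /opt/netcool/omnibus/bin/nco_pad root ncoadmin
```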