[INUG-Users] PA as non-root

ashish nagar netcoolashish at googlemail.com
Sat Jul 7 23:58:39 EDT 2007


Hi All,

The simple way to run nco_pad as a non-root user is this:

nco_pad -configfile /opt/netcool/omnibus/etc/nco_pa.conf -name NCO_PA -user <username> -authenticate PAM

It will ask you for the password, so please do enter the password. Also
see that the non-root user is part of the ncoadmin group.

Regards
Ashish Nagar


On 7/5/07, Troy Clifton <tclifton at hotels.com> wrote:
>
> Yes as Alex has pointed out I am obviously mistaken and sticky bit and
> setuid are a bit different than what I have been informed.  I believe
> based on a few replies to my posting that Setuid is what I am referring
> to.  This is what I have done in the past and runs PA as root, but you
> can do it as nonroot user and still have access to the utilities PA
> offers.
> Hope this helps
>
> TC
>
> -----Original Message-----
> From: users-bounces at netcoolusers.org
> [mailto:users-bounces at netcoolusers.org] On Behalf Of Gothmolly
> Sent: Thursday, July 05, 2007 11:54 AM
> To: users at netcoolusers.org
> Subject: Re: [INUG-Users] PA as non-root
>
> Are you talking the STICKY bit or the SUID bit?   The SUID bit
> basically runs PA as root, but lets you do it as nonroot.
>
> Ed
>
> On 7/5/07, Troy Clifton <tclifton at hotels.com> wrote:
> >
> > I will reply one more time with this solution that I have used at several
> > different companies and it has never failed me.  There are a few things to
> > consider.
> >
> > 1. If you are using PAM authentication, you will use your local user account
> > to do status, stop, start, shutdown, etc. as long as you are in the ncoadmin
> > user group.
> >
> > 2. The root user must be in the ncoadmin group.
> >
> > 3. It is best to make the /opt/netcool directory recursively owned by some
> > other user like "netcool:ncoadmin".
> >
> > 4. The nco_pad binary must be owned by "root:ncoadmin" - that is the root
> > user in the ncoadmin user group.
> >
> > 5. The nco_pad binary must have a sticky bit set for permissions in order
> > for this to work.  (If you aren't familiar with sticky bit setting, ask your
> > Unix admin or google it and you should find some answers.)
> >
> > 6. Once you set up things like this, you can start the Process Control Agent
> > process with a similar command as below:
> >
> >             a. nco_pad -configfile /opt/netcool/omnibus/etc/NAME_PA.conf -authenticate PAM -name NAME_PA
> >
> > 7. This is assuming you are using PAM to authenticate and when you try to
> > do a status on it or similar, you can do the following:
> >
> >             a. nco_pa_status -server NAME_PA -user usernamehere and when it
> > prompts you for your password, you will enter your authentication password
> > (in most cases Active Directory).
> >
> > 8. When you ps -ef| grep nco_pad you will notice that the nco_pad is
> > actually running as root, but you will be able to do status with your PAM
> > authentication module you are using.
> >
> > I hope this is clear and helps, b/c it really is that simple.
> >
> > TC
> > ________________________________
> >
> > From: users-bounces at netcoolusers.org [mailto:users-bounces at netcoolusers.org]
> > On Behalf Of Alex Greenbank
> > Sent: Thursday, July 05, 2007 6:51 AM
> > To: users at netcoolusers.org
> > Subject: Re: [INUG-Users] PA as non-root
> >
> > Hello,
> >
> > If you google for:
> >         pam non-root authentication
> > it should point you in the right direction for the information required
> > for obtaining, compiling and configuring the PAM modules to allow non-root
> > processes to perform authentication against the password file.
> >
> > This is usually done with a setuid-root binary that can be called
> > by the PAM module to check the supplied password against the entry in
> > /etc/shadow file.
> >
> > There is no "just stick this in your pam config file" answer. If you
> > have a sysadmin you need to discuss it with them.
> >
> > PAM with nco_pad running as root is relatively easy, and descriptions
> > for what to do to make it work do exist.
> >
> > But non-root is much trickier. For a halfway house solution, you could
> > consider the pam_pwdfile module which, although it isn't tied directly
> > to /etc/passwd and /etc/shadow it will allow you to get non-root
> > authentication up and running reasonably quickly. (The pam_pwdfile
> > module allows you to specify your own location for a password file,
> > so you can have a separate one to that of the system.)
> >
> > We'd love to have a "tested, documented, certified, etc" method of
> > doing this, but it's just not that simple with PAM and everyone's
> > slightly different setups and security requirements.
> >
> > Ta,
> >
> > -Alex
> >
> > users-bounces at netcoolusers.org wrote on 05/07/2007 12:22:02:
> > > That would be nice. I have everything running under PA as a non root
> > > user, but I can't communicate to it. I have to use kill -9 to
> > > manipulate the processes, like kill PA first, etc. I am running on
> > > linux and I am certain it has to do with pam.d, but the archives and
> > > manual haven't helped me get past this, combined with the fact I have
> > > to give advance notice for what the SysAdmin has to type as root and
> > > there can't be any guesswork. Not being able to bang on it til it
> > > works is a real impediment.
> > >
> > >
> > > On 7/4/07, Robin Harwani <Robin.Harwani at tcs.com> wrote:
> > > > Please can someone give an elaborate answer.
> > > >
> > > > Thanks in advance
> > > > Robin
> > > > =====-----=====-----=====
> >
> > ________________________________
> >
> > Unless stated otherwise above:
> > IBM United Kingdom Limited - Registered in England and Wales with number
> > 741598.
> > Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
> >
> > _______________________________________________
> > Sent by the netcoolusers.org "users" mailing list
> > Post: users at netcoolusers.org
> > Unsubscribe: users-unsubscribe at netcoolusers.org
> > Search: http://lists.netcoolusers.org/archives/users/
> >
> >
>
>
> --
> Back to the Earth I screamed, and no one listened.
> Back to the Earth I lived, and they all followed.
>
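The thread above turns on the difference between the sticky bit and the setuid bit on the nco_pad binary. The following is an added example, not code from any poster or from the product: it reads the mode string from `ls -ld` and checks a file against the `root:ncoadmin` setuid layout described in the quoted replies. The function names `mode_bits` and `check_pad` and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell setuid from sticky on a file and audit it the way the
# thread describes (root:ncoadmin, setuid). Function names are hypothetical.

# mode_bits PATH: print the special bits found in the `ls -ld` mode string.
mode_bits() {
    perms=$(ls -ld -- "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$perms" ] || return 1
    out=""
    # Column 4 is owner-exec (s/S = setuid), 7 is group-exec (s/S = setgid),
    # column 10 is other-exec (t/T = sticky).
    case $(printf '%s\n' "$perms" | cut -c4)  in s|S) out="$out setuid" ;; esac
    case $(printf '%s\n' "$perms" | cut -c7)  in s|S) out="$out setgid" ;; esac
    case $(printf '%s\n' "$perms" | cut -c10) in t|T) out="$out sticky" ;; esac
    echo "${out:-none}" | sed 's/^ //'
}

# check_pad PATH OWNER GROUP: return 0 only if PATH is owned OWNER:GROUP, has
# the setuid bit, and is not writable by group or others. Prints each finding.
check_pad() {
    path=$1 want="$2:$3" rc=0
    listing=$(ls -ld -- "$path" 2>/dev/null) || { echo "missing: $path"; return 2; }
    perms=$(printf '%s\n' "$listing" | awk '{print $1}')
    have=$(printf '%s\n' "$listing" | awk '{print $3 ":" $4}')
    [ "$have" = "$want" ] || { echo "owner is $have, expected $want"; rc=1; }
    case " $(mode_bits "$path") " in
        *" setuid "*) ;;
        *) echo "setuid bit not set (mode $perms)"; rc=1 ;;
    esac
    case $(printf '%s\n' "$perms" | cut -c6,9) in
        --) ;;
        *) echo "writable by group or others (mode $perms)"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed stand-in directory carrying only the sticky bit.
demo=$(mktemp -d) && chmod 1750 "$demo"
echo "special bits: $(mode_bits "$demo")"
check_pad "$demo" root ncoadmin || echo "result: does not match the setuid setup"
rm -rf "$demo"
```

On a real host, call `check_pad` with the path to the installed nco_pad binary followed by `root ncoadmin`.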