Re: recover root password

2008-04-15 Thread Rob van der Heij
On Tue, Apr 15, 2008 at 12:34 AM, John Summerfield
<[EMAIL PROTECTED]> wrote:

>  Until the vendors change their approach, administrators are going to be
>  working that way.

But isn't that why folks bother to hang out on mailing lists and learn
how to improve their way of working?

I consider the default setup maybe the easiest way to get started, but
not necessarily the best approach to run your system. My expectations
of an end-user system are different. If you have someone install just
one or two systems, you want the installer to do most things right and
let the user resume his real work. But with professionals doing
installs as their job, I'd expect them to know the requirements better
than the vendor. Bonus points for installers that let you tweak the
process rather than fight it (I have bad memories of YaST re-installing
some products each time it could).

We used to have IBM products with installation instructions like this:
 CP MSG OPERATOR PLEASE MOUNT TAPE
 CP WNG ALL MAINTENANCE WILL BEGIN !
 REW 181
Even though these are actual commands, I believe they should not be
taken literally as the maintenance procedure in any shop.

Rob

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390


Re: recover root password

2008-04-15 Thread Bjoern A. Zeeb

On Mon, 14 Apr 2008, Miguel Roman wrote:

Hi,

so, all I read was that you had to take down/reboot the linux system
to recover.

The days I last used linux (on intel that was) you could simply boot
into single user mode and got a shell once / was mounted without being
asked for a password.
You change your password and continue to the boot to get to multi user.

So now I have no idea if
- is it possible to boot into single user mode easily from VM?
- the distributions do ask for a password (the root password) these
  days before you get the shell in single user mode?

The advantage of this concept was that it was pretty damn fast if you
had to reboot anyway and you didn't need any 2nd system and do mounts
and chroot and all that.

Some BSD systems have a second privileged user called 'toor' btw. You
could easily setup a password for that user at install time, write it
down put it into a safe and you wouldn't even have to reboot ... but
setting up sudo properly, as said by others, should be a better choice
these days.


Yet, there is another alternative if you are not running on the
latest kernel/patchlevel and need to fix that NOW without a maintenance
window. Find a non-harmful exploit;-) The drawback is that you would
want to fix that afterwards but that's what the maintenance window is
for...


/bz

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.



Re: recover root password

2008-04-15 Thread Rob van der Heij
On Tue, Apr 15, 2008 at 11:33 AM, Bjoern A. Zeeb
<[EMAIL PROTECTED]> wrote:

>  So now I have no idea if
>  - is it possible to boot into single user mode easily from VM?
>  - the distributions do ask for a password (the root password) these
>   days before you get the shell in single user mode?

The difference is in having a local console, so Intel distributions
that provide this depend on physical access control (or how they wire
up the local console into some network gear).
But Linux virtual machines on z/VM do not have a console that is
attractive to use for repairing the system. So existing solutions end
up doing some rescue system that will have a network to let you ssh
into the system. I have some concerns using real network IP address
etc for that. We've been talking about virtual console switches, but I
think it would be overkill considering the other options we already
have.

More convenient IMHO is to have another running Linux server reach out
to the disks of the dead server and mount them. That way you have all
the tools you need to fix things (though it may be that current
LVM-tools have a strong one-system mindset).

Rob
--
Rob van der Heij
Velocity Software GmbH
http://velocitysoftware.com/



Re: Help needed adding LCS Ethernet on a z9 for z/Linux LPAR (NO VM)

2008-04-15 Thread Ursula Braun1
Sam,
are your devices 0.0.f100, 0.0.f101 known, i.e. contained in the output for
"lscss"?
Are the modules cu3088 and lcs loaded, i.e. contained in the output for
"lsmod"?

Best regards, Ursula Braun, IBM Germany



Re: CentOS 4.4 kernel panic on boot s390x

2008-04-15 Thread Kelly F. Hickel
Brad,
That sounds like a great tip, I'll give it a try.  I hadn't gone
past the initial "choose a language" screen, both because some of the
google hits said that was as far as you needed to go, and because I was
afraid that if I gave it the location, it might destroy some of the
data. I know it prompts before writing anything, but there are too many
things I don't know about Linux on s390x, so I'm more than a bit
paranoid.

Thanks,


--

Kelly F. Hickel
Senior Product Architect
MQSoftware, Inc.
952-345-8677 Office
952-345-8721 Fax
[EMAIL PROTECTED]
www.mqsoftware.com
SEE BUSINESS WORK

> -Original Message-
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
> Brad Hinson
> Sent: Monday, April 14, 2008 5:10 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: CentOS 4.4 kernel panic on boot s390x
> 
> Hi Kelly,
> 
> You mentioned earlier that you're using the installer image.  How far
> into the install are you going before SSH'ing in to troubleshoot?  If
> you go past the point of entering the location of the stage 2
> environment (i.e. on the installation method screen, select
> FTP/HTTP/NFS, enter the server and path, then select Next), the
> installer will download or mount (depending on method) the stage 2 image
> containing the LVM tools.
> 
> I'd recommend going through the install until the point where the VNC
> server is started and it asks you to connect.  At that point, SSH in a
> second time (or press  to get a shell prompt).  You should see
> that "/" is mounted from the stage 2 image (shown below as /dev/root),
> and /usr/sbin/lvm will exist:
> 
> -/bin/sh-3.00# mount | grep root
> /dev/root on / type ext2 (rw)
> 
> -/bin/sh-3.00# which lvm
> /usr/sbin/lvm
> 
> 
> -Brad
> 
> On Mon, 2008-04-14 at 15:34 -0500, Kelly F. Hickel wrote:
> > /usr only contains the lib64 directory.
> >
> >
> > --
> >
> > Kelly F. Hickel
> > Senior Product Architect
> > MQSoftware, Inc.
> > 952-345-8677 Office
> > 952-345-8721 Fax
> > [EMAIL PROTECTED]
> > www.mqsoftware.com
> > SEE BUSINESS WORK
> >
> >
> > > -Original Message-
> > > From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Justin Payne
> > > Sent: Monday, April 14, 2008 3:28 PM
> > > To: LINUX-390@VM.MARIST.EDU
> > > Subject: Re: CentOS 4.4 kernel panic on boot s390x
> > >
> > > Do you see lvm in /usr/sbin?
> > >
> > > ~Justin
> > >
> > > Kelly F. Hickel wrote:
> > > > Brad,
> > > > I don't have any of those commands. What I've done is to do a
> > > > load from CDRom on the HMC and point it at a downloaded mirror of the
> > > > s390x centos repo.  Is there some other rescue mode that is more useful
> > > > than what I have
> > > >
> > > > The contents of /sbin on this ramdisk are:
> > > > -/bin/sh-3.00# ls /sbin
> > > > [           dasdfmt     hexdump     mktemp      rmmod       touch
> > > > ash         date        hostname    modprobe    route       tr
> > > > awk         dd          id          more        rpm2cpio    traceroute
> > > > basename    deallocvt   ifconfig    mount       sed         true
> > > > bash        df          in.telnetd  msh         sh          tty
> > > > bunzip2     dirname     init        mv          shutdown    umount
> > > > busybox     dmesg       insmod      nc          sleep       uname
> > > > bzcat       du          install     openvt      sort        uniq
> > > > cat         echo        ip          passwd      sshd        unzip
> > > > chgrp       egrep       kill        pidof       strings     uptime
> > > > chmod       env         killall     ping        stty        usleep
> > > > chown       expr        ln          pivot_root  swapoff     vi
> > > > chroot      false       load_policy poweroff    swapon      wc
> > > > chvt        fgrep       loader      ps          sync        wget
> > > > clear       find        login       pwd         tail        which
> > > > cmp         free        ls          rdate       tar         whoami
> > > > cmsfscat    grep        lsmod       readlink    tee         xargs
> > > > cmsfslst    gunzip      makedevs    reboot      telnet      xauth
> > > > cp          gzip        md5sum      reset       test        xinetd
> > > > cpio        halt        mkdir       rm          time        yes
> > > > cut         head        mknod       rmdir       top         zcat
> > > >
> > > > And that's all that I have to work with...
> > > >
> > > > --
> > > >
> > > > Kelly F. Hickel
> > > > Senior Product Architect
> > > > MQSoftware, Inc.
> > > > 952-345-8677 Office
> > > > 952-345-8721 Fax
> > > > [EMAIL PROTECTED]
> > > > www.mqsoftware.com
> > > > SEE BUSINESS WORK
> > > >
> > > >
> > > >
> > > >> -Original Message-
> > > >> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
> > > >> Brad Hinson
> > > >> Sent: Monday, April 14, 2008 3:05 PM
> > > >> To: LINUX-390@VM.MARIST.EDU
> > > >> Subject: Re: CentOS 4.4 kernel panic on boot s390x
> 

Re: CentOS 4.4 kernel panic on boot s390x

2008-04-15 Thread Kelly F. Hickel
Well, I guess that I'm out of luck. It says that there are no valid
partition tables on any of my devices, I have no idea how that could
have possibly happened, but I seem to have no choices left except to
reinstall.

I guess that I also don't really understand how it could be getting far
enough along in a normal boot to get the kernel loaded to the point of
activating the volume groups, if there aren't any partition tables.

Am I missing something about lvm? Do I have to do some mdadm commands to
reassemble these devices into a working filesystem before I can do
anything? I thought that they would have had to have valid partition
tables before I could do that..


--

Kelly F. Hickel
Senior Product Architect
MQSoftware, Inc.
952-345-8677 Office
952-345-8721 Fax
[EMAIL PROTECTED]
www.mqsoftware.com
SEE BUSINESS WORK



Re: recover root password

2008-04-15 Thread McKown, John
> -Original Message-
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On 
> Behalf Of John Summerfield
> Sent: Monday, April 14, 2008 5:34 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: recover root password

[snip]

> 
> Red Hat expects administrators to know and use root's password. That's
> what su does.
> 
> SUSE expects administrators to know and use root's password. It
> configures sudo to work that way.

Strange. On my OpenSUSE at home, it asks for my password, not root's
password.

> 
> Until the vendors change their approach, administrators are 
> going to be
> working that way.

That can be fixed by the administrator using visudo to change
/etc/sudoers. Granted, another customization that the vendor should do.
Perhaps. But you know how much people will scream "why did that
CHANGE" if the vendor does it.

> 
> The only Linux distribution that expects administrators to 
> use their own
> password is Ubuntu, and while it's based off Debian that is available
> for IBM mainframes, Ubuntu isn't yet.
> 
> One can also login as root without password if ssh is so configured.

Hopefully you mean with a cert instead of a password.

> 
> --
> 
> Cheers


--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology



Re: Help needed adding LCS Ethernet on a z9 for z/Linux LPAR (NO VM)

2008-04-15 Thread Sam Bass
For some reason I am not getting any e-mail from my own posting.
I get all other Linux-390 postings.
I had to go to the Linux-390 index to read them.
 
In response to Ursula Braun,
 
  lscss  did not show F100-F101.
 
  Modules cu3088 and lcs loaded since I already have F200 LCS Ethernet working.
 
 
Here is what I did to fix the issue.
 
I finally got F100 to work by defining an OAT and then configing off CHP(F1) 
and then back online.
It added it as eth0 and dropped the existing F200 connection (ifconfig showed 
it online).
I just did an "ifdown eth1" and "ifup eth1"
 
I was using LCS because?...
 
Well. LCS was familiar to me and I did not know that QDIO could be shared 
until last 2 weeks.
I am in the process of converting the LCS to QDIO.  That is why I wanted to add 
the F100 so I could be logged on to z/Linux and delete F200 and then load the 
new IODF and then add F200 back as QDIO.
 
 
Sam Bass
254-771-7212
Sr z/OS Systems Specialist
 
-Original Message-
From: Sam Bass 
Sent: Monday, April 14, 2008 1:02 PM
To: 'Linux on 390 Port'
Subject: Help needed adding LCS Ethernet on a z9 for z/Linux LPAR (NO VM)
 
I am reposting to make sure this went out.
Any help would be greatly appreciated.
 
Sam
 
 
Hi,
 
We are trying to add another OSA LCS Ethernet on our z/9 z/Linux LPAR (SLES 10 
sp1)
CHP F1 is defined in IODF as OSE 
 
Looking at some PDFs I see that it says that we only have to do the following:
 
echo 0.0.f100,0.0.f101 > /sys/bus/ccwgroup/drivers/lcs/group
 
1.  Without an "echo -n" we get an echo invalid argument
2.  With "echo -n " we get no message and nothing built in the appropriate 
/sys/bus/ccwgroup areas.
 
Next we tried YAST, we rebooted and F100 times out.
F200 is already an LCS, but we want to convert it to QETH as soon as we can get 
this second LCS Ethernet working.
There is NO OAT for F100 , but F200 (which works, installed via installation 
process) has an OAT.
CHP(F1) is offline to all but this LPAR.
 
I have done a "zipl -c /etc/zipl.conf"
Here is my /etc/zipl.conf
 
 
[defaultboot]
defaultmenu = menu
 
[SLES_10_SP1]
image = /boot/image-2.6.16.54-0.2.3-default
target = /boot/zipl
ramdisk = /boot/initrd-2.6.16.54-0.2.3-default,0x100
   # parameters = "root=/dev/disk/by-id/ccw-IBM.7500029646.3800.2f-part2 TERM=dumb"
parameters = "dasd=382f,392f root=/dev/disk/by-id/ccw-IBM.7500029646.3800.2f-part2 TERM=dumb"
 
:menu
default = 1
prompt = 1
target = /boot/zipl
timeout = 15
1 = ipl
 
###Don't change this comment - YaST2 identifier: Original name: ipl###
[ipl]
image = /boot/image
target = /boot/zipl
ramdisk = /boot/initrd,0x100
#parameters = "root=/dev/disk/by-id/ccw-IBM.7500029646.3800.2f-part2   TERM=dumb"
parameters = "dasd=382f,392f root=/dev/disk/by-id/ccw-IBM.7500029646.3800.2f-part2   TERM=dumb cio_ignore=all,!0.0.382F,!0.0.392F,!0.0.F100-0.0.F11E,!0.0.F200-0.0.F202,!0.0.C000-0.0.C01F,!0.0.C100-0.0.C11F"
 
 
Sam Bass
254-771-7212
Sr z/OS Systems Specialist
 
 



Re: recover root password

2008-04-15 Thread Robert J Brenneman
Another option to recover a root password on recent Linux on Z distros is to
supply a replacement init on boot up - like so:

zIPL v1.6.0 interactive boot menu

 0. default (ipl)

 1. ipl
 2. Failsafe

Note: VM users please use '#cp vi vmsg  '

Please choose (default will boot in 10 seconds):

#cp vi vmsg 1 init=/bin/bash



Linux will start a bash shell instead of the regular init process, you just
have to remount your root filesystem in RW mode like so:

mount / -o remount,rw

and then you can change the root password as needed - or do any other
maintenance you want. This trick would probably have helped with the broken
CA esm for linux, too, but it didn't occur to me at the time. This also
works on PC versions of Linux if no one has set a grub bootloader password.
Yet another example of "Physical access trumps all security settings,
eventually".


--
Jay Brenneman
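
Added example, not part of the thread: a shell audit of the two settings the posts above turn on for PC installs, a GRUB password and a password prompt in single-user mode. It assumes GRUB legacy's menu.lst and a SysV /etc/inittab; the function names and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a console user need a password before reaching a root
# shell at boot? Checks a GRUB legacy menu.lst and a SysV inittab.

# Exit 0 if menu.lst has a global "password" line (before the first "title").
# That line locks GRUB's interactive editor, which is what is used to append
# kernel arguments such as init=... or "single".
grub_edit_locked() {
    awk '
        /^[ \t]*title[ \t]/     { exit }
        /^[ \t]*password[ \t=]/ { found = 1; exit }
        END                     { exit(found ? 0 : 1) }
    ' "$1"
}

# Exit 0 if inittab runs sulogin for runlevel S (single-user mode).
# inittab fields are id:runlevels:action:process.
single_user_asks_password() {
    awk -F: '
        /^[ \t]*#/ { next }
        NF >= 4 && $2 ~ /[Ss]/ && $4 ~ /sulogin/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# $1 = menu.lst, $2 = inittab. A replacement init never reads inittab, so
# sulogin does nothing against it; only the bootloader lock (or control of
# the console itself) does.
boot_path_verdict() {
    if grub_edit_locked "$1"; then args=locked; else args=editable; fi
    if single_user_asks_password "$2"; then su=sulogin; else su=no-password; fi
    echo "kernel-args=$args single-user=$su"
}

# --- constructed sample files -------------------------------------------
BOOT_SAMPLES=$(mktemp -d)
trap 'rm -rf "$BOOT_SAMPLES"' EXIT

cat > "$BOOT_SAMPLES/menu_open.lst" <<'EOF'
default=0
timeout=5
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda2
EOF

cat > "$BOOT_SAMPLES/menu_locked.lst" <<'EOF'
default=0
timeout=5
password --md5 CONSTRUCTED_HASH_PLACEHOLDER
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda2
EOF

cat > "$BOOT_SAMPLES/inittab_open" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
EOF

cat > "$BOOT_SAMPLES/inittab_sulogin" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
~~:S:wait:/sbin/sulogin
EOF

for grub in menu_open.lst menu_locked.lst; do
    for tab in inittab_open inittab_sulogin; do
        printf '%-16s %-16s %s\n' "$grub" "$tab" \
            "$(boot_path_verdict "$BOOT_SAMPLES/$grub" "$BOOT_SAMPLES/$tab")"
    done
done
```

A result of kernel-args=editable with single-user=sulogin is the case to watch: the single-user prompt is in place, but the kernel command line can still be changed from the console.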



Re: CentOS 4.4 kernel panic on boot s390x

2008-04-15 Thread Brad Hinson
I think that message may be misleading.  If you're getting that far into
the boot process, the partition tables may be there.  Did you get to the
point of entering the NFS/HTTP/FTP server and path and selecting "Next"?
That's really as far as you need to go in the installer.  The rest
should be done in a separate SSH session.

From that separate SSH session, do you see /usr/sbin/lvm?

-Brad

On Tue, 2008-04-15 at 06:55 -0500, Kelly F. Hickel wrote:
> Well, I guess that I'm out of luck. It says that there are no valid
> partition tables on any of my devices, I have no idea how that could
> have possibly happened, but I seem to have no choices left except to
> reinstall.
>
> I guess that I also don't really understand how it could be getting far
> enough along in a normal boot to get the kernel loaded to the point of
> activating the volume groups, if there aren't any partition tables.
>
> Am I missing something about lvm? Do I have to do some mdadm commands to
> reassemble these devices into a working filesystem before I can do
> anything? I thought that they would have had to have valid partition
> tables before I could do that..
>
>
> --
>
> Kelly F. Hickel
> Senior Product Architect
> MQSoftware, Inc.
> 952-345-8677 Office
> 952-345-8721 Fax
> [EMAIL PROTECTED]
> www.mqsoftware.com
> SEE BUSINESS WORK
>
>

Re: recover root password

2008-04-15 Thread RPN01
By default, sudo expects root's password. But, it can be easily configured
to expect the user to enter his own password instead. It's a one line
change.

RedHat and SuSE expect administrators to use the root account because "It's
always been done that way." But, when you have more than one administrator,
and especially if you have more than a handful, like six to fifteen, then
doing so gives you no accountability for what has been done to your systems.

Anyone sticking to the "I have to have root!" model of system administration
is leaving themselves open to a huge awakening as Sarbanes-Oxley and other
regulations overtake us. While we aren't required by law to conform to
Sarbanes-Oxley, we've chosen to bring ourselves as close as we possibly can.
One of the requirements is that what is done to your systems is done with
accountability. To be completely compliant, everything done by / with root
will need to be logged, showing what was done, and by whom. Can you do that
now, with two or more people logging into root? Can you do it with even one
person logging into root? Not on any distribution I know today. So you
aren't compliant, and will be pinged on your audit, and if you're required
to be S-O compliant, you're leaving your company open to legal action.

Just because it's the way RedHat or SuSE does it doesn't make it the
standard. You need it for the installation, which may be why both RedHat and
SuSE are set up that way. It doesn't mean you have to stay that way once the
system is up and running. You change other things on the system after the
install, so I don't see the reasoning of holding up the standard that "It
comes that way, so it should stay that way." That doesn't make any sense.

I stand by my statement: Get out of root as soon as you possibly can after
the install, and stay out of root as much as you possibly can. Complain to
vendors when they force you to use root to install their products. Complain
to vendors that force you to run their product as root. These are practices
that shortly will not be acceptable. And the time shortens every time some
retailer loses thousands of credit card records. We didn't lose that
information, but we're the ones that it is easiest to go to and say "You've
got to improve security! You have to have accountability!" So we're the ones
that will ultimately pay the price. I predict that this will be one of the
costs in the short term.

Anyone willing to bet a coke on it?

--
Robert P. Nix          Mayo Foundation        .~.
RO-OE-5-55             200 First Street SW    /V\
507-284-0844           Rochester, MN 55905   /( )\
-                                            ^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."



On 4/14/08 5:34 PM, "John Summerfield" <[EMAIL PROTECTED]>
wrote:

> RPN01 wrote:
>> Would it be the wrong time to suggest that, once you have the system
>> installed, up and running, nobody should ever log in as root, except in dire
>> or unavoidable circumstances.
>>
>> Once you have the system, give your system administration group sudo all
>> privs. Then just don't log into root at all. This gives you accountability
>
> Red Hat expects administrators to know and use root's password. That's
> what su does.
>
> SUSE expects administrators to know and use root's password. It
> configures sudo to work that way.
>
> Until the vendors change their approach, administrators are going to be
> working that way.
>
> The only Linux distribution that expects administrators to use their own
> password is Ubuntu, and while it's based off Debian that is available
> for IBM mainframes, Ubuntu isn't yet.
>
>
>
> One can also login as root without password if ssh is so configured.
>
>
>
> --
>
> Cheers
> John
>
> -- spambait
> [EMAIL PROTECTED]  [EMAIL PROTECTED]
> -- Advice
> http://webfoot.com/advice/email.top.php
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://support.microsoft.com/kb/555375
>
> You cannot reply off-list:-)
>
> --
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
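
Added example, not part of the thread: a shell check of whose password sudo will ask for under a given sudoers file, and whether the rules are safe for that mode. The first sample is modelled on the SUSE-style default (`Defaults targetpw` plus an `ALL ALL=(ALL) ALL` rule); all three sample files, the function names and the `%sysadmin` group are constructed for illustration.

```shell
#!/bin/sh
# Added example: which password does sudo ask for, and do the rules fit that
# mode? Sample sudoers files below are constructed.

# Print whose password sudo requests: root, runas, target or user.
# Only global "Defaults" lines are read; scoped forms (Defaults:user,
# Defaults@host) and quoted values containing commas are out of scope.
sudo_password_mode() {
    awk '
        /^[ \t]*Defaults[ \t]+/ {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            sub(/[ \t]*#.*$/, "", line)           # drop trailing comment
            n = split(line, item, ",")
            for (i = 1; i <= n; i++) {
                f = item[i]
                gsub(/^[ \t]+|[ \t]+$/, "", f)
                val = 1
                if (substr(f, 1, 1) == "!") { val = 0; f = substr(f, 2) }
                if (f == "rootpw" || f == "runaspw" || f == "targetpw")
                    flag[f] = val                 # a later line overrides
            }
        }
        END {
            if (flag["rootpw"])        print "root"
            else if (flag["runaspw"])  print "runas"
            else if (flag["targetpw"]) print "target"
            else                       print "user"
        }
    ' "$1"
}

# Exit 0 if a rule grants every user ("ALL" in the user field) some access.
has_all_users_rule() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=' "$1"
}

# Verdicts:
#   shared-secret:<mode>  admins must know another account's password
#   open                  own password is asked, but the rule covers everyone
#   per-user              own password, access limited to named users/groups
audit_sudoers() {
    mode=$(sudo_password_mode "$1")
    if [ "$mode" != "user" ]; then
        echo "shared-secret:$mode"
    elif has_all_users_rule "$1"; then
        echo "open"
    else
        echo "per-user"
    fi
}

# --- constructed sample files -------------------------------------------
SUDO_SAMPLES=$(mktemp -d)
trap 'rm -rf "$SUDO_SAMPLES"' EXIT

cat > "$SUDO_SAMPLES/suse_default" <<'EOF'
Defaults env_reset
Defaults targetpw   # ask for the password of the target user, i.e. root
ALL ALL=(ALL) ALL   # only safe together with targetpw
EOF

# targetpw commented out, but the catch-all rule left in place
cat > "$SUDO_SAMPLES/half_fixed" <<'EOF'
Defaults env_reset
# Defaults targetpw
ALL ALL=(ALL) ALL
EOF

cat > "$SUDO_SAMPLES/per_user" <<'EOF'
Defaults env_reset, !targetpw
Defaults logfile=/var/log/sudo.log
%sysadmin ALL=(ALL) ALL
EOF

for f in suse_default half_fixed per_user; do
    printf '%-13s %s\n' "$f" "$(audit_sudoers "$SUDO_SAMPLES/$f")"
done
```

The half_fixed sample shows why the switch needs care on a file like the first one: dropping `targetpw` while keeping the catch-all rule lets any account run commands as root with its own password.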



Has anyone order z/VM from ShopZseries?

2008-04-15 Thread Peter E. Abresch Jr. - at Pepco
I ordered z/VM V5.3 from ShopZseries and received the following downloads:

Opt Prod Enabling Aid
Download ? V6720401.TERS0014 (0.730 MB)
DFSMS/VM FL221
Download ? V6720403.TERS0014 (63.8 MB)
DFSMS/VM Kanji
Download ? V6720402.TERS0004 (2.8 MB)

and some electronic Documentation.

The doc refers to zip files and creating DVDs but this is all I see. Am I 
correct in assuming there is more to z/VM 5.3 and that something is 
missing? Thanks.

Peter


Re: CentOS 4.4 kernel panic on boot s390x

2008-04-15 Thread Mark Post
>>> On Tue, Apr 15, 2008 at  7:55 AM, in message <[EMAIL PROTECTED]>, "Kelly F. Hickel" <[EMAIL PROTECTED]> wrote:
> Well, I guess that I'm out of luck. It says that there are no valid
> partition tables on any of my devices, I have no idea how that could
> have possibly happened, but I seem to have no choices left except to
> reinstall.

If you used the fdisk command instead of the fdasd command, fdisk will report 
that, since DASD volumes aren't set up in such a way that fdisk will work on 
them.  SCSI over FCP will, but not DASD.  I suspect your partition definitions 
are still there.

> I guess that I also don't really understand how it could be getting far
> enough along in a normal boot to get the kernel loaded to the point of
> activating the volume groups, if there aren't any partition tables.

Because the system is still running off a ram disk at that point.

> Am I missing something about lvm? Do I have to do some mdadm commands to
> reassemble these devices into a working filesystem before I can do
> anything? I thought that they would have had to have valid partition
> tables before I could do that..

No, vgscan should do it for you, followed by vgchange -a y if things are in 
working order.


Mark Post



Re: recover root password

2008-04-15 Thread Rob van der Heij
On Tue, Apr 15, 2008 at 3:56 PM, RPN01 <[EMAIL PROTECTED]> wrote:

>  RedHat and SuSE expect administrators to use the root account because "It's
>  always been done that way." But, when you have more than one administrator,
>  and especially if you have more than a handful, like six to fifteen, then
>  doing so gives you no accountability for what has been done to your systems.

We found the "there is no root password" was much more acceptable to
the developers. Too often a response like "you cannot have it" made
them come back later complaining this was the reason their project was
late, with a big badge joining them to twist our arms.
Actually, our users did not have passwords either. We relied entirely
on cryptic keys via SSH and LDAP.
Most harmful things can be done with sudo as well (we even controlled
it by LDAP rather than passwords). And you could always run a shell
under sudo, but it would reveal who was inside.

Rob



Re: CentOS 4.4 kernel panic on boot s390x

2008-04-15 Thread Kelly F. Hickel
> -Original Message-
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
> Brad Hinson
> Sent: Tuesday, April 15, 2008 8:52 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: CentOS 4.4 kernel panic on boot s390x
> 
> I think that message may be misleading.  If you're getting that far into
> the boot process, the partition tables may be there.  Did you get to the
> point of entering the NFS/HTTP/FTP server and path and selecting "Next"?
> That's really as far as you need to go in the installer.  The rest
> should be done in a separate SSH session.
>
> From that separate SSH session, do you see /usr/sbin/lvm?

I've rebooted and gotten to the point of telling it to start VNC, then I
ssh in again.
/usr/sbin/lvm exists.

Lvm lvscan/pvscan don't seem to find any volumes.
-/bin/sh-3.00# lvm
lvm> lvscan
  No volume groups found
lvm> pvscan
  No matching physical volumes found
lvm>

fdisk seems to think that none of the devices have partition tables on
them (I'd expect /dev/dasda or /dev/dasda1 to have one, since I can get
through a normal boot up to the point of activating volume groups):
Warning: invalid flag 0x of partition table 4 will be corrected by
w(rite)

Command (m for help): p

Disk /dev/dasda: 2461 MB, 2461777920 bytes
15 heads, 12 sectors/track, 3339 cylinders
Units = cylinders of 180 * 4096 = 737280 bytes

 Device Boot  Start End  Blocks   Id  System

Command (m for help):


Thanks, 
Kelly

> 
> -Brad
> 
> On Tue, 2008-04-15 at 06:55 -0500, Kelly F. Hickel wrote:
> > Well, I guess that I'm out of luck. It says that there are no valid
> > partition tables on any of my devices, I have no idea how that could
> > have possibly happened, but I seem to have no choices left except to
> > reinstall.
> >
> > I guess that I also don't really understand how it could be getting far
> > enough along in a normal boot to get the kernel loaded to the point of
> > activating the volume groups, if there aren't any partition tables.
> >
> > Am I missing something about lvm? Do I have to do some mdadm commands to
> > reassemble these devices into a working filesystem before I can do
> > anything? I thought that they would have had to have valid partition
> > tables before I could do that..
> >
> >



Re: CentOS 4.4 kernel panic on boot s390x

2008-04-15 Thread Kelly F. Hickel
> >>> On Tue, Apr 15, 2008 at  7:55 AM, in message
> <[EMAIL PROTECTED]>,
> "Kelly F.
> Hickel" <[EMAIL PROTECTED]> wrote:
> > Well, I guess that I'm out of luck. It says that there are no valid
> > partition tables on any of my devices, I have no idea how that could
> > have possibly happened, but I seem to have no choices left except to
> > reinstall.
> 
> If you used the fdisk command instead of the fdasd command, fdisk will
> report that, since DASD volumes aren't set up in such a way that fdisk
> will work on them.  SCSI over FCP will, but not DASD.  I suspect your
> partition definitions are still there.

That explains something, although fdasd doesn't think there are
partition tables either, I just tried again though, and I can still do a
"normal" load from DASD address D04D and it works right up to the point
where it panics after trying to activate the volume groups...

-/bin/sh-3.00# fdasd -p /dev/dasda
reading volume label:
Could not find VOL1 volume label.
exiting...
-/bin/sh-3.00# fdasd -p /dev/dasdb
reading volume label:
Could not find VOL1 volume label.
exiting...
-/bin/sh-3.00# fdasd -p /dev/dasdc
reading volume label:
Could not find VOL1 volume label.
exiting...
-/bin/sh-3.00# fdasd -p /dev/dasdd
reading volume label:
Could not find VOL1 volume label.
exiting...

> 
> > I guess that I also don't really understand how it could be getting far
> > enough along in a normal boot to get the kernel loaded to the point of
> > activating the volume groups, if there aren't any partition tables.
>
> Because the system is still running off a ram disk at that point.
>
> > Am I missing something about lvm? Do I have to do some mdadm commands to
> > reassemble these devices into a working filesystem before I can do
> > anything? I thought that they would have had to have valid partition
> > tables before I could do that..
> 
> No, vgscan should do it for you, followed by vgchange -a y if things
> are in working order.

Vgscan fails:
-/bin/sh-3.00# lvm
lvm> vgscan
  Reading all physical volumes.  This may take a while...
  No volume groups found
lvm>

> 
> 
> Mark Post

Thanks, 
Kelly



Re: recover root password

2008-04-15 Thread David Andrews
On Tue, 2008-04-15 at 08:56 -0500, RPN01 wrote:
> Anyone willing to bet a coke on it?

Never touch the stuff.

While I take your point about staying out of root insofar as possible,
there are other ways to compartmentalize our systems: virtualization,
r/o filesystems in dedicated partitions, chroots, FBSD-style jails,
xBSD-style securelevels all come to mind.  We can mitigate the situation
when vendors "force" us to use root.

(Is there a s390[x] implementation of selinux?  Just wondering.  I don't
even know how to *capitalize* selinux.)

--
David Andrews
A. Duda and Sons, Inc.
[EMAIL PROTECTED]



Re: CentOS 4.4 kernel panic on boot s390x

2008-04-15 Thread Mark Post
>>> On Tue, Apr 15, 2008 at 11:03 AM, in message
<[EMAIL PROTECTED]>, "Kelly F.
Hickel" <[EMAIL PROTECTED]> wrote: 
-snip-
> That explains something, although fdasd doesn't think there are
> partition tables either, I just tried again though, and I can still do a
> "normal" load from DASD address D04D and it works right up to the point
> where it panics after trying to activate the volume groups...

Right.  The script on the ram disk is trying to get the real root file system 
ready, and when it can't the system dies.

-snip-
> Vgscan fails:
> -/bin/sh-3.00# lvm
> lvm> vgscan
>   Reading all physical volumes.  This may take a while...
>   No volume groups found
> lvm>

I would say at this point that you are indeed out of luck.  If pvscan and 
vgscan aren't finding any traces of the metadata that should be there, it's 
game over.  Are these DASD volumes accessible from other LPARs?  If so, it's 
entirely possible that some overzealous storage administrator reformatted them 
for you.


Mark Post



Re: CentOS 4.4 kernel panic on boot s390x

2008-04-15 Thread Kelly F. Hickel
> -Original Message-
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
> Mark Post
> Sent: Tuesday, April 15, 2008 10:18 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: CentOS 4.4 kernel panic on boot s390x
> 
> >>> On Tue, Apr 15, 2008 at 11:03 AM, in message
> <[EMAIL PROTECTED]>,
> "Kelly F.
> Hickel" <[EMAIL PROTECTED]> wrote:
> -snip-
> > That explains something, although fdasd doesn't think there are
> > partition tables either, I just tried again though, and I can still do a
> > "normal" load from DASD address D04D and it works right up to the point
> > where it panics after trying to activate the volume groups...
> 
> Right.  The script on the ram disk is trying to get the real root file
> system ready, and when it can't the system dies.
> 
> -snip-
> > Vgscan fails:
> > -/bin/sh-3.00# lvm
> > lvm> vgscan
> >   Reading all physical volumes.  This may take a while...
> >   No volume groups found
> > lvm>
> 
> I would say at this point that you are indeed out of luck.  If pvscan
> and vgscan aren't finding any traces of the metadata that should be
> there, it's game over.  Are these DASD volumes accessible from other
> LPARs?  If so, it's entirely possible that some overzealous storage
> administrator reformatted them for you.
> 
> 
> Mark Post

OK Mark, thanks for the help.  I was suspicious of this very thing,
especially since we had recently brought up a new z/OS 1.8 LPAR and I
suspected that they might have reused one of these "idle" addresses.  I
had people check and they told me that didn't happen.  I'm having them
check again, and if they say they aren't in use, I'm going to reload
zlinux.  I guess we'll find out pretty fast if they really are using
them (when their data disappears)!

Thanks again all,
-Kelly



Re: recover root password

2008-04-15 Thread David Boyes
> (Is there a s390[x] implementation of selinux?  Just wondering.  I don't
> even know how to *capitalize* selinux.)

Yes. Both major vendors and Debian ship it loaded, but with SELinux
functions turned off or warn-only due to the massive impact of how it
changes the behavior of the system. 



Re: recover root password

2008-04-15 Thread Malcolm Beattie
RPN01 writes:
> To be completely compliant, everything done by / with root
> will need to be logged, showing what was done, and by whom. Can you do that
> now, with two or more people logging into root? Can you do it with even one
> person logging into root? Not on any distribution I know today.

Quick plug: I'll be covering Linux native tools for auditing
(auditd/auditctl), accounting (acct/sa) and other things beginning
with "A"[1] in my technical session at the z Tech Conference in
Dresden next month.

There are trade-offs involved in enabling such things but if you
really want to audit everything root does, you can.

--Malcolm

[1] ACLs and Activity reporting.

--
Malcolm Beattie
System z SWG/STG, Europe
IBM UK



Re: recover root password

2008-04-15 Thread Evans, Kevin R
Even though I don't do Linux work...I agree with Robert here.

Now, it would be a nice feature on the Linux installs, I would imagine,
if RH and Novell and others made it easy to set this up as the install
was running. At least as far as setting up one admin account/password
etc.

Kevin

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
RPN01
Sent: Tuesday, April 15, 2008 9:56 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

By default, sudo expects root's password. But, it can be easily configured
to expect the user to enter his own password instead. It's a one line
change.

RedHat and SuSE expect administrators to use the root account because "It's
always been done that way." But, when you have more than one administrator,
and especially if you have more than a handful, like six to fifteen, then
doing so gives you no accountability for what has been done to your
systems.

Anyone sticking to the "I have to have root!" model of system administration
is leaving themselves open to a huge awakening as Sarbanes-Oxley and other
regulations overtake us. While we aren't required by law to conform to
Sarbanes-Oxley, we've chosen to bring ourselves as close as we possibly can.
One of the requirements is that what is done to your systems is done with
accountability. To be completely compliant, everything done by / with root
will need to be logged, showing what was done, and by whom. Can you do that
now, with two or more people logging into root? Can you do it with even one
person logging into root? Not on any distribution I know today. So you
aren't compliant, and will be pinged on your audit, and if you're required
to be S-O compliant, you're leaving your company open to legal action.

Just because it's the way RedHat or SuSE does it doesn't make it the
standard. You need it for the installation, which may be why both RedHat and
SuSE are set up that way. It doesn't mean you have to stay that way once the
system is up and running. You change other things on the system after the
install, so I don't see the reasoning of holding up the standard that "It
comes that way, so it should stay that way." That doesn't make any sense.

I stand by my statement: Get out of root as soon as you possibly can after
the install, and stay out of root as much as you possibly can. Complain to
vendors when they force you to use root to install their products. Complain
to vendors that force you to run their product as root. These are practices
that shortly will not be acceptable. And the time shortens every time some
retailer loses thousands of credit card records. We didn't lose that
information, but we're the ones that it is easiest to go to and say "You've
got to improve security! You have to have accountability!" So we're the ones
that will ultimately pay the price. I predict that this will be one of the
costs in the short term.

Anyone willing to bet a coke on it?

--
Robert P. Nix  Mayo Foundation.~.
RO-OE-5-55 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."



On 4/14/08 5:34 PM, "John Summerfield" <[EMAIL PROTECTED]> wrote:

> RPN01 wrote:
>> Would it be the wrong time to suggest that, once you have the system
>> installed, up and running, nobody should ever log in as root, except in dire
>> or unavoidable circumstances.
>>
>> Once you have the system, give your system administration group sudo all
>> privs. Then just don't log into root at all. This gives you accountability
>
> Red Hat expects administrators to know and use root's password. That's
> what su does.
>
> SUSE expects administrators to know and use root's password. It
> configures sudo to work that way.
>
> Until the vendors change their approach, administrators are going to be
> working that way.
>
> The only Linux distribution that expects administrators to use their own
> password is Ubuntu, and while it's based off Debian that is available
> for IBM mainframes, Ubuntu isn't yet.
>
>
>
> One can also login as root without password if ssh is so configured.
>
>
>
> --
>
> Cheers
> John
>
> -- spambait
> [EMAIL PROTECTED]  [EMAIL PROTECTED]
> -- Advice
> http://webfoot.com/advice/email.top.php
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://support.microsoft.com/kb/555375
>
> You cannot reply off-list:-)

Re: recover root password

2008-04-15 Thread Alan Altmark
Bob Nix wrote:
> Anyone sticking to the "I have to have root!" model of system
> administration is leaving themselves open to a huge awakening
> as Sarbanes-Oxley and other
> regulations overtake us. While we aren't required by law to conform to
> Sarbanes-Oxley, we've chosen to bring ourselves as close as we possibly
> can.

They are also living in the Dark Ages.

> One of the requirements is that what is done to your systems is done
> with accountability. To be completely compliant, everything done by / with
> root will need to be logged, showing what was done, and by whom. Can you do
> that now, with two or more people logging into root? Can you do it with even
> one person logging into root? Not on any distribution I know today. So you
> aren't compliant, and will be pinged on your audit, and if you're
> required to be S-O compliant, you're leaving your company open to legal action.

It is heartwarming, after a fashion, to see this discussion.  I forget:
When did we introduce LOGON BY to z/VM?  The requirement for
accountability is not driven by law, but by Good Business Practices, with
an eye towards long-term survival.  (The fact that we had to have laws to
tell people that they must use Good Business Practices speaks volumes
about our society and its [lack of] values.  :-(  )

One of the reasons the mainframes have endured for so long is because, I
believe, its purchasers' continued adherence to rigid change control
practices.   "Time is money.  So if you screw up a change, you cost us
money."  This was all before S-O & Co.

Give someone root authority, but make them say "Give me root authority.
Here are my credentials.  If you'll check your e-clipboard, you'll see that
I'm On The List."  (Of course, not REALLY root authority.  E.g. no ability
to grant root to someone else or to turn off security subsystems,
auditing, etc.   "Dinosaurs can cause serious injury or death" is not the
only message to take from the movie Jurassic Park.)

If I was working as a sysadmin, the number of admins was > 1 and all I had
was "root", I'd be screaming from the rafters.  Like my company, I want
protection from the actions of others ("plausible deniability").  Don't
give me root's password - I don't want to know it.

Alan Altmark
z/VM Development
IBM Endicott



Re: recover root password

2008-04-15 Thread Marcy Cortes
Hey, didn't we talk about this stuff a few weeks ago on the phone?

Anyway, we have a unix/linux product in lieu of sudo (on every place but
zLinux at the moment due to vendor support, but that is changing real
soon now) that key stroke logs (to a remote server) every thing one does
while running as root, because, like Alan said, you can do things like
turn off audit and destroy logs, or change the root pw, grant someone
else, etc.

While logonby is great and we use it all the time with byonly userids
and never ever share a password on VM, we still really can't tell those
who care about SOX what someone did when they logged into MAINT or
VMSECURE or RACFVM if he's your guy.   You can't even use last changed
date on minidisks, because, well there is DDR!  z/VM doesn't really have
anything in place to protect you from your sysprog (or at least read
about it after the fact), unlike the other o/s's that at least give the
illusion that they can.

Marcy Cortes




Re: recover root password

2008-04-15 Thread John Summerfield

Rob van der Heij wrote:
> On Tue, Apr 15, 2008 at 12:34 AM, John Summerfield
> <[EMAIL PROTECTED]> wrote:
>
>>  Until the vendors change their approach, administrators are going to be
>>  working that way.
>
> But isn't that why folks bother to hang out on mailing lists and learn
> how to improve their way of working?

Sure. How many do you know of who don't hang out on these lists?

> I consider the default setup maybe the easiest way to get started, but

Lots of people reckon Apple does a good job on UI design. By default,
root on OS X is locked, and users who have administrative rights use
their own password.

That's probably why Ubuntu does it that way, quite a few of the (early)
techos were Apple fans.

> not necessarily the best approach to run your system. My expectations
> of an end-user system are different. If you have someone install just
> one or two systems, you want the installer to do most things right and
> let the user resume his real work. But with professionals doing
> installs as their job, I'd expect them to know the requirements better
> than the vendor. Bonus points for installers that let you tweak the
> process rather than fight it (I have bad memories of YaST re-install
> some products each time it could).

Over time, there have been arguments on RH lists that RH wasn't doing
enough to make systems as secure as they should be, and criticising RH
practices. I remember complaining about many rpms that could only be
built by root - the kernel was the last I recall, and at the time the
build process was creating a device entry.

RH has learned and generally has done things fairly well long enough
that Brad may be surprised to read this:-)

> We used to have IBM products with installation instructions like this:
>  CP MSG OPERATOR PLEASE MOUNT TAPE
>  CP WNG ALL MAINTENANCE WILL BEGIN !
>  REW 181
> Even though these are actual commands, I believe they should not be
> taken literally as the maintenance procedure in any shop.

I used to install a lot of third-party stuff on MVS; I learned to use
salt when reading instructions.

--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-15 Thread John Summerfield

RPN01 wrote:
> By default, sudo expects root's password.

That is not what the man page says. It _is_ the way SUSE configures it.



--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
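
The disagreement in this thread comes down to which password sudo asks for. As an added example (not from any poster or vendor), this script classifies a sudoers file by that setting; `targetpw`, `rootpw` and `runaspw` are real sudoers flags, while the three sample files, the `%sysadmin` group and the catch-all `ALL ALL=(ALL) ALL` rule are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. targetpw, rootpw and runaspw are real
# sudoers Defaults flags; the file contents, group name and function names
# below are constructed for illustration.

# Print "<line>:<kind>:<detail>" for settings that weaken accountability.
sudoers_findings() {
    awk '
        /^[ \t]*#/ { next }                     # comment (also #include lines)
        /^[ \t]*$/ { next }                     # blank line
        {
            line = $0
            sub(/[ \t]*#.*/, "", line)          # strip trailing comment
            sub(/[ \t]+$/, "", line)
        }
        line ~ /^[ \t]*Defaults/ {
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^(targetpw|rootpw|runaspw)$/)
                    print NR ":shared-password:" opts[i]
            next
        }
        line ~ /^[ \t]*ALL[ \t]+ALL[ \t]*=[ \t]*\(ALL(:ALL)?\)[ \t]*ALL$/ {
            print NR ":catch-all:any user may run any command"
        }
    ' "$1"
}

# Reduce the findings to one verdict:
#   SHARED_PASSWORD    admins authenticate with a password they all know
#   OPEN_TO_ALL_USERS  own password is asked, but every account is allowed
#   PER_USER           own password, and only named users or groups
sudoers_verdict() {
    findings=$(sudoers_findings "$1")
    case "$findings" in
        *:shared-password:*) echo SHARED_PASSWORD ;;
        *:catch-all:*)       echo OPEN_TO_ALL_USERS ;;
        *)                   echo PER_USER ;;
    esac
}

# Constructed sample files.
sudo_tmp=$(mktemp -d)
trap 'rm -rf "$sudo_tmp"' EXIT

cat > "$sudo_tmp/vendor" <<'EOF'
Defaults env_reset
Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL
root ALL=(ALL) ALL
EOF

# The "one line change" applied on its own: targetpw gone, catch-all kept.
cat > "$sudo_tmp/half-fixed" <<'EOF'
Defaults env_reset
ALL ALL=(ALL) ALL
root ALL=(ALL) ALL
EOF

cat > "$sudo_tmp/per-user" <<'EOF'
Defaults env_reset
%sysadmin ALL=(ALL) ALL
root ALL=(ALL) ALL
EOF

for f in vendor half-fixed per-user; do
    printf '%-10s %s\n' "$f" "$(sudoers_verdict "$sudo_tmp/$f")"
done
```

The middle case is the one to check for after editing with visudo: dropping `targetpw` while a catch-all rule remains lets every local account run any command with its own password.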



Re: recover root password

2008-04-15 Thread John Summerfield

Malcolm Beattie wrote:
> RPN01 writes:
>> To be completely compliant, everything done by / with root
>> will need to be logged, showing what was done, and by whom. Can you do that
>> now, with two or more people logging into root? Can you do it with even one
>> person logging into root? Not on any distribution I know today.
>
> Quick plug: I'll be covering Linux native tools for auditing
> (auditd/auditctl), accounting (acct/sa) and other things beginning
> with "A"[1] in my technical session at the z Tech Conference in
> Dresden next month.
>
> There are trade-offs involved in enabling such things but if you
> really want to audit everything root does, you can.
>
> --Malcolm
>
> [1] ACLs and Activity reporting.

While composing an earlier reply, I was thinking of suggesting ACLs (and
read the man page).

I thought of two disadvantages
1. Logging, which you say can be done
2. Password prompt.

What do enterprise users think?




--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-15 Thread John Summerfield

Bjoern A. Zeeb wrote:
> On Mon, 14 Apr 2008, Miguel Roman wrote:
>
> Hi,
>
> so, all I read was that you had to take down/reboot the linux system
> to recover.
>
> The days I last used linux (on intel that was) you could simply boot
> into single user mode and got a shell once / was mounted without being
> asked for a password.

Whether that works depends on the distro, some try to impede folk by
using sulogin (great fun when a manual fsck is necessary).

If you can boot without password, sulogin is a lost cause. Boot with
this option:
... init=/bin/bash
and be prepared to find and mount the filesystems yourself.

Then reboot.

If the bootloader uses a password, that's usually futile too:
1. Boot from CD or similar. A grub floppy will do on intellish hardware.
2. Remove drive and have at it in another system.

The Fedora project is working on installing to encrypted disk, that
should be available in f9 (which is now in beta).

ps
fc3 was about RHEL4
fc6 was about RHEL5
fc9 ?? Will it be? Could it be?

> You change your password and continue to the boot to get to multi user.
>
> So now I have no idea if
> - is it possible to boot into single user mode easily from VM?
> - the distributions do ask for a password (the root password) these
>   days before you get the shell in single user mode?
>
> The advantage of this concept was that it was pretty damn fast if you
> had to reboot anyway and you didn't need any 2nd system and do mounts
> and chroot and all that.
>
> Some BSD systems have a second privileged user called 'toor' btw. You
> could easily setup a password for that user at install time, write it
> down put it into a safe and you wouldn't even have to reboot ... but
> setting up sudo properly, as said by others, should be a better choice
> these days.

I managed to lose the password file once. I was very relieved when I
realised
1. I had an active vnc session
2. I don't have good vnc passwords (the ungodly don't get close enough
to test them).

A vnc session through my modem was better than a car journey.


--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-15 Thread John Summerfield

Rob van der Heij wrote:

> More convenient IMHO is to have another running Linux server reach out
> to the disks of the dead server and mount them. That way you have all
> the tools you need to fix things (though it may be that current
> LVM-tools have a strong one-system mindset).


Folk on RH/Fedora lists have complained long about filesystem labels,
and LVM names are fully as good at causing grief.

Help is at hand, we're going to oh-so-long UUIDs now. There's a change
in LVM names too.

Oh joy!

--

Cheers
John




Re: recover root password

2008-04-15 Thread John Summerfield

McKown, John wrote:

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On
Behalf Of John Summerfield
Sent: Monday, April 14, 2008 5:34 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password


[snip]


Red Hat expects administrators to know and use root's password. That's
what su does.

SUSE expects administrators to know and use root's password. It
configures sudo to work that way.


Strange. On my OpenSUSE at home, it asks for my password, not root's
password.

Then you must have changed it, as I did. This is from the distributed
configuration on 10.3:
Defaults targetpw   # ask for the password of the target user i.e. root

I verified it:
05:45 [EMAIL PROTECTED] tmp]$ rpm2cpio



Until the vendors change their approach, administrators are going to be
working that way.


That can be fixed by the administrator using visudo to change


It can be, but most people will assume the vendor has it right until
they learn otherwise.

Did _you_ go through every bit of your opensuse configuration to ensure
it's sane, according to your own beliefs?



/etc/sudoers. Granted, another customization that the vendor should do.
Perhaps. But you know how much people will scream "why did that
CHANGE" if the vendor does it.


Ubuntu used sudo from the beginning. I don't recall any controversy over
it. I imagine that when RH/SUSE does it, they will document it in the
release notes and other documentation, and when people challenge it,
point them at the documentation.





The only Linux distribution that expects administrators to use their own
password is Ubuntu, and while it's based off Debian that is available
for IBM mainframes, Ubuntu isn't yet.

One can also login as root without password if ssh is so configured.


Hopefully you mean with a cert instead of a password.


I don't know of anyone who's implemented ssh to allow login without
_some_ credentials.


--

Cheers
John


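The `Defaults targetpw` line quoted in the message above decides whose password sudo prompts for. The following is an added example, not part of the thread or of any distribution: a shell function that reads the global `Defaults` lines of a sudoers-style file and reports the effective setting. The function names and both sample files are constructed for illustration, and the script assumes that `rootpw` takes precedence when both flags are on and ignores `Defaults:user` scoping and included files.

```shell
#!/bin/sh
# Added example: report whose password sudo prompts for, from the global
# "Defaults" lines of a sudoers-style file. Later settings override earlier.
# Assumptions: Defaults:user / Defaults@host scoping and #include files are
# ignored; if both flags are on, rootpw is reported (assumed precedence).
sudo_prompt_owner() {
    targetpw=off rootpw=off
    set -f                                   # no globbing while splitting
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr '\t' ' ')   # strip comment
        line=${line#"${line%%[! ]*}"}                      # trim left
        case $line in "Defaults "*) ;; *) continue ;; esac
        old_ifs=$IFS; IFS=,
        for opt in ${line#Defaults }; do
            case $(printf '%s' "$opt" | tr -d ' ') in
                targetpw)    targetpw=on ;;
                '!targetpw') targetpw=off ;;
                rootpw)      rootpw=on ;;
                '!rootpw')   rootpw=off ;;
            esac
        done
        IFS=$old_ifs
    done < "$1"
    set +f
    if [ "$rootpw" = on ]; then echo root
    elif [ "$targetpw" = on ]; then echo target-user
    else echo invoking-user; fi
}

# Constructed sample files (not copied from any distribution).
write_samples() {
    printf '%s\n' 'Defaults always_set_home' \
        'Defaults targetpw   # ask for the password of the target user i.e. root' \
        'ALL ALL=(ALL) ALL' > "$1/as-shipped"
    printf '%s\n' 'Defaults always_set_home' \
        '# Defaults targetpw' \
        'Defaults env_reset, !targetpw' \
        '%wheel ALL=(ALL) ALL' > "$1/per-user"
}

dir=$(mktemp -d) && write_samples "$dir"
for f in as-shipped per-user; do
    printf '%s: sudo asks for the password of the %s\n' "$f" "$(sudo_prompt_owner "$dir/$f")"
done
rm -rf "$dir"
```

Run against a copy of a real `/etc/sudoers`, a result of `target-user` or `root` means every sudo-capable administrator has to know a shared password.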


Has anyone order z/VM from ShopZseries?

2008-04-15 Thread Les Geer (607-429-3580)
According to Sue Baloga, it looks like this order consisted of DFSMS
only, which could be a valid VM/SDO order.  You can order the z/VM base
system and/or optional licensed products. When anything is ordered
through the VM/SDO, base or LP, the optional product enabling aid is also
shipped.

The installation instructions have two links; one for the operating
system (z/VM System Deliverable) and one for the optional licensed
products (z/VM Licensed Products).  If you ordered optional products
only, you should use the second link.

Here's what the page looks like:


IBM Systems  >System z  >z/VM  >

Installation Instructions for Electronically Delivered z/VM System
Deliverable and Licensed Products.

For instructions on installing the electronic files (zip) for the z/VM
Operating System go to:

* Installation Instructions for Electronically Delivered z/VM System
  Deliverable

For instructions on installing the electronic product envelope (servlink)
files for z/VM Licensed Products go to:

* Installation Instructions for Electronically Delivered z/VM License
 Products

It doesn't appear the base operating system (z/VM System Deliverable)
was ordered.





Best Regards,
Les Geer
IBM z/VM and Linux Development



>I ordered z/VM V5.3 from ShopZseries and received the following downloads:
>
>Opt Prod Enabling Aid
>Download ? V6720401.TERS0014 (0.730 MB)
>DFSMS/VM FL221
>Download ? V6720403.TERS0014 (63.8 MB)
>DFSMS/VM Kanji
>Download ? V6720402.TERS0004 (2.8 MB)
>
>and some electronic Documentation.
>
>The doc refers to zip files and creating DVDs but this is all I see. Am I
>correct in assuming there is more to z/VM 5.3 and that something is
>missing? Thanks.



Re: What distribution and why?

2008-04-15 Thread Phil Smith III
"Evans, Kevin R" <[EMAIL PROTECTED]> wrote:
>As I said, though, I don't have a problem...but thanks for trying to
>help!

I believe the confusion here is due to what looked like a slightly idiomatic 
American usage -- "What EXACTLY is your problem???" -- which translates to 
"Hey, jerk, what is wrong with you?  Are you stupid or what?".  I'd bet large 
sums that Hubert Kleinmanns didn't mean it that way, and was instead asking, 
"Can you be more specific about the issue you found with MQ and SUSE?"

Once again, infernal English leads to what could (and would have, on most 
lists!) been an international incident.

And once again, the professionalism and courtesy of the VM and z/Linux 
community avoids bloodshed...

...phsiii (Feeling proud to be a Vmer today)
