RE: [Veritas-bu] login as unix user
One last rant on sudo...accountability. It's a lot easier to tell who actually did a sudo versus root issuing .

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Lightner
Sent: Thursday, January 26, 2006 2:26 PM
To: David Rock; veritas-bu@mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] login as unix user

Hasn't been an issue for me - only one place I worked at had separate backup admins. Everywhere else the Unix Admins were also the Backup Admins. The place where backup admins were separate was the place that made the most extensive use of sudo and like I said it didn't have root shell for them or anyone other than the Unix admins.

Anyway the idea wasn't to avoid all root access but to restrict it to only those commands necessary. Anything that can be scripted can be made into a sudo command. The command runs as root but doesn't give access to root.

Personally I've never much cared for "we have other holes so why fix any" approach to security. Even if there are back door ways to get root the idea of security is to harden the target. It's much like putting a lock on your door and having an alarm system in your house. It may not prevent all possible break-ins but it will at least limit the likelihood.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Rock
Sent: Thursday, January 26, 2006 11:07 AM
To: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] login as unix user

* Paul Keating <[EMAIL PROTECTED]> [2006-01-26 10:32]:
> In other words, if you want root access, you can give it to yourself.
> :o)

Or at the very least, make _sure_ management understands that you are not responsible for maintaining the environment at that point. Something goes wrong with a tape drive or the server needs to be rebooted, _they_ better be willing to get someone in place at 2am to take care of it because you can't.

--
David Rock
[EMAIL PROTECTED]
___
Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
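The accountability point in the message above, as an added example that is not part of the original thread: sudo logs the invoking user with every command, while a direct root login or a root shell obtained through sudo leaves later activity recorded only as root. The log lines are constructed, and the host name, user names and `/usr/local/sbin` wrapper scripts are hypothetical.

```python
import re
from collections import defaultdict

# Constructed syslog lines in sudo's and sshd's usual formats (not from the
# thread). Host, users and the /usr/local/sbin wrappers are hypothetical.
SAMPLE_LOG = """\
Jan 26 09:14:02 master1 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/local/sbin/nbu-stop
Jan 26 09:20:47 master1 sudo:      bob : TTY=pts/5 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/local/sbin/nbu-available-media
Jan 26 09:31:10 master1 sudo:    carol : command not allowed ; TTY=pts/7 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/reboot
Jan 26 09:40:33 master1 sudo:      bob : TTY=pts/5 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jan 26 09:52:18 master1 sshd[2211]: Accepted password for root from 192.0.2.15 port 40022 ssh2
"""

STAMP = r"(?P<when>\w{3}\s+\d+\s[\d:]{8})\s\S+\s"
SUDO_RE = re.compile(
    STAMP + r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s:\s"
    r"(?:(?P<denied>[^;=]+?)\s;\s)?TTY=\S+\s;\sPWD=.*?\s;\s"
    r"USER=(?P<runas>\S+)\s;\sCOMMAND=(?P<cmd>.+)$")
ROOT_LOGIN_RE = re.compile(
    STAMP + r"sshd(?:\[\d+\])?:\sAccepted\s\S+\sfor\sroot\sfrom\s(?P<src>\S+)")
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "su"}


def attribute(log_text):
    """Group sudo events by invoking user; list where attribution stops."""
    per_user = defaultdict(list)
    blind_spots = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            status = "denied" if m["denied"] else "ran"
            per_user[m["user"]].append((m["when"], status, m["cmd"]))
            binary = m["cmd"].split()[0].rsplit("/", 1)[-1]
            if status == "ran" and m["runas"] == "root" and binary in SHELLS:
                # Commands typed inside this shell are recorded only as root.
                blind_spots.append((m["when"], f"root shell via sudo by {m['user']}"))
            continue
        m = ROOT_LOGIN_RE.match(line)
        if m:
            # A shared root account: the log shows a source, not a person.
            blind_spots.append((m["when"], f"direct root login from {m['src']}"))
    return dict(per_user), blind_spots


if __name__ == "__main__":
    users, gaps = attribute(SAMPLE_LOG)
    for user, events in users.items():
        print(user, events)
    print("attribution stops at:", gaps)
```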
RE: [Veritas-bu] login as unix user
Hasn't been an issue for me - only one place I worked at had separate backup admins. Everywhere else the Unix Admins were also the Backup Admins. The place where backup admins were separate was the place that made the most extensive use of sudo and like I said it didn't have root shell for them or anyone other than the Unix admins.

Anyway the idea wasn't to avoid all root access but to restrict it to only those commands necessary. Anything that can be scripted can be made into a sudo command. The command runs as root but doesn't give access to root.

Personally I've never much cared for "we have other holes so why fix any" approach to security. Even if there are back door ways to get root the idea of security is to harden the target. It's much like putting a lock on your door and having an alarm system in your house. It may not prevent all possible break-ins but it will at least limit the likelihood.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Rock
Sent: Thursday, January 26, 2006 11:07 AM
To: veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] login as unix user

* Paul Keating <[EMAIL PROTECTED]> [2006-01-26 10:32]:
> In other words, if you want root access, you can give it to yourself.
> :o)

Or at the very least, make _sure_ management understands that you are not responsible for maintaining the environment at that point. Something goes wrong with a tape drive or the server needs to be rebooted, _they_ better be willing to get someone in place at 2am to take care of it because you can't.

--
David Rock
[EMAIL PROTECTED]
Re: [Veritas-bu] login as unix user
* Paul Keating <[EMAIL PROTECTED]> [2006-01-26 10:32]:
> In other words, if you want root access, you can give it to yourself.
> :o)

Or at the very least, make _sure_ management understands that you are not responsible for maintaining the environment at that point. Something goes wrong with a tape drive or the server needs to be rebooted, _they_ better be willing to get someone in place at 2am to take care of it because you can't.

--
David Rock
[EMAIL PROTECTED]
RE: [Veritas-bu] login as unix user
Exactly.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> David Rock
> Sent: January 26, 2006 11:07 AM
> To: veritas-bu@mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] login as unix user
>
> * Paul Keating <[EMAIL PROTECTED]> [2006-01-26 10:32]:
> > In other words, if you want root access, you can give it to yourself.
> > :o)
>
> Or at the very least, make _sure_ management understands that you are
> not responsible for maintaining the environment at that point.
> Something goes wrong with a tape drive or the server needs to be
> rebooted, _they_ better be willing to get someone in place at 2am to
> take care of it because you can't.
>
> --
> David Rock
> [EMAIL PROTECTED]
RE: [Veritas-bu] login as unix user
In other words, if you want root access, you can give it to yourself.
:o)

Paul
...can't imagine not having root to admin.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ed Wilts
> Sent: January 26, 2006 7:35 AM
> To: Yoseph Leleputra
> Cc: Brzozowski, Dwayne; veritas-bu@mailman.eng.auburn.edu
> Subject: Re: [Veritas-bu] login as unix user
>
> Your system administrators also need to know that a NetBackup
> administrator has full read/write access to *every* file on *every*
> system that's under NetBackup's control. There's nothing they can do
> to stop that.
Re: [Veritas-bu] login as unix user
On Thu, Jan 26, 2006 at 08:46:10AM -0500, Jeff Lightner wrote:
> Sudo is a great idea for using utilities but any Unix Admin worth
> his/her salt isn't going to give you a root shell via sudo - it defeats
> the whole point of not giving out the root account in the first place.
> The audit objection to having root is not the specific account but the
> total power over the system it confers and giving you a root shell via
> sudo would allow that same power. Sudo should be used only to give you
> access to specific commands.
>
> If auditors at your company missed this then you lucked out but should
> probably suggest to your management that they hire a new auditing
> company next time because only God knows what else they missed. At a
> prior job I did give access to multiple accounts via sudo but you can be
> sure none of them were root level.

We *know* what giving out a root shell entails. The people that have been granted this privilege have earned this level of trust.

As I said though, if you have access to NetBackup commands - like backup and restore - the system is yours, no matter what anybody else does. You have "the total power over the system". Nothing stops you from restoring a passwd file or a new sudoers file. Sure, it's harder, but the system is yours nevertheless. Similarly, we have physical access to all of the servers that we manage anyway so those systems are "ours" too, even though we're not the admins.

All of our NetBackup admins previously admin'ed other production-critical systems, and some (including me) still do. I have primary administration responsibilities for a VMS cluster and a bunch of Linux systems, plus the company's DNS (both internal and external) and DHCP infrastructure. If the company couldn't trust me with root access to the master server, I wouldn't be here.

.../Ed
--
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
RE: [Veritas-bu] login as unix user
Sudo is a great idea for using utilities but any Unix Admin worth his/her salt isn't going to give you a root shell via sudo - it defeats the whole point of not giving out the root account in the first place. The audit objection to having root is not the specific account but the total power over the system it confers and giving you a root shell via sudo would allow that same power. Sudo should be used only to give you access to specific commands.

If auditors at your company missed this then you lucked out but should probably suggest to your management that they hire a new auditing company next time because only God knows what else they missed. At a prior job I did give access to multiple accounts via sudo but you can be sure none of them were root level.

The comment about /tmp throws me though. /tmp should be viewable by everyone - you shouldn't need root access.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Wilts
Sent: Thursday, January 26, 2006 7:35 AM
To: Yoseph Leleputra
Cc: Brzozowski, Dwayne; veritas-bu@mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] login as unix user

On Thu, Jan 26, 2006 at 12:18:10AM -0800, Yoseph Leleputra wrote:
> Now I have another problem. Because the Master server is not installed
> on a dedicated server, and there is another application, I can't get
> a root password. So when I need to start/stop NetBackup or run a
> script from Veritas, like printing available media, I must wait for
> my manager to come. Is there a way to upgrade my user authority to
> run NetBackup utilities like root can do?

Ask your system administrators to look into sudo. They can configure sudo so that you can run all the NetBackup commands you need. They can also give you root shell access without knowing the root password (I never sign on as root on my master server but use sudo every day).

Your system administrators also need to know that a NetBackup administrator has full read/write access to *every* file on *every* system that's under NetBackup's control. There's nothing they can do to stop that.

--
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
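The distinction drawn in the message above, between sudo rules for specific commands and a rule that amounts to a root shell, can be checked mechanically. This is an added example, not code from the thread: the sudoers fragment is constructed, and the `/usr/local/sbin/nbu-*` wrapper scripts and user names are hypothetical.

```python
import re

# Constructed sudoers fragment (not from the thread). The wrapper scripts
# under /usr/local/sbin are hypothetical names chosen for this example.
SAMPLE_SUDOERS = """\
# backup operators: specific scripted commands only
Cmnd_Alias NBU_OPS = /usr/local/sbin/nbu-start, /usr/local/sbin/nbu-stop, \\
                     /usr/local/sbin/nbu-available-media
%backup  ALL = (root) NBU_OPS
alice    ALL = (root) /bin/sh
bob      ALL = (ALL) ALL
carol    ALL = (root) NOPASSWD: /usr/bin/vi /etc/hosts
"""

# Commands that hand back a general-purpose root session: shells, su, and
# editors or pagers, which offer shell escapes unless NOEXEC is set.
SHELL_LIKE = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "su",
              "vi", "vim", "ed", "emacs", "less", "more"}

def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines.
    Simplification: every '#' starts a comment (ignores #include, #uid)."""
    merged = re.sub(r"\\\n\s*", " ", text)
    stripped = (ln.split("#", 1)[0].strip() for ln in merged.splitlines())
    return [ln for ln in stripped if ln]

def parse(text):
    """Return (aliases, rules); each rule is (who, [command specs])."""
    aliases, rules = {}, []
    for line in logical_lines(text):
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        rule = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
        elif rule and not line.startswith("Defaults"):
            cmds = re.sub(r"\b[A-Z_]+:\s*", "", rule.group(2))  # drop NOPASSWD: etc.
            rules.append((rule.group(1), [c.strip() for c in cmds.split(",")]))
    return aliases, rules

def root_equivalent(spec, aliases):
    """True if a command spec amounts to an unrestricted root session."""
    if spec in aliases:
        return any(root_equivalent(c, aliases) for c in aliases[spec])
    if spec == "ALL":
        return True
    return spec.split()[0].rsplit("/", 1)[-1] in SHELL_LIKE

def audit(text):
    """Map each user or %group to the specs that give away root."""
    aliases, rules = parse(text)
    findings = {}
    for who, specs in rules:
        risky = [s for s in specs if root_equivalent(s, aliases)]
        findings.setdefault(who, []).extend(risky)
    return findings

if __name__ == "__main__":
    for who, risky in audit(SAMPLE_SUDOERS).items():
        print(who, "->", risky or "specific commands only")
```

An empty finding describes only the sudoers rule itself. As Ed Wilts points out elsewhere in this thread, a permitted command that can restore arbitrary files still confers control of the system, so the wrapped commands need review as well.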
Re: [Veritas-bu] login as unix user
On Thu, Jan 26, 2006 at 12:18:10AM -0800, Yoseph Leleputra wrote:
> Now I have another problem. Because the Master server is not installed
> on a dedicated server, and there is another application, I can't get
> a root password. So when I need to start/stop NetBackup or run a
> script from Veritas, like printing available media, I must wait for
> my manager to come. Is there a way to upgrade my user authority to
> run NetBackup utilities like root can do?

Ask your system administrators to look into sudo. They can configure sudo so that you can run all the NetBackup commands you need. They can also give you root shell access without knowing the root password (I never sign on as root on my master server but use sudo every day).

Your system administrators also need to know that a NetBackup administrator has full read/write access to *every* file on *every* system that's under NetBackup's control. There's nothing they can do to stop that.

--
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
RE: [Veritas-bu] login as unix user
I manage multiple Master servers (nbu 5.1mp5 on Solaris). I have no root access. Admins set up Role-based security. Works very well (I have no choice in the matter). There are times that I have to get them to do something for me (like change root's crontab). The biggest headache is that some output files get written to /tmp and I don't have permission to look at them.

We have been on this security setup for 1 month now and can live with it. Some auditor said that too many people had root access to too many servers.

Bobby Williams
2205 Peterson Drive
Chattanooga, Tennessee 37421
423-296-8200

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yoseph Leleputra
Sent: Thursday, January 26, 2006 3:18 AM
To: Brzozowski, Dwayne; veritas-bu@mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] login as unix user

Thanks Dwayne,

Now I have another problem. Because the Master server is not installed on a dedicated server, and there is another application, I can't get a root password. So when I need to start/stop NetBackup or run a script from Veritas, like printing available media, I must wait for my manager to come. Is there a way to upgrade my user authority to run NetBackup utilities like root can do?

Thanks in advance
Yoseph

"Brzozowski, Dwayne" <[EMAIL PROTECTED]> wrote:

You're welcome! Glad I could help. Also, if you have a NetBackup client, and a logon to that client, fix up the auth.conf the same way and you can pull the jnbSA from there as well. If you're running ssh, that does take some configuration, but it does work.
-djb

From: Yoseph Leleputra [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 12:35 AM
To: Brzozowski, Dwayne; veritas-bu@mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] login as unix user

I got it. Thanks for all the support, now I can get the admin console with my login id.

Yoseph

"Brzozowski, Dwayne" <[EMAIL PROTECTED]> wrote:

Yoseph, to get the admin console, edit the /usr/openv/java/auth.conf and add your login id to the beginning of the last line, then add this: ADMIN=ALL JBP=ALL. From the console/terminal/remote_cde session of either the master or media servers, you type jnbSA and it will authenticate your login from the master.
-djb

Dwayne J. Brzozowski
Department of Veterans Affairs
Austin Automation Center
Team Lead-Open Systems Support
email:[EMAIL PROTECTED]
phone:512-326-6728

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yoseph Leleputra
Sent: Wednesday, January 18, 2006 6:09 AM
To: veritas-bu@mailman.eng.auburn.edu
Subject: [Veritas-bu] login as unix user

Dear World,

I hope there is someone who is experienced with setting user authority on Solaris. How do I set my user (not root) to get the NetBackup Administration Console? Because now when I log in with my user I only get the NetBackup client console, even when I log in at the master server.

I really appreciate all advice.

Thanks in advance
Cheers
Yoseph
RE: [Veritas-bu] login as unix user
Thanks Dwayne,

Now I have another problem. Because the Master server is not installed on a dedicated server, and there is another application, I can't get a root password. So when I need to start/stop NetBackup or run a script from Veritas, like printing available media, I must wait for my manager to come. Is there a way to upgrade my user authority to run NetBackup utilities like root can do?

Thanks in advance
Yoseph

"Brzozowski, Dwayne" <[EMAIL PROTECTED]> wrote:

You're welcome! Glad I could help. Also, if you have a NetBackup client, and a logon to that client, fix up the auth.conf the same way and you can pull the jnbSA from there as well. If you're running ssh, that does take some configuration, but it does work.
-djb

From: Yoseph Leleputra [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 12:35 AM
To: Brzozowski, Dwayne; veritas-bu@mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] login as unix user

I got it. Thanks for all the support, now I can get the admin console with my login id.

Yoseph

"Brzozowski, Dwayne" <[EMAIL PROTECTED]> wrote:

Yoseph, to get the admin console, edit the /usr/openv/java/auth.conf and add your login id to the beginning of the last line, then add this: ADMIN=ALL JBP=ALL. From the console/terminal/remote_cde session of either the master or media servers, you type jnbSA and it will authenticate your login from the master.
-djb

Dwayne J. Brzozowski
Department of Veterans Affairs
Austin Automation Center
Team Lead-Open Systems Support
email:[EMAIL PROTECTED]
phone:512-326-6728

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yoseph Leleputra
Sent: Wednesday, January 18, 2006 6:09 AM
To: veritas-bu@mailman.eng.auburn.edu
Subject: [Veritas-bu] login as unix user

Dear World,

I hope there is someone who is experienced with setting user authority on Solaris. How do I set my user (not root) to get the NetBackup Administration Console? Because now when I log in with my user I only get the NetBackup client console, even when I log in at the master server.

I really appreciate all advice.

Thanks in advance
Cheers
Yoseph
RE: [Veritas-bu] login as unix user
I got it. Thanks for all the support, now I can get the admin console with my login id.

Yoseph

"Brzozowski, Dwayne" <[EMAIL PROTECTED]> wrote:

Yoseph, to get the admin console, edit the /usr/openv/java/auth.conf and add your login id to the beginning of the last line, then add this: ADMIN=ALL JBP=ALL. From the console/terminal/remote_cde session of either the master or media servers, you type jnbSA and it will authenticate your login from the master.
-djb

Dwayne J. Brzozowski
Department of Veterans Affairs
Austin Automation Center
Team Lead-Open Systems Support
email:[EMAIL PROTECTED]
phone:512-326-6728

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yoseph Leleputra
Sent: Wednesday, January 18, 2006 6:09 AM
To: veritas-bu@mailman.eng.auburn.edu
Subject: [Veritas-bu] login as unix user

Dear World,

I hope there is someone who is experienced with setting user authority on Solaris. How do I set my user (not root) to get the NetBackup Administration Console? Because now when I log in with my user I only get the NetBackup client console, even when I log in at the master server.

I really appreciate all advice.

Thanks in advance
Cheers
Yoseph