
List:       netcool-users
Subject:    Re: Is Root Access Required For Micromuse HPOV ITO Probe
From:       jrg () acm ! org (James R Grinter)
Date:       1998-12-08 18:30:55

On Tue 8 Dec, 1998, Jeff Allen <jra@corp.webtv.net> wrote:
>Rosenberg, Rich (contractor) wrote:
>> > 	My question is there a way around the probe needing root access to
>> > HP Open View.  Is there a security risk in allowing root access for the
>> > probe?  What steps can be taken to resolve this type of issue?

I don't use ITO, which is what you specifically mention, but I do know
that the NNM probe doesn't seem to need to run as root - at least not
on the setups I've got here. Maybe, if your platform supports it, use
truss/trace/strace and see what actually causes a permission problem.

>this setup. In particular, I'd like to hear that a future version of
>trapd will check to see if it is being run setuid root and jettison
>its privileges as soon as possible after doing the bind() call (and

Agreed.  Actually, running things seteuid is going to become harder
because with 3.3 lots more things are dynamically linked and rely upon
the nco_probe helper script setting LD_LIBPATH, or equivalent, first.

(Incidentally, the 3.2.1 trapd probe behaves oddly under AIX if it is
running seteuid-root, and has problems writing to the
/var/adm/.trapd_seqno file.)

James.
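
An added example, not Micromuse code and not part of the original message: the bind-then-drop pattern discussed above for a daemon installed setuid root. UDP port 162 (the standard SNMP trap port) and the function names `bind_udp` and `drop_privileges` are assumptions made for illustration.

```c
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to `port` on all interfaces; returns fd or -1. */
int bind_udp(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently give up setuid-root privilege; 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();
    if (old_euid == ruid && old_egid == rgid)
        return 0;                       /* not setuid/setgid: nothing to drop */
    /* Groups first, while still privileged enough to change them. */
    if (old_euid == 0 && setgroups(1, &rgid) < 0)
        return -1;
    if (setgid(rgid) < 0 || setuid(ruid) < 0)
        return -1;
    /* Fail closed if the old IDs can be regained (saved IDs not cleared). */
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    int fd = bind_udp(162);   /* assumed trap port; needs root (< 1024) */
    if (drop_privileges() != 0)
        return 2;             /* refuse to continue with privilege */
    return fd < 0;            /* the receive loop would start here */
}
```

The socket stays usable after the drop because the port check happens only at bind() time; the check that the old IDs cannot be regained catches the case where the saved set-user-ID was left intact.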
