----- Original Message -----
From: "Pat Welch" <patubb@inreach.com>
Newsgroups: comp.unix.sco.misc
To: <distro@jpr.com>
Sent: Thursday, March 27, 2008 7:30 PM
Subject: Re: user permission problems
> andrewm659@gmail.com wrote:
>> The asroot utility is set up. But it's not working for the right
>> people.
>>
>>
>> On Mar 27, 11:37 am, ThreeStar <s...@3starsoftware.com> wrote:
>>> On Mar 27, 6:44 am, "andrewm...@gmail.com" <andrewm...@gmail.com>
>>> wrote:
>>>
>>>> I seem to be having some trouble with OpenServer 5.0.6. I need to be
>>>> able to give permission to other users to do various tasks on the
>>>> system, such as kill users and add and remove users and printers. I
>>>> set them up in the tcb and copied the kill command to their home dir.
>>>> When they go to hit 'w' for the who command, it only shows them as
>>>> logged in. I'm not sure why. Could you please help?
>>> I can't tell from your description what you're doing. Are you trying
>>> to set up the "asroot" utility?
>>>
>>> --RLR
>>
>
> Here's my handy dandy asroot cookbook - see if you missed some steps:
>
> 1) If you have special purpose logins to do things requiring root
> permissions, make the special logins ".profile" read something like:
>
> :
> exec /tcb/bin/asroot <program name>
>
> Note you should put any commands in a shell script so asroot can execute
> it with root perms, and you can add sanity tests to prevent things like
> rm -r * while in /.
>
> 2) Create a symbolic link from the script/command to the dir
> "/tcb/files/rootcmds", like (if you make a kill script called "kill_it"):
>
> ln -s /usr/local/bin/kill_it /tcb/files/rootcmds
>
> 3) Add the script name to the file "/etc/auth/system/authorize" at the
> root line, like:
>
> root:shutdown,kill_it
>
> 4) Give the users root auth via scoadmin:
>
> scoadmin > account manager, select user then: Users > Authorizations
>
> add root and the special scripts like "kill_it" to the users that will
> use the scripts.
>
> I also found the man docs on asroot clear as mud when I first
> encountered it after switching to SCO from AT&T Unix back in the early 90's.
>
> The above cookbook took me more hours of WTF's and other colorful
> phrases one afternoon than I would care to admit to. 
>
similarly
http://groups.google.com/group/comp....68b628fc3a4938
http://groups.google.com/group/comp....353cce2082a8fb
Though I never actually used asroot for kill in production anywhere.
I mostly used it to give users the ability to do manual tape backups.
I wonder why I have fixmog as a final step? Probably just to ensure the perms on the copied binary.
Which, I'm sure I read somewhere that you should copy the binary not link it, else I would always prefer to link it too.
Maybe the symlink provides a means to side-step the very security you are trying to maintain?
I don't know how, but, if you are using symlinks and it works, then the only reason I could see not to do it was some security concern.
--
Brian K. White
brian@aljex.com http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
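
The symlink question raised in the last message can be checked mechanically. The following is an added example, not part of the original thread and not SCO tooling: a shell audit that resolves each entry in an asroot command directory and flags any whose target, or the directory holding that target, is not owned by the trusted uid or is writable by group/other. It assumes `readlink -f` is available (it may not be on OpenServer 5.0.6), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Flags asroot command entries whose
# resolved target, or the directory holding it, could be changed by a
# non-trusted account. Function names are hypothetical.

# check_path PATH TRUSTED_UID: print a reason and return 1 if PATH is unsafe.
check_path() {
    # -L follows symlinks, -n prints the numeric uid in field 3
    info=$(ls -ldnL "$1" 2>/dev/null) || { echo "missing or dangling: $1"; return 1; }
    read -r mode links uid rest <<EOF
$info
EOF
    [ "$uid" = "$2" ] || { echo "not owned by uid $2: $1"; return 1; }
    case $mode in
        # character 6 is group write, character 9 is other write
        ?????w*|????????w*) echo "group/other writable: $1"; return 1 ;;
    esac
    return 0
}

# audit_rootcmds DIR TRUSTED_UID: one line per unsafe entry; returns 1 if any.
audit_rootcmds() {
    bad=0
    for entry in "$1"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory
        # Assumption: readlink -f exists (GNU/BSD userland)
        target=$(readlink -f "$entry" 2>/dev/null) || target=$entry
        check_path "$target" "$2" &&
            check_path "$(dirname "$target")" "$2" || bad=1
    done
    return $bad
}

# Usage: sh audit.sh /tcb/files/rootcmds 0
if [ $# -eq 2 ]; then
    audit_rootcmds "$1" "$2"
fi
```

A link that points into a directory other accounts can write to is reported even though the link itself sits in a protected directory, because the file it resolves to can be replaced without touching the link.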