On 29/11/06, Wooton, Geoffrey (NESL-IT) <Geoffrey.Wooton@npower.com> wrote:
> The venerable Paul Mason wrote our routines to allow some 3rd party to run
> ingres commands.

Actually it was just an adaptation of Gordon Crossman's unix runjob.

> Only ingstop and ingstart, but I guess you could open this up if you so
> desired...
>

You could. If you search the google archives of this list for 1997 you
should find me asking about how to start ingres as a non-ingres user.
I eventually got it to work by changing permissions/ownership of a lot
of files after installing as ingres. It was ulgy though and I decided
not to do it that way.

> It was a c routine which changed the uid to root to allow a su to ingres
> without a prompt for the password. The commands allowed were hardcoded in
> the header file... and the routine did not exit into either root nor ingres
> and proved very useful and safe to use.

I'm not sure how safe it was. I was always nervous about it. Gordy
admitted to me that it was a compromise between security and
practicality.

> The header file and compilations were controlled by the ingres user so was
> controlled.
>
> Clever Lad this Paul Mason fella...

Well that may or may not be true but in this instance it wasn't
cleverness it was being backed into a corner.

It was a project where we were contractually obliged to provide
hardware for the software house building the application. However a
separate development server had been removed from the budget. They'd
been given a small old server to do the actual code writing on but
they weren't able to do meaningful testing on it.

The decision was taken to allow them space on the production server. I
fought this and lost. We set up a separate ingres installation and
tried to ring-fence it as much as possible. However one thing that we
needed to do was allow them a way to re-start ingres as their
application tended to crash or hang it.

Now there was no way I was giving them the ingres password but I
already got called out enough for real problems, I didn't fancy adding
to that to just ingstop/ingstart - so we wrote a couple of programs
that would start/stop ingres only in their installation.

They worked but I was always nervous that if someone really tried
there was a security hole there to exploit.

So in short - it was something we did but not something I'd recommend.

--
Paul Mason