Hello Sun-Managers:
Man, this list is terrific!!!!
I got TONS of replies to my question about restricting root access while
allowing rdumps by roots crontab.
---------------------- Original question -------------------------------
Configuration:
--------------
three Sparc 2 and two Sparc 1 machines, all on the same piece of
thinnet.
A Sparc 2 is the NIS master and dump host.
Problem:
--------
How to do a remote dump from a root cron job while restricting root
access. Basically I want to back up all the Sparcs using:
rsh <hostname> rdump <dumphost>
and do this from the dumphost via roots cron job.
BUT:
---- I would like to restrict root logins to the Sparcs to users who have the root passwords on the various machines, that is I do not want users on machine A becoming root and logging in as root on user B's machine, by typing rsh <hostname> or rlogin <hostname>.So the question is: ------------------ Is there a way to restrict root logins ( via .rhosts and /etc/hosts.equiv OR whatever ) to users with the root password but at the same time allow rsh to do rdumps from a cron job ?
The cron job in question is part of roots cron jobs that run every night. The problem comes when restricting logins by root. It seems that a process has to have roots UID in order to open the disk device in order to do an rdump and of course if you restrict root access the rdump fails.
Does anyone have a solution ? I have gotten really good solutions to my other recent posts, and am hoping for more of the same.
I hope I have given enough and the right info here. Please let me know if I need to give more or more specific info to allow a solution. -------------------------------------------------------------------------
The replies broke down into 6 different suggestions:
1) do the dumps as operator or someone in the operator group. 2) set nosecure on the /etc/ttys and get have the operator group do the dump. 3) allowing the individual machines to initiate the dump to the tapehost instead of the tapehost initiating the dump. 4) have a script copy a .rhosts file to / which would allow the remote dump and then rm the .rhosts file after and replace with the "secure" .rhosts file. 5) run dump as rsh rdump dumpuser@dumphost 6) buy a third party backup utility ( What ?!!! spend money ?!! )
The outcome: I opted for solution number 1. I simply had the group "operator" submit a cron job that does the backups every night. As several people pointed out the disk devices in /dev allow read by the group operator. This solution allows restriction of the root access but still accomplishes the backup with no problems or complaints from rsh. I had considered this before posting to the list, but I wanted to see if there was a way for the root cron job to accomplish the dump while restricting root logins.
solution 2 would have meant that rsh by anyone would require a password which is not feasible for some users who need to jump from machine to machine. solution 3 and 4 and 6 I wanted to avoid, and solution 5 just did not work from the root cronjob.
So once again thank you to all that took the time to reply, your names are listed below, if I have not included someone who replied, it is because I had not gotten your mail when I posted this summary.
If anyone wants the replies in their entirety let me know and I will mail them to you, it is about 54K.
Larry Chin {larry@cch.com}
----------------------------------------------------------------------
Nick Ayoub <nicky@davinci.concordia.ca> atom.cs.utah.edu!yih@hellgate.utah.edu (Benny Yih) katkam@fuwutai.att.com casper@fwi.uva.nl (Casper H.S. Dik) VINCE%UCONNVM@uunet.UU.NET Adam W. Feigin <feigin@iis.ethz.ch> exuksm@exu.ericsson.se (Karl Morgan) C.Eagle@massey.ac.nz Tony Martindale <tony@rata.vuw.ac.nz> rjq@phys.ksu.edu (Rob Quinn) sjh@helicon.math.purdue.edu Dieter Muller <dworkin@merlin.rootgroup.com> Brian Bartholomew - bb@math.ufl.edu John D. Barlow" <John.D.Barlow@arp.anu.edu.au> Jay Plett <jay@princeton.edu> aldrich@sunrise.stanford.edu (Jeff Aldrich) Mike Raffety <miker@sbcoc.com> Perry_Hutchison.Portland@xerox.com mwallen@ucsd.edu macphed@dvinci.USask.CA macphedran@sask.USask.CA Bill Unruh unruh@physics.ubc.ca Eckhard.Rueggeberg@ts.go.dlr.de bernards@ECN.NL (Marcel Bernards) eeimkey@eeiua.ericsson.se (Martin Kelly) matt@wbst845e.xerox.com (Matt Goheen) mailrus!gatech!mit-eddie!proteon.com!gpr@uunet.UU.NET (Gary Richardson) rich@gpsemi.COM (Richard Bogusz x2895) jimh@nsd.fmc.com (Jim Hendrickson x7348 M233) msd@sharpwa.com (Mark Deason) Dave Mitchell <D.Mitchell@dcs.sheffield.ac.uk> T.D.Lee@durham.ac.uk Andie Ness <andie@cstr.ed.ac.uk> derek@nexus.ca (Derek Mallard) mojo@caere.com (Morris Jones)
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:40 CDT