Dop show

How do you allow an ordinary user to execute an application or a script with extended privileges, or even as the root user? With a strong Linux/BSD background, the very first option that would come to my mind is sudo. Solaris is more flexible in that regard due to the presence of RBAC. But what about TRU64? Since I’m not very fluent with it, I turned my eyes to Google and typed something like “tru64 sudo”. Thankfully, I came to a forum where a poster was in a similar situation, striving for a sudo binary for the tru64 platform. But the final comment in this thread mentioned dop as an officially supported way. Hm, that rang a bell.

dop – Allows a user to execute a privileged program without knowing the root password. The dop command also modifies the action database.

That looked promising, and it turned out to be very easy to configure. My goal was to give the oes user the right to start Oracle Express server, which, for some strange reason, had been configured in a wacky way so that only the root user was able to start it up.

Back to the dop configuration steps. The easiest way is to do everything from the “sysman dopconfig” menu-driven interface, but since the list of built-in privileges wasn’t sufficient, some manual intervention was inevitable.
Actually, there is already a built-in privilege called “SystemManagement”, but from its description:

SystemManagement privilege allows configuration of kernel facilities such as kernel build, shutdown, cfgmgr, system services start/stop, and software asset management

it is obvious that the list of rights is too broad. Not a big deal, because one could modify the /etc/doprc file, presumably with the vi editor, and add whatever privilege is needed. In my case, I added a new entry to /etc/doprc and named it OracleExpressManagement:

OracleExpressManagement {
        {description    { OracleExpressManagement privilege allows to start/stop Oracle Express Server}}
}

Next, with the help of /usr/sbin/dop utility I added a new action to the dop database:

dop -a OracleExpressManagement oracle_express "/sbin/init.d/express *"

If you look at /etc/doprc, you will notice a new record added to the end of the _Action section:

oracle_express {
            {privs {OracleExpressManagement}}
            {path {/sbin/init.d/express *}}
        }

The last step is to add our user to the list of those allowed to run the dop action (oracle_express). This can be achieved in two ways: through sysman dopconfig or, again, by editing /etc/doprc. Whichever approach you prefer, the net outcome is the same – /etc/doprc will be updated slightly:

OracleExpressManagement {
        {users  { oes }}
        {description    { OracleExpressManagement privilege allows start/stop }}
}

That’s it; from now on the oes user can run a simple command to start/stop Oracle Express:

/usr/sbin/dop oracle_express start
/usr/sbin/dop oracle_express stop
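
To review who ends up able to run what after edits like these, the following sketch (an added example, not part of the original post and not a TRU64 tool) parses a copy of /etc/doprc and resolves each action to its privileges and users. It assumes that action records sit inside an "_Action { ... }" block and that a trailing "*" in a path entry stands for any arguments; both are inferred from the snippets above, and the function names are made up for this illustration.

```python
import re
# Constructed sample built from the entries above; the "_Action { }" wrapper is assumed.
SAMPLE_DOPRC = """
OracleExpressManagement {
        {users  { oes }}
}
_Action {
        oracle_express {
            {privs {OracleExpressManagement}}
            {path {/sbin/init.d/express *}}
        }
}
"""

def parse_block(tokens, pos):
    """Parse the tokens after an opening '{'; return (nested list, next pos)."""
    items = []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "}":
            return items, pos
        if tok == "{":
            tok, pos = parse_block(tokens, pos)   # nested group becomes a sub-list
        items.append(tok)
    raise ValueError("unbalanced braces: missing '}'")

def parse_doprc(text):
    """Return {name: nested list} for every top-level 'name { ... }' entry."""
    tokens, entries, pos = re.findall(r"[{}]|[^\s{}]+", text), {}, 0
    while pos < len(tokens):
        name, brace = tokens[pos], tokens[pos + 1:pos + 2]
        if name in ("{", "}") or brace != ["{"]:
            raise ValueError(f"expected 'name {{' at token {pos}")
        entries[name], pos = parse_block(tokens, pos + 2)
    return entries

def fields(block):  # [[key, [values]], ...] -> {key: [values]}
    return {i[0]: i[1] for i in block if isinstance(i, list) and len(i) == 2}

def audit(text):
    """Return (action, user, command, flags) for each user allowed an action."""
    entries = parse_doprc(text)
    actions, rows = entries.pop("_Action", []), []
    for name, spec in zip(actions[0::2], map(fields, actions[1::2])):
        path = spec.get("path", [])
        flags = ["any-arguments"] if "*" in path[1:] else []  # assumed meaning of '*'
        for priv in spec.get("privs", []):
            for user in fields(entries.get(priv, [])).get("users", []):
                rows.append((name, user, " ".join(path), flags))
    return rows
```

Running audit() on a copy of the real file gives one row per user and action, which makes it easy to spot an action whose script accepts more than the start/stop arguments it was meant for.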

P.S. I used HP-UX tag purely because now TRU64 is in HP’s hands.

Posted on April 23, 2010 at 9:58 am by sergeyt
In: HP-UX
