Greetings all,
I'm in the process of upgrading to 9.5 from 9.0.0.7 and I want to take advantage of the one new feature I've read about, but I can't seem to find the right documentation about it. I've read about (and heard at IBM road shows) about installing/configuring/running CMOD as a non-root user (such as ODADMIN, Admin, etc)
Correct me if I am wrong, but are these steps correct?:
1) Install CMOD as root
2) Configure CMOD (arsdb/arssycr, etc..) as root
3) Run ARSSOCKD as whatever user I would like
Am I right, or completely wrong? Thanks in advance as always folks!
The install instructions should guide you through a non-root install, since it's now the default.
Step 2 in your process should be completed as your non-root user.
Depending on how paranoid you want to be, you can restrict access to those configuration files, so that the user can't change them.
-JD.
Some additional points knowing where jsquizz is coming from. On the server where CMOD was installed as root, all of the caches (cache only) have root permissions. (rwx------ root sysadm1). Installing as another user is the easy part. The only users with local accounts are admins anyway. It would seem to me that a chmod or even chown recursive would have to be issued against the cache systems. The other issue comes with ingestion side processing where utilities such as arsload, arsdoc are wrappered in python and create files for loading. Those files are now created with root, that would have to changed. Basically, all of the ingestion side permissions would have to be matched to the new userid being used by CMOD. Some thought given also as to management by groupid or userid.
-walt
Quote from: jsquizz on May 12, 2016, 02:25:06 PM
Greetings all,
I'm in the process of upgrading to 9.5 from 9.0.0.7 and I want to take advantage of the one new feature I've read about, but I can't seem to find the right documentation about it. I've read about (and heard at IBM road shows) about installing/configuring/running CMOD as a non-root user (such as ODADMIN, Admin, etc)
Correct me if I am wrong, but are these steps correct?:
1) Install CMOD as root
2) Configure CMOD (arsdb/arssycr, etc..) as root
3) Run ARSSOCKD as whatever user I would like
Am I right, or completely wrong? Thanks in advance as always folks!
Hello,
Does your current CMOD runs with root? I mean, you run ARSSOCKD with root? And you want to run it with a non root user?
If that what you mean, then this functionality exists since CMOD 7.X at least.
And to convert from root to non-root is not trivial, but can be done simply.
What CMOD V9.5 is to be able to install CMOD without being root, and this is NOT the same as running CMOD as non-root (which is possible since at least 10-15 years).
So what is your precise question again?
I think there is some confusion on my end.
The new feature that was added to 9.5 was to INSTALL/CONFIGURE ondemand as a non-root user.
Correct me if I'm wrong 8) 8)
It's been a *supported* configuration since 7.x -- I'll have to try it out, the next chance I get. ;)
-JD.
Quote from: Justin Derrick on June 07, 2016, 06:16:43 PM
It's been a *supported* configuration since 7.x -- I'll have to try it out, the next chance I get. ;)
-JD.
I meant using CMOD with a non root CMOD instance owner!! :-)
NOT installing with a non-root user :-D
this topic could be confusing sometimes!! lol
Whats the actual benefit of installing as a non-root user? Not having to bug your system admins?
It's a security thing. Non-root installations mean that if there's a remote exploit discovered for CMOD that the hacker doesn't get full control over the server -- to run anything, read anything, do anything, etc.
It also helps achieve the goal of 'compartmentalization', where different pieces (DB2 admin, CMOD admin, TSM admin) all have their own environments to run in, and can be moved to remote systems if need be, or managed separately, without having to entrust a single user with total and complete control over EVERYTHING.
-JD.