"entstat" command fails under ordinary user
 
Home Help Login Register
*
Welcome, Guest. Please login or register. November 22, 2008, 12:31:33 AM


Login with username, password and session length


Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: "entstat" command fails under ordinary user  (Read 2127 times)
0 Members and 1 Guest are viewing this topic.
Michael
Administrator
Hero Member
*****
Posts: 526
« Reply #14 on: June 02, 2008, 03:03:21 PM »
Glad to be of assistance - and that the solution was so simple.
Logged
lambert
Jr. Member
**
Posts: 6
« Reply #13 on: June 02, 2008, 08:54:18 AM »
Hello Michael,

your idea to check the environment variable was correct. Ordinary user did not have set "ODMDIR" variable. After setting the "ODMDIR" to user's ".bash_profile" the "entstat" command replyed correctly.


Thank you very much for your help.
Logged
Michael
Administrator
Hero Member
*****
Posts: 526
« Reply #12 on: May 30, 2008, 04:39:55 PM »
Well, the things that come to mind first are: what is the value for the environment variable ODMDIR for the user?

A couple of simple tests:

as user:

cd ${ODMDIR}
pwd # should be /etc/objrepos
cat CuDv >/tmp/CuDv
ls -l CuDv /tmp/CuDv

Files should be equal.

p.s. you could also have audit active as you do this.
Logged
lambert
Jr. Member
**
Posts: 6
« Reply #11 on: May 30, 2008, 11:25:36 AM »
Hello,

I think that this is definitelly the reason of problem:

Quote
aixmachine:/home/lneky> odmget CuDv
odmget:  Cannot open class CuDv
aixmachine:/home/lneky> odmshow CuDv
odmshow: Could not open class: CuDv,  status 5910
aixmachine:/home/lneky>

According to IBM error message guide in that case it is necessary to check the ODM database configuration. Unfortunately I have no clue how to do it.

The permissions in "/etc/objrepos", "/usr/lib/objrepos" and "/usr/share/lib/objrepos" are correct. I checked it comparing the bellow mentioned proposals as well as with other LPARs.

Please, do you have hint, how to check the ODM database configuration?

Thanks to all.
Logged
Michael
Administrator
Hero Member
*****
Posts: 526
« Reply #10 on: May 29, 2008, 07:56:38 AM »
This is what I have.

Quote
michael@x054:[/] cd /etc/objrepos
michael@x054:[/etc/objrepos]ls -led . .. Cu*
drwxrwxr-x-   2 root     system         4096 Mar 23 16:35 .
drwxr-xr-x-  25 root     system        12288 May 28 10:13 ..
-rw-r--r---   1 root     system        20480 May 29 07:54 CuAt
-rw-r--r---   1 root     system         4096 May 29 07:54 CuAt.vc
-rw--------   1 root     system         4096 May 28 10:13 CuData
-rw--------   1 root     system         4096 May 28 10:13 CuData.vc
-rw-r--r---   1 root     system         4096 May 28 12:01 CuDep
-rw-r--r---   1 root     system        16384 May 29 07:50 CuDv
-rw-r--r---   1 root     system        36864 May 28 10:13 CuDvDr
-rw-r--r---   1 root     system         4096 May 29 04:06 CuPath
-rw-r--r---   1 root     system         4096 May 29 04:06 CuPath.vc
-rw-r--r---   1 root     system         4096 May 28 10:13 CuPathAt
-rw-r--r---   1 root     system         4096 May 28 10:13 CuPathAt.vc
-rw-r--r---   1 root     system        24576 May 29 04:06 CuVPD

A simple test, as regular user is simply: odmget CuDv (or any of the files without a . in their name in /etc/objrepos)
« Last Edit: May 29, 2008, 07:58:41 AM by Michael » Logged
John R Peck
Administrator
Senior Member
*****
Posts: 52
« Reply #9 on: May 28, 2008, 05:39:00 PM »

Sound like permissions on the ODM files maybe the cause.  Here's what I have:

chown  -hR  root.system  /etc/objrepos  /usr/lib/objrepos  /usr/share/lib/objrepos

chmod 775 /etc/objrepos  /usr/lib/objrepos
chmod 755 /usr/share/lib/objrepos

chmod 664 /etc/objrepos/*
chmod 644 /etc/objrepos/[CFMsT]*
chmod 660 /etc/objrepos/CuVPD
chmod 444 /etc/objrepos/raid_disp* /etc/objrepos/*lock
chmod 600 /etc/objrepos/u*

chmod 664 /usr/lib/objrepos/*
chmod 644 /usr/lib/objrepos/[DGPX]*
chmod 600 /usr/lib/objrepos/c*
chmod 444 /usr/lib/objrepos/*lock

chmod 664 /usr/share/lib/objrepos/*

Permissions on /etc must be OK, 755 root.system. 
Logged
lambert
Jr. Member
**
Posts: 6
« Reply #8 on: May 28, 2008, 03:32:48 PM »
Hello Michael,

I played little bit with "/etc/security/audit/config" and I got this:

Quote
Wed May 28 15:42:17 2008 PROC_Create     OK          lneky    bash                                    forked child process 2412694
Wed May 28 15:42:17 2008 PROC_Execute    OK          lneky    entstat                                 euid: 233 egid: 1 epriv: 0:0 name /usr/bin/entstat
Wed May 28 15:42:17 2008 FILE_Open       FAIL        lneky    entstat                                 flags: 0 mode: 0 fd: 4 filename CuDv
Wed May 28 15:42:17 2008 PROC_Delete     OK          lneky    entstat                                 exited child process 2412694

How can I resolve what is hidden under "CuDv" object class?


to John R Peck,
Unfortunately I am unable to run filemon successfuly under ordinary user, even if he is "system" group. It complains: 
Quote
ODM create failed.
I will make some more experiments. Maybe it will give more positive result. Anyway thanks for hint.
 
Logged
John R Peck
Administrator
Senior Member
*****
Posts: 52
« Reply #7 on: May 28, 2008, 11:14:29 AM »

If the audit isn't giving any info, try a filemon (trace) capture to report on the most active files, i.e. what it opens.
Logged
Michael
Administrator
Hero Member
*****
Posts: 526
« Reply #6 on: May 27, 2008, 08:39:59 PM »
I added the following audit class:

Quote
process = PROC_Load,PROC_LoadMember,PROC_LoadError

change root, and the other user to read:

Quote
users:
        root = process
        testuser = process

Bin mode is fine. After running audit shutdown, use auditpr -v </audit/trail | more to view the results and compare the two. I suspect either something with the libraries, or the directory /etc/objrepos.

Not sure why permissions could be an issue - as the program is seteuid. Maybe /usr is mounted with a denial of seteuid permissions - but if so I would suspect more problems than just this.

p.s. you could consider adding FILE_Open to the process class depending on your comparisons.
Logged
Michael
Administrator
Hero Member
*****
Posts: 526
« Reply #5 on: May 27, 2008, 07:47:53 PM »
Not most recent - more a heads up that it might be difficult to reinstall the same level. Only if you still have say - ML03 Cd's and the update files.

I'll look into the proper setup for audit for this command, or something else.

lppchk of the fileset, or the complete system will probably come up clean, but it is something else you could verify.

Another command that can return surprising results:
Quote
instfix -ciqk 5300-04_AIX_ML | grep :+:

Another command I am interested in is:
Quote
netstat -v
« Last Edit: May 27, 2008, 07:53:36 PM by Michael » Logged
lambert
Jr. Member
**
Posts: 6
« Reply #4 on: May 27, 2008, 02:23:11 PM »
Thanks for response, just I think the discussion moves to wrong direction. I agree that system is not the most recent.

Quote
aixmachine:/> instfix -i |grep AIX
    All filesets for 5.3.0.0_AIX_ML were found.
    All filesets for 5300-01_AIX_ML were found.
    All filesets for 5300-02_AIX_ML were found.
    All filesets for 5300-03_AIX_ML were found.
    All filesets for 5300-04_AIX_ML were found.
aixmachine:/>

But on same hardware we have three more LPARs with the same oslevel and nearly the exact same configuration. The "entstat" command was full functional untill the middle of May. On other LPARs of mentioned server this command is still working properly.

The "/etc/security/audit/config" configuration file is set either. The auditing is switched on and the "stream.out" file is filled with audit records. Audit classes for "root" and "user" are following:
Quote
        default = logins,accounts,objects,system,tcpip,src,files,devices,kernel,cron,mail,lvm
        root = logins,accounts,objects,system,tcpip,src,files,devices,kernel,cron,mail,lvm

I want to highlight the fact that executing the command by user do not result error.  Maybe, this is the first part of way to solve it.

Thanks.

Logged
Michael
Administrator
Hero Member
*****
Posts: 526
« Reply #3 on: May 27, 2008, 01:37:26 PM »
Auditing requires some configuration. If you dont know how that is done, it will come up blank.

From your fileset level I place your Technology Level at 4 - which is > two years old.

Quote
oslevel -s
will tell you what level your system is at.

Quote
instfix -i | grep AIX
will list levels AIX knows about.

A forced reinstall might restore the system. Make sure you have a current backup before you start adjustig software (settings) further.
Logged
lambert
Jr. Member
**
Posts: 6
« Reply #2 on: May 27, 2008, 10:26:42 AM »
Hello,

current level version:

Quote
aixmachine:/> lslpp -L devices.common.IBM.ethernet.rte
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  devices.common.IBM.ethernet.rte
                            5.3.0.41    A     F    Common Ethernet Software



The auditing is switched on. No reaction is inserted into the "stream.out" when launching the "entstat" command by "root" neither ordinary user.
Strange is that it doesn't show even error message about missing device, or wrong permissions. Just empty result.

Do you think, that simple reinstall of the "entstat" package could solve this problem?

Thanks in advance.
Logged
Michael
Administrator
Hero Member
*****
Posts: 526
« Reply #1 on: May 26, 2008, 07:10:52 PM »
Well, I see from your date that you are not at a recent 5.3 level - or is this AIX 5.2?

Quote
# ls -l /usr/sbin/entstat
-r-sr-xr-x   1 root     bin           29844 Sep 11 2007  /usr/sbin/entstat

# lslpp -L  devices.common.IBM.ethernet.rte
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  devices.common.IBM.ethernet.rte
                             5.3.7.0    C     F    Common Ethernet Software

And what level is installed on other systems?

One way to resolve it might be to force a reinstall of the fileset. A way to debug it would be to activate auditing and see what file or directory, if any, is blocked to a non-root user. Or, try comparing audit logs between a regular user, and root user.
Logged
lambert
Jr. Member
**
Posts: 6
« on: May 26, 2008, 11:46:05 AM »
The "entstat" command works properly when entered by "root". In case that the "entstat" is run by ordinary user (staff, system, sys groups member) the response is empty. On other LPARs this trouble does not exist.

aixmachine:/root> ls -al /usr/sbin/entstat
-r-sr-xr-x   1 root     bin           29556 Feb 02 2006  /usr/sbin/entstat
aixmachine:/root>

Do you have any idea how to solve this problem?
Thanks to all.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.2 | SMF © 2006-2007, Simple Machines LLC

Valid XHTML 1.0! Valid CSS! Dilber MC Theme by HarzeM
Page created in 0.67 seconds with 19 queries.

FastPath

HowTo
New in AIX6
RBAC
Security
WPAR
Service Bulletins

InfoCenters

AIX 6.1
AIX 5.3
AIX 5.2
AIX 5.1
- - - - - - -
HMC Downloads
IBM Firmware/LIC
VIOS Support
- - - - - - -
Hardware Documents
PowerHA (HACMP)
Tivoli Manuals
- - - - - - -
IBM Training



eXTReMe Tracker
Terms of Use and Privacy and Security Policies
Copyright 2001-2008 Michael Felt and ROOTVG.NET