Title: "entstat" command fails under ordinary user
Post by: lambert on May 26, 2008, 11:46:05 AM

The "entstat" command works properly when entered by "root". When "entstat" is run by an ordinary user (a member of the staff, system, sys groups), the response is empty. On other LPARs this trouble does not exist.

    aixmachine:/root> ls -al /usr/sbin/entstat
    -r-sr-xr-x 1 root bin 29556 Feb 02 2006 /usr/sbin/entstat
    aixmachine:/root>

Do you have any idea how to solve this problem? Thanks to all.

Title: Re: "entstat" command fails under ordinary user
Post by: Michael on May 26, 2008, 07:10:52 PM

Well, I see from your date that you are not at a recent 5.3 level - or is this AIX 5.2?

Quote
    # ls -l /usr/sbin/entstat
    -r-sr-xr-x 1 root bin 29844 Sep 11 2007 /usr/sbin/entstat
    # lslpp -L devices.common.IBM.ethernet.rte
    Fileset                          Level    State  Type  Description (Uninstaller)
    ----------------------------------------------------------------------------
    devices.common.IBM.ethernet.rte  5.3.7.0  C      F     Common Ethernet Software

And what level is installed on other systems?

One way to resolve it might be to force a reinstall of the fileset. A way to debug it would be to activate auditing and see what file or directory, if any, is blocked to a non-root user. Or, try comparing audit logs between a regular user, and root user.

Title: Re: "entstat" command fails under ordinary user
Post by: lambert on May 27, 2008, 10:26:42 AM

Hello,

current level version:

Quote
    aixmachine:/> lslpp -L devices.common.IBM.ethernet.rte
    Fileset                          Level     State  Type  Description (Uninstaller)
    ----------------------------------------------------------------------------
    devices.common.IBM.ethernet.rte  5.3.0.41  A      F     Common Ethernet Software

The auditing is switched on. No reaction is inserted into "stream.out" when the "entstat" command is launched by "root" or by an ordinary user. What is strange is that it doesn't even show an error message about a missing device or wrong permissions. Just an empty result. Do you think that a simple reinstall of the "entstat" package could solve this problem? Thanks in advance.

Title: Re: "entstat" command fails under ordinary user
Post by: Michael on May 27, 2008, 01:37:26 PM

Auditing requires some configuration. If you don't know how that is done, it will come up blank.

From your fileset level I place your Technology Level at 4 - which is > two years old.

Quote
    oslevel -s
will tell you what level your system is at.

Quote
    instfix -i | grep AIX
will list levels AIX knows about.

A forced reinstall might restore the system. Make sure you have a current backup before you start adjusting software (settings) further.

Title: Re: "entstat" command fails under ordinary user
Post by: lambert on May 27, 2008, 02:23:11 PM

Thanks for the response, I just think the discussion is moving in the wrong direction. I agree that the system is not the most recent.

Quote
    aixmachine:/> instfix -i |grep AIX
    All filesets for 5.3.0.0_AIX_ML were found.
    All filesets for 5300-01_AIX_ML were found.
    All filesets for 5300-02_AIX_ML were found.
    All filesets for 5300-03_AIX_ML were found.
    All filesets for 5300-04_AIX_ML were found.
    aixmachine:/>

But on the same hardware we have three more LPARs with the same oslevel and nearly the exact same configuration. The "entstat" command was fully functional until the middle of May. On the other LPARs of the mentioned server this command is still working properly.

The "/etc/security/audit/config" configuration file is set as well. The auditing is switched on and the "stream.out" file is filled with audit records. Audit classes for "root" and "user" are the following:

Quote
    default = logins,accounts,objects,system,tcpip,src,files,devices,kernel,cron,mail,lvm
    root = logins,accounts,objects,system,tcpip,src,files,devices,kernel,cron,mail,lvm

I want to highlight the fact that executing the command as a user does not result in an error. Maybe this is the first part of the way to solve it. Thanks.

Title: Re: "entstat" command fails under ordinary user
Post by: Michael on May 27, 2008, 07:47:53 PM

Not most recent - more a heads up that it might be difficult to reinstall the same level. Only if you still have say - ML03 CDs and the update files.

I'll look into the proper setup for audit for this command, or something else. lppchk of the fileset, or the complete system will probably come up clean, but it is something else you could verify.

Another command that can return surprising results:

Quote
    instfix -ciqk 5300-04_AIX_ML | grep :+:

Another command I am interested in is:

Quote
    netstat -v

Title: Re: "entstat" command fails under ordinary user
Post by: Michael on May 27, 2008, 08:39:59 PM

I added the following audit class:

Quote
    process = PROC_Load,PROC_LoadMember,PROC_LoadError

change root, and the other user to read:

Quote
    users:
            root = process
            testuser = process

Bin mode is fine. After running audit shutdown, use

    auditpr -v </audit/trail | more

to view the results and compare the two.

I suspect either something with the libraries, or the directory /etc/objrepos. Not sure why permissions could be an issue - as the program is seteuid. Maybe /usr is mounted with a denial of seteuid permissions - but if so I would suspect more problems than just this.

p.s. you could consider adding FILE_Open to the process class depending on your comparisons.

Title: Re: "entstat" command fails under ordinary user
Post by: John R Peck on May 28, 2008, 11:14:29 AM

If the audit isn't giving any info, try a filemon (trace) capture to report on the most active files, i.e. what it opens.

Title: Re: "entstat" command fails under ordinary user
Post by: lambert on May 28, 2008, 03:32:48 PM

Hello Michael,

I played a little bit with "/etc/security/audit/config" and I got this:

Quote
    Wed May 28 15:42:17 2008 PROC_Create OK lneky bash forked child process 2412694
    Wed May 28 15:42:17 2008 PROC_Execute OK lneky entstat euid: 233 egid: 1 epriv: 0:0 name /usr/bin/entstat
    Wed May 28 15:42:17 2008 FILE_Open FAIL lneky entstat flags: 0 mode: 0 fd: 4 filename CuDv
    Wed May 28 15:42:17 2008 PROC_Delete OK lneky entstat exited child process 2412694

How can I resolve what is hidden under the "CuDv" object class?

To John R Peck: Unfortunately I am unable to run filemon successfully under an ordinary user, even if he is in the "system" group. It complains:

Quote
    ODM create failed.

I will make some more experiments. Maybe it will give a more positive result. Anyway, thanks for the hint.

Title: Re: "entstat" command fails under ordinary user
Post by: John R Peck on May 28, 2008, 05:39:00 PM

Sounds like permissions on the ODM files may be the cause. Here's what I have:

    chown -hR root.system /etc/objrepos /usr/lib/objrepos /usr/share/lib/objrepos
    chmod 775 /etc/objrepos /usr/lib/objrepos
    chmod 755 /usr/share/lib/objrepos
    chmod 664 /etc/objrepos/*
    chmod 644 /etc/objrepos/[CFMsT]*
    chmod 660 /etc/objrepos/CuVPD
    chmod 444 /etc/objrepos/raid_disp* /etc/objrepos/*lock
    chmod 600 /etc/objrepos/u*
    chmod 664 /usr/lib/objrepos/*
    chmod 644 /usr/lib/objrepos/[DGPX]*
    chmod 600 /usr/lib/objrepos/c*
    chmod 444 /usr/lib/objrepos/*lock
    chmod 664 /usr/share/lib/objrepos/*

Permissions on /etc must be OK, 755 root.system.

Title: Re: "entstat" command fails under ordinary user
Post by: Michael on May 29, 2008, 07:56:38 AM

This is what I have.

Quote
    michael@x054:[/] cd /etc/objrepos
    michael@x054:[/etc/objrepos]ls -led . .. Cu*
    drwxrwxr-x-  2 root system  4096 Mar 23 16:35 .
    drwxr-xr-x- 25 root system 12288 May 28 10:13 ..
    -rw-r--r---  1 root system 20480 May 29 07:54 CuAt
    -rw-r--r---  1 root system  4096 May 29 07:54 CuAt.vc
    -rw--------  1 root system  4096 May 28 10:13 CuData
    -rw--------  1 root system  4096 May 28 10:13 CuData.vc
    -rw-r--r---  1 root system  4096 May 28 12:01 CuDep
    -rw-r--r---  1 root system 16384 May 29 07:50 CuDv
    -rw-r--r---  1 root system 36864 May 28 10:13 CuDvDr
    -rw-r--r---  1 root system  4096 May 29 04:06 CuPath
    -rw-r--r---  1 root system  4096 May 29 04:06 CuPath.vc
    -rw-r--r---  1 root system  4096 May 28 10:13 CuPathAt
    -rw-r--r---  1 root system  4096 May 28 10:13 CuPathAt.vc
    -rw-r--r---  1 root system 24576 May 29 04:06 CuVPD

A simple test, as regular user is simply:

    odmget CuDv

(or any of the files without a . in their name in /etc/objrepos)

Title: Re: "entstat" command fails under ordinary user
Post by: lambert on May 30, 2008, 11:25:36 AM

Hello,

I think that this is definitely the reason for the problem:

Quote
    aixmachine:/home/lneky> odmget CuDv
    odmget: Cannot open class CuDv
    aixmachine:/home/lneky> odmshow CuDv
    odmshow: Could not open class: CuDv, status 5910
    aixmachine:/home/lneky>

According to the IBM error message guide, in that case it is necessary to check the ODM database configuration. Unfortunately I have no clue how to do it. The permissions in "/etc/objrepos", "/usr/lib/objrepos" and "/usr/share/lib/objrepos" are correct. I checked it by comparing with the below-mentioned proposals as well as with other LPARs.

Please, do you have a hint how to check the ODM database configuration? Thanks to all.

Title: Re: "entstat" command fails under ordinary user
Post by: Michael on May 30, 2008, 04:39:55 PM

Well, the things that come to mind first are: what is the value for the environment variable ODMDIR for the user?

A couple of simple tests: as user:

    cd ${ODMDIR}
    pwd # should be /etc/objrepos
    cat CuDv >/tmp/CuDv
    ls -l CuDv /tmp/CuDv

Files should be equal.

p.s. you could also have audit active as you do this.

Title: Re: "entstat" command fails under ordinary user
Post by: lambert on June 02, 2008, 08:54:18 AM

Hello Michael,

Your idea to check the environment variable was correct. The ordinary user did not have the "ODMDIR" variable set. After setting "ODMDIR" in the user's ".bash_profile", the "entstat" command replied correctly. Thank you very much for your help.

Title: Re: "entstat" command fails under ordinary user
Post by: Michael on June 02, 2008, 03:03:21 PM

Glad to be of assistance - and that the solution was so simple.
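
The root-versus-user audit comparison suggested in the thread, as an added example that is not part of any post: it reads audit records and reports files that a non-root user failed to open while root opened the same object class successfully. It assumes one record per line in the field order of lambert's excerpt; the function names and the two root records in the sample are constructed for illustration.

```shell
#!/bin/sh
# Assumed record layout (one per line, as in the thread's excerpt):
#   <dow> <mon> <day> <time> <year> <event> <status> <login> <command> <tail...>

# Constructed sample: the lneky records follow the thread, the root ones are hypothetical.
sample_trail() {
    cat <<'EOF'
Wed May 28 15:40:02 2008 PROC_Execute OK root entstat euid: 0 egid: 0 epriv: 0:0 name /usr/bin/entstat
Wed May 28 15:40:02 2008 FILE_Open OK root entstat flags: 0 mode: 0 fd: 4 filename /etc/objrepos/CuDv
Wed May 28 15:42:17 2008 PROC_Execute OK lneky entstat euid: 233 egid: 1 epriv: 0:0 name /usr/bin/entstat
Wed May 28 15:42:17 2008 FILE_Open FAIL lneky entstat flags: 0 mode: 0 fd: 4 filename CuDv
EOF
}

# Reads audit records on stdin. Prints "<login> <command> <user path> <root path>"
# for every FILE_Open that FAILs for a non-root login while root has an OK open of
# a file with the same base name from the same command.
user_only_failures() {
    awk '
        $6 != "FILE_Open" { next }
        {
            path = ""
            for (i = 10; i < NF; i++) if ($i == "filename") path = $(i + 1)
            if (path == "") next
            base = path; sub(/.*\//, "", base)      # compare on the base name
            key = $9 SUBSEP base
            if ($8 == "root" && $7 == "OK") root_ok[key] = path
            else if ($8 != "root" && $7 == "FAIL") {
                who[$8 SUBSEP key] = key
                upath[$8 SUBSEP key] = path
            }
        }
        END {
            for (k in who) if (who[k] in root_ok) {
                split(k, p, SUBSEP)
                print p[1], p[2], upath[k], root_ok[who[k]]
            }
        }
    ' | sort
}

sample_trail | user_only_failures
```

A user-side path that is a bare class name next to a full path on the root side is the cue to compare `ODMDIR` between the two environments, which is where this thread ended up.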