Painless installations: (Was SUMMARY: Weird behaviour ...)

From: Russell Page (russellpage@hotmail.com)
Date: Fri Jun 24 2005 - 02:29:23 EDT


Most of the systems I look after are tightly locked down, and sit on the
perimeter of a highly sensitive network. Various apps running on them
include firewalls, proxy servers, and virus scanners. The apps are managed
by a small group of security engineers, who for various reasons need root
access. We are based in Australia.

A previous employee created a Jumpstart environment, that among other things
installed sudo and bash.

When we switched to Solaris 8 a couple of years ago, I built a new Jumpstart
environment, but essentially kept the user environments the same so as not
to cause users too much pain.

All user shells, and the default root shell are set to bash. All kinds of
weird things are set up through a byzantine maze of global initialization
files. For instance, "rm, cp, and mv" are aliases and the umask for everyone
is set to 0077 (no sharing). Some of these systems have managed to end up
running in the en_AU locale, where apparently RE's and string matches are
case insensitive.

As a consequence of these facts we end up with an environment that tends to
break installation and patch scripts. Often it is not always obvious what
has gone wrong, and why. The latest thing to break was the installation
script that comes with IWSS from TrendMicro.

Here is how I fixed it:
1. I created an account called "install". Here is the configuration:
----snip--------snip--------snip--------snip--------snip----
# grep install /etc/passwd /etc/shadow
/etc/passwd:install:x:0:1::/opt/export_home/install:/usr/bin/sh
/etc/shadow:install:*LK*:::::365::
# cat /opt/export_home/install/.profile
LANG="C" export LANG
umask 0022
#
----snip--------snip--------snip--------snip--------snip----
2. I ran "sudo su - install" to get a shell.
3. I then ran the Trend install script.
4. Voila! a flawless installation!

Notes:

In case you didn't notice, this is an alias for root.

Because the password is locked, "su - install" won't work. If you don't
have, and don't want sudo (you should have it, and you do need it!) then you
need to give the account a password. I suggest you do this immediately
before you use it, and then immediately lock it when you have finished with
it.

If you want a quiet and normal life (thanks Warren Zevon) then stick with
the Bourne shell for this account. It's not going to suck in any weird
aliases.

You should also use this environment when you are installing patches. The
(relatively) permissive umask will kill those pesky "checkinstall" failures.

If I was doing this from scratch I just wouldn't touch the root environment
at all and none of these problems would arise. However I have to run with
the culture I inherited from my predecessor.

-- Russell Page.

Certified Solaris Network Administrator
Metaphors be with you.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
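
An added example, not part of the original post: a POSIX sh function that lists every UID-0 account in a passwd/shadow pair and reports whether its password is locked, which is how a root alias like the "install" account above shows up in an audit. The function names, status labels and sample files are constructed for illustration; the *LK* marker is the one shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_uid0 PASSWD_FILE SHADOW_FILE
# Prints one line per UID-0 account: "name shell status".
audit_uid0() {
    awk -F: '
        # Shadow pass: remember each account password field.
        src == "shadow" { pw[$1] = $2; seen[$1] = 1; next }
        # Passwd pass: report every account whose UID is 0.
        $3 == 0 {
            if (!($1 in seen))           status = "no-shadow-entry"
            else if (pw[$1] ~ /^\*LK\*/) status = "locked"
            else if (pw[$1] == "")       status = "empty-password"
            else                         status = "password-set"
            print $1, $7, status
        }
    ' src=shadow "$2" src=passwd "$1"
}

# write_sample DIR: constructed sample files modelled on the post's entries.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/usr/bin/bash
daemon:x:1:1::/:
install:x:0:1::/opt/export_home/install:/usr/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:CONSTRUCTED-HASH:12000::::::
daemon:NP:6445::::::
install:*LK*:::::365::
EOF
}

# Demo run against the constructed files only; nothing under /etc is read.
demo_dir=$(mktemp -d) && write_sample "$demo_dir" &&
    audit_uid0 "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

Run against the real /etc/passwd and /etc/shadow (as root), any UID-0 line that is not "locked" outside an installation window is worth a second look.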


