#28479 - 05/19/00 11:36 AM [Re: Running ARS as 'root']
steve_mcdonald Offline
Stealth Member

Registered: 06/12/01
Posts: 23

At my previous company, we ran Remedy as root, but
we as administrators and developers had no access
as root. Just to view log files we had to call
our operations department to grant access. The
one work around was that a clever developer wrote
an active link that allowed us to type a command
(i.e. chmod 777 /usr/ar/db/*.log) and it would be
passed to a run process. A huge security hole I
know. We used it sparingly.

In my current company we run Remedy as non root and
we developers have full access to the system. I
like this way better. Although still dangerous
for the inexperienced, at least we are only
dangerous to ourselves and our product, not all
the other applications on that server.

Steve McDonald
Remedy Applications Programmer
Choice Hotels International


-----Original Message-----
From: Action Request System discussion
list(ARSList)
[mailto:ARSLIST@LISTSERV.VISTAIT.COM]On Behalf Of
Jonathan Cantu
Sent: 17 May 2000 15:33
To: ARSLIST@LISTSERV.VISTAIT.COM
Subject: Running ARS as 'root'


Does anyone out there do this in a production environment? I see lots of
potential problems doing it this way, Remedy admins could run processes as
root from Filters.

How is it typically setup to run in a UNIX environment? Do you create a
user account - say 'aradmin' to run this process under? How is it setup in
the UNIX init file so that it starts up under a user account other than
root? Thanks in advance.


Jonathan


Unsubscribe to: Text is: unsubscribe arslist


#28480 - 05/19/00 12:32 PM Re: Running ARS as 'root'] [Re: al_manfredonio]
pche Offline
Just Signed Up

Registered: 06/12/01
Posts: 3
we created a UNIX user account (arsysu) and we modified the arsystem script
to add the command 'su - arsysu' at the beginning of the script.

The init files are still started by root but the AR Server is started by
arsysu

Patrick

-----Original Message-----
From: Action Request System discussion
list(ARSList)
[mailto:ARSLIST@LISTSERV.VISTAIT.COM]On Behalf Of
Jonathan Cantu
Sent: 17 May 2000 15:33
To: ARSLIST@LISTSERV.VISTAIT.COM
Subject: Running ARS as 'root'


Does anyone out there do this in a production environment? I see lots of
potential problems doing it this way, Remedy admins could run processes as
root from Filters.

How is it typically setup to run in a UNIX environment? Do you create a
user account - say 'aradmin' to run this process under? How is it setup in
the UNIX init file so that it starts up under a user account other than
root? Thanks in advance.


Jonathan


#28481 - 05/19/00 01:27 PM Re: Running ARS as 'root'] [Re: al_manfredonio]
peterm Offline
Stealth Member

Registered: 06/12/01
Posts: 74


P

-=-=-=-=-=-=-=-=-=-=-=-
Peter J. Milanese
Senior System Architect
-=-=-=-=-=-=-=-=-=-=-=-
Globix Corporation HQ
139 Centre Street
New York, NY 10013
peterm@globix.net
1 (212) 334-8571

On Fri, 19 May 2000, Patrick Chemel wrote:

> we created a UNIX user account (arsysu) and we modified the arsystem script
> to add the command 'su - arsysu' at the beginning of the script.
>
> The init files are still started by root but the AR Server is started by
> arsysu
>
> Patrick
>
> -----Original Message-----
> From: Action Request System discussion
> list(ARSList)
> [mailto:ARSLIST@LISTSERV.VISTAIT.COM]On Behalf Of
> Jonathan Cantu
> Sent: 17 May 2000 15:33
> To: ARSLIST@LISTSERV.VISTAIT.COM
> Subject: Running ARS as 'root'
>
>
> Does anyone out there do this in a production environment? I see lots of
> potential problems doing it this way, Remedy admins could run processes as
> root from Filters.
>
> How is it typically setup to run in a UNIX environment? Do you create a
> user account - say 'aradmin' to run this process under? How is it setup in
> the UNIX init file so that it starts up under a user account other than
> root? Thanks in advance.
>
>
> Jonathan
>
>


#28482 - 05/19/00 03:16 PM Re: Running ARS as 'root'] [Re: al_manfredonio]
emma Offline
Stealth Member

Registered: 06/12/01
Posts: 8
Because running as root is such a security risk, we created a
restricted user for it to run under. This is what our sysadmin did to
set it up:

- chown -R remedy:remedy /usr/ar/*
- chown -R root:root /usr/ar/bin
- chmod 755 /usr/ar/bin/*
- chown -R remedy:remedy /usr/spool/remedy
- writing an arsystem init script wrapper that runs the main arsystem script
as the remedy user
- removing /dev/console references from the arsystem init script

There might be some other file that we had to change that I've missed
mentioning here, but that gets the bulk of it. We also have a group
'remedy' that all of our developers are members of, and that helps a
lot.

Cheers,
Emma
--
Emma Kolstad Antunes Raytheon ITSS
NASA Goddard Space Flight Center
Code 290, Greenbelt, MD 20771 (301) 286-1377 | 286-1723 Fax
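
An added example, not part of the original post or of Remedy's own scripts: a pre-start check for the layout described above, confirming that nothing under the root-owned bin directory can be modified by the service account before the server is started as that account. The function names, the numeric-uid argument and the action argument passed to the arsystem script are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper functions, not Remedy code).

# audit_bin_dir DIR SVC_UID
# Prints every non-symlink path under DIR that the service account could
# modify: owned by SVC_UID, or writable by group or other (the post sets
# root:root ownership and mode 755). Returns 1 if anything is printed.
audit_bin_dir() {
    bin_dir=$1
    svc_uid=$2
    findings=$(find "$bin_dir" \
        \( -uid "$svc_uid" -o -perm -0020 -o -perm -0002 \) \
        ! -type l -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# start_as_service SVC_USER SCRIPT ACTION
# Runs SCRIPT ACTION as SVC_USER. When called by root (for example from an
# init wrapper) the command is handed to su with -c, so only that command
# runs under the service account. Any other caller is refused.
start_as_service() {
    svc_user=$1
    script=$2
    action=$3
    if [ "$(id -u)" -eq 0 ]; then
        su - "$svc_user" -c "$script $action"
    elif [ "$(id -un)" = "$svc_user" ]; then
        "$script" "$action"
    else
        echo "refusing: run as root or as $svc_user" >&2
        return 2
    fi
}

# Example wiring in an init wrapper (account and bin path from the post,
# script path is a placeholder):
#   audit_bin_dir /usr/ar/bin "$(id -u remedy)" \
#       && start_as_service remedy /path/to/arsystem start
```

A non-empty result from the audit means the unprivileged server, or anything it can be made to run, could alter files that root later executes at boot.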


#28483 - 05/22/00 08:13 AM Re: Running ARS as 'root'] [Re: al_manfredonio]
dougal ballantyne Offline
Stealth Member

Registered: 06/12/01
Posts: 114

http://supportweb.remedy.com/supportweb/Documentation/PDF/technotes/doc1057.pdf

We run it in our production and development environments, works great! You
can of course install it as non-root at the start, set

ARNONROOTINSTALL=TRUE; export ARNONROOTINSTALL


-----Original Message-----
From: Emma Kolstad Antunes
[mailto:emma@SLED.GSFC.NASA.GOV]
Sent: 19 May 2000 21:17
To: ARSLIST@LISTSERV.VISTAIT.COM
Subject: Re: Running ARS as 'root']

Because running as root is such a security risk, we created a
restricted user for it to run under. This is what our sysadmin did to
set it up:

- chown -R remedy:remedy /usr/ar/*
- chown -R root:root /usr/ar/bin
- chmod 755 /usr/ar/bin/*
- chown -R remedy:remedy /usr/spool/remedy
- writing an arsystem init script wrapper that runs the main arsystem script
as the remedy user
- removing /dev/console references from the arsystem init script

There might be some other file that we had to change that I've missed
mentioning here, but that gets the bulk of it. We also have a group
'remedy' that all of our developers are members of, and that helps a
lot.

Cheers,
Emma
--
Emma Kolstad Antunes Raytheon ITSS
NASA Goddard Space Flight Center
Code 290, Greenbelt, MD 20771 (301) 286-1377 | 286-1723 Fax




Moderator:  Matt Reinfeldt