One more thing ((c) 2010).

It is a TOTAL pain in that with ISM you have to be root to run the
backup commands.
The root user round here is under tighter security than a very nervous
camel's backside in a very powerful sandstorm. They are really NOT
happy about adding anything to root cron or 'at' or into their
imprenetrable schedule, and database backups don't register much if at
all on their 'things we want/need/have to do' radar.
Is there any way at all of allowing the informix user to run the
backup commands without ISM triggering the "07/27/10 10:15:41 savegrp:
You are not authorized to run this command" error? It basically means
that no bootstrap file can be created if user informix runs the
backups (whether database ot logical log)


Ta

"Malc" <iiug (AT) perrior (DOT) net> wrote

sudo?

On Jul 27, 4:02*pm, "Neil Truby" <neil.tr... (AT) ardenta (DOT) com> wrote:
Needs to be non-interactive and we don't want to hardcode passwords
anywhere...

On 27/07/2010 16:02, Neil Truby wrote:
suid?

--
This message has been scanned for viruses and
dangerous content by OpenProtect(http://www.openprotect.com), and is
believed to be clean.

Sudo works. We do that here with people who have to do some simple maintenance work. The only word of caution is to be careful how you log their sessions because it can really kill performance if you have an i/o bottleneck.


__________________________________________________ _______________
The New Busy is not the old busy. Search, chat and e-mail from your inbox..
http://www.windowslive.com/campaign/...M_HMP:042010_3

On 27/07/2010 16:08, Malc wrote:
man sudoers

no passwords required

--
This message has been scanned for viruses and
dangerous content by OpenProtect(http://www.openprotect.com), and is
believed to be clean.

On Jul 27, 4:18*pm, Clive Eisen <cl... (AT) serendipita (DOT) com> wrote:
alias with NOPASSWD set...
Hmm - looks like the call to 'savegrp' is made from within the legato
executable; experimentation is in order then!

On 27/07/2010 16:50, Malc wrote:

Well that means you will have to run legato sudo

As you still need to 'type' sudo savegrp
to make it happen even with sudoers

Other thoughts

1) suid
2) use sudoers and
binary edit the legato binary to get it to call say Savegrp
2a) where Legato is a script that execs sudo savegrp $@
or
2b) If your sysadmins don't like a script you can write a bit of C that
does the same

--
This message has been scanned for viruses and
dangerous content by OpenProtect(http://www.openprotect.com), and is
believed to be clean.

On 27/07/2010 17:15, Clive Eisen wrote:
Put a script called savegrp EARLIER in your PATH that execs the real one
with sudo

That way you don't need to faf around editing legato
This will not work if the full path to savegrp is in legato





--
This message has been scanned for viruses and
dangerous content by OpenProtect(http://www.openprotect.com), and is
believed to be clean.

Bugger me I think it works; just ran an onbar backup of a couple of
dbspaces as user informix and got no errors.

I added the following entries to the '/opt/sudo/etc/sudoers/sudoers' file:

User_Alias IMIX=informix,dba

(at the end of the existing user aliases)

And:

IMIX ALL=(ALL) NOPASSWD:/opt/informix/bin/onbar

IMIX ALL=(ALL) NOPASSWD:/opt/informix/bin/savegrp

(In the "user privilege specification' section)

So it looks like the call to savegrp is covered.
Thanks for your help, Clive, appreciated!