If you installed Network Manager as a non-root user, and you want to run Network Manager while logged on as the non-root user who installed the product, or another user in the same group, then you must run the script setup_run_as_setuid_root.sh. The processes that must be run as root have their setuid permission changed so that they run as root even when started by a non-root user. This procedure has security implications and must not be done on a server that untrusted users can log in to.
If you cannot run binary files with a UID of root for security reasons, run the setup_run_as_capabilities.sh script instead, on Linux platforms only.
Note: For this script to work correctly, you must be logged on as root when you run it.
Due to the way this script makes certain shared libraries into trusted libraries, only one installation per server can be set up to be run by a non-root user. If you have multiple installations of Network Manager on the same server, you must run all of them as root.
Running the script
To run the script, use a command line similar to the following example.
$NCHOME/precision/scripts/setup_run_as_setuid_root.sh
Command line options
This script has no command line options.
Files and directories which are made setuid root
The following section provides information about the files and directories whose security
settings are changed when ITNM is installed as a non-root user.
- x86 Linux

On x86 Linux, the following binaries are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| $NCHOME/precision/scripts/webtools/bin/fping | 3rd party tool, required to open raw socket (https://linux.die.net/man/8/fping). Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/precision/scripts/webtools/bin/nanogtraceroute | 3rd party tool, required to open raw socket. Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/omnibus/probes/linux2x86/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |
| $NCHOME/omnibus/platform/linux2x86/probes64/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |

The following binaries in $NCHOME/precision/platform/linux2x86/bin are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| ncp_df_ping | Root required to open raw socket for ping |
| ncp_dh_arp | Root required to open low port |
| ncp_dh_ping | Root required to open raw socket for ping |
| ncp_trapmux | Root required to open low port |
| ncp_poller | Root required to open raw socket for ping |

The following directories are made trusted, so that setuid binaries can search them:
- $NCHOME/precision/platform/linux2x86/lib64
- $NCHOME/omnibus/platform/linux2x86/lib64
- $NCHOME/platform/linux2x86/lib64
- $NCHOME/precision/platform/linux2x86/oracle_instant_client-11.2.0.4
- $NCHOME/precision/platform/linux2x86/oracle_instant_client-12.1.0.2.0
- $NCHOME/precision/jre/bin
- $NCHOME/precision/jre/bin/j9vm
- $NCHOME/precision/jre/lib/amd64
- $NCHOME/precision/platform/linux2x86/db2-10.5.0.5/odbc_cli/clidriver/lib
- zLinux

On zLinux, the following binaries are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| $NCHOME/precision/scripts/webtools/bin/fping | 3rd party tool, required to open raw socket (https://linux.die.net/man/8/fping). Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/precision/scripts/webtools/bin/nanogtraceroute | 3rd party tool, required to open raw socket. Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/omnibus/probes/linux2s390/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |
| $NCHOME/omnibus/platform/linux2s390/probes64/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |

The following binaries in $NCHOME/precision/platform/linux2s390/bin are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| ncp_df_ping | Root required to open raw socket for ping |
| ncp_dh_arp | Root required to open low port |
| ncp_dh_ping | Root required to open raw socket for ping |
| ncp_trapmux | Root required to open low port |
| ncp_poller | Root required to open raw socket for ping |

The following directories are made trusted, so that setuid binaries can search them:
- $NCHOME/precision/platform/linux2s390/lib64e
- $NCHOME/omnibus/platform/linux2s390/lib64
- $NCHOME/platform/linux2s390/lib64
- $NCHOME/precision/platform/linux2s390/oracle_instant_client-11.2.0.4
- $NCHOME/precision/platform/linux2s390/oracle_instant_client-12.1.0.2.0
- $NCHOME/precision/jre/bin
- $NCHOME/precision/jre/bin/j9vm
- $NCHOME/precision/jre/lib/s390
- $NCHOME/precision/platform/linux2s390/db2-10.5.0.5/odbc_cli/clidriver/lib
- AIX

On AIX, the following binaries are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| $NCHOME/precision/scripts/webtools/bin/fping | 3rd party tool, required to open raw socket (https://linux.die.net/man/8/fping). Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/precision/scripts/webtools/bin/nanogtraceroute | 3rd party tool, required to open raw socket. Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/omnibus/probes/aix5/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |
| $NCHOME/omnibus/platform/aix5/probes64/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |

The following binaries in $NCHOME/precision/platform/$arch/bin are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| ncp_df_ping | Root required to open raw socket for ping |
| ncp_dh_arp | Root required to open low port |
| ncp_dh_ping | Root required to open raw socket for ping |
| ncp_trapmux | Root required to open low port |
| ncp_poller | Root required to open raw socket for ping |

The following libraries are made trusted, so that setuid binaries can use them. This is done by creating symbolic links to them from /usr/lib.
The following libraries in $NCHOME/precision/platform/aix5/lib64/ are made trusted:
- libDiscoCommon.so
- libDiscoFinders.so
- libDiscoHelper.so
- libNCPBase.so
- libNCPComms.so
- libNCPMOM.so
- libNCPPort.so
- libNCPVersion.so
- libVertigo.so
- libNCPCrypt.so
- libncryptcpp.so
The libncrypt.so library in $NCHOME/platform/aix5/lib64/ is made trusted.
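
To check an installation against the lists on this page after the script has run, the following added example (not part of the product and not IBM code) compares the setuid files found under $NCHOME with the documented set and reports extra setuid files, documented binaries that lack the bit, unexpected owners, and setuid binaries writable by group or other. The function names and finding labels are assumptions; the arch argument generalizes the three platform directory names listed above (linux2x86, linux2s390, aix5).

```shell
#!/bin/sh
# Added example, not part of the product. Audits setuid files under an
# install tree against the list documented on this page.
# Function names and finding labels are assumptions.

expected_setuid() {  # $1 = arch directory: linux2x86, linux2s390 or aix5
    printf '%s\n' \
        "precision/scripts/webtools/bin/fping" \
        "precision/scripts/webtools/bin/nanogtraceroute" \
        "omnibus/probes/$1/nco_p_mttrapd" \
        "omnibus/platform/$1/probes64/nco_p_mttrapd"
    for b in ncp_df_ping ncp_dh_arp ncp_dh_ping ncp_trapmux ncp_poller; do
        printf '%s\n' "precision/platform/$1/bin/$b"
    done
}

audit_setuid() {  # $1 = NCHOME, $2 = arch, $3 = expected owner (default root)
    home=$1; owner=${3:-root}; rc=0
    want=$(expected_setuid "$2")
    have=$(cd "$home" && find . -type f -perm -4000 | sed 's|^\./||' | sort)
    # Any setuid file outside the documented list is a finding.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf '%s\n' "$want" | grep -qxF -- "$f" || { echo "UNEXPECTED $f"; rc=1; }
    done <<EOF
$have
EOF
    while IFS= read -r f; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$f"; then
            echo "NOT_SETUID $f"; rc=1; continue
        fi
        # A setuid binary must belong to the expected owner and must not
        # be writable by group or other.
        [ -n "$(find "$home/$f" -user "$owner")" ] || { echo "BAD_OWNER $f"; rc=1; }
        if [ -n "$(find "$home/$f" \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $f"; rc=1
        fi
    done <<EOF
$want
EOF
    return $rc
}

# Run as: sh audit_setuid.sh "$NCHOME" linux2x86
if [ $# -ge 2 ]; then audit_setuid "$@"; fi
```

The script exits non-zero when there is any finding, so it can be run from a scheduled job after upgrades or fix packs to confirm that the setuid footprint still matches the documented one.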