setup_run_as_setuid_root.sh

If you installed Network Manager as a non-root user, and you want to run Network Manager while logged on as the non-root user who installed the product, or another user in the same group, then you must run the script setup_run_as_setuid_root.sh. The processes that must be run as root have their setuid permission changed so that they run as root even when started by a non-root user. This procedure has security implications and must not be done on a server that untrusted users can log in to.

If you cannot run binary files with a UID of root for security reasons, run the setup_run_as_capabilities.sh script instead. This alternative is available on Linux platforms only.

Note: For this script to work correctly, you must be logged on as root when you run it.

Due to the way this script makes certain shared libraries into trusted libraries, only one installation per server can be set up to be run by a non-root user. If you have multiple installations of Network Manager on the same server, you must run all of them as root.

Running the script

To run the script, use a command line similar to the following example.
$NCHOME/precision/scripts/setup_run_as_setuid_root.sh

Command line options

This script has no command line options.

Files and directories which are made setuid root

The following section provides information about the files and directories whose security settings are changed when ITNM is installed as a non-root user.

x86 Linux

On x86 Linux, the following binaries are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| $NCHOME/precision/scripts/webtools/bin/fping | 3rd party tool, required to open raw socket (https://linux.die.net/man/8/fping). Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/precision/scripts/webtools/bin/nanogtraceroute | 3rd party tool, required to open raw socket. Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/omnibus/probes/linux2x86/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |
| $NCHOME/omnibus/platform/linux2x86/probes64/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |

The following binaries in $NCHOME/precision/platform/linux2x86/bin are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| ncp_df_ping | Root required to open raw socket for ping |
| ncp_dh_arp | Root required to open low port |
| ncp_dh_ping | Root required to open raw socket for ping |
| ncp_trapmux | Root required to open low port |
| ncp_poller | Root required to open raw socket for ping |

The following directories are made trusted, so that setuid binaries can search them:
  • $NCHOME/precision/platform/linux2x86/lib64
  • $NCHOME/omnibus/platform/linux2x86/lib64
  • $NCHOME/platform/linux2x86/lib64
  • $NCHOME/precision/platform/linux2x86/oracle_instant_client-11.2.0.4
  • $NCHOME/precision/platform/linux2x86/oracle_instant_client-12.1.0.2.0
  • $NCHOME/precision/jre/bin
  • $NCHOME/precision/jre/bin/j9vm
  • $NCHOME/precision/jre/lib/amd64
  • $NCHOME/precision/platform/linux2x86/db2-10.5.0.5/odbc_cli/clidriver/lib
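
As an added example (not part of the IBM documentation or the product's scripts), the following shell script audits the x86 Linux paths listed above after setup_run_as_setuid_root.sh has run: it reports any listed binary that is not owned by root or lacks the setuid bit, and any binary or trusted directory that is writable by group or other. It assumes GNU stat and that NCHOME is set in the environment; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not IBM code. Audits the x86 Linux paths listed above.
# Assumes GNU stat (coreutils) and NCHOME set in the environment.

# check_mode KIND UID MODE: prints "ok" or a space-separated finding list.
# KIND is "bin" (expected setuid root) or "dir" (trusted library directory).
check_mode() {
    kind=$1 uid=$2 mode=$3 out=""
    if [ "$kind" = bin ]; then
        [ "$uid" = 0 ] || out="$out not-root-owned"
        [ $(( 0$mode & 04000 )) -ne 0 ] || out="$out setuid-missing"
    fi
    # Group/world write access lets other accounts replace code run as root.
    [ $(( 0$mode & 022 )) -eq 0 ] || out="$out group-or-world-writable"
    out=${out# }
    echo "${out:-ok}"
}

# audit_path KIND PATH: prints one report line, returns non-zero on a finding.
audit_path() {
    [ -e "$2" ] || { echo "missing  $2"; return 1; }
    set -- "$1" "$2" $(stat -c '%u %a' "$2")   # appends owner UID, octal mode
    res=$(check_mode "$1" "$3" "$4")
    echo "$res  uid=$3 mode=$4  $2"
    [ "$res" = ok ]
}

# audit_install: checks every binary and directory from the x86 Linux lists.
audit_install() {
    p=$NCHOME/precision/platform/linux2x86 w=$NCHOME/precision/scripts/webtools/bin rc=0
    for f in "$w/fping" "$w/nanogtraceroute" \
             "$NCHOME/omnibus/probes/linux2x86/nco_p_mttrapd" \
             "$NCHOME/omnibus/platform/linux2x86/probes64/nco_p_mttrapd" \
             "$p/bin/ncp_df_ping" "$p/bin/ncp_dh_arp" "$p/bin/ncp_dh_ping" \
             "$p/bin/ncp_trapmux" "$p/bin/ncp_poller"; do
        audit_path bin "$f" || rc=1
    done
    for d in "$p/lib64" "$NCHOME/omnibus/platform/linux2x86/lib64" \
             "$NCHOME/platform/linux2x86/lib64" \
             "$p/oracle_instant_client-11.2.0.4" "$p/oracle_instant_client-12.1.0.2.0" \
             "$NCHOME/precision/jre/bin" "$NCHOME/precision/jre/bin/j9vm" \
             "$NCHOME/precision/jre/lib/amd64" \
             "$p/db2-10.5.0.5/odbc_cli/clidriver/lib"; do
        audit_path dir "$d" || rc=1
    done
    return $rc
}
# Run only where NCHOME is defined, that is, on a Network Manager host.
if [ -n "${NCHOME:-}" ]; then audit_install; fi
```
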

zLinux

On zLinux, the following binaries are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| $NCHOME/precision/scripts/webtools/bin/fping | 3rd party tool, required to open raw socket (https://linux.die.net/man/8/fping). Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/precision/scripts/webtools/bin/nanogtraceroute | 3rd party tool, required to open raw socket. Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/omnibus/probes/linux2s390/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |
| $NCHOME/omnibus/platform/linux2s390/probes64/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |

The following binaries in $NCHOME/precision/platform/linux2s390/bin are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| ncp_df_ping | Root required to open raw socket for ping |
| ncp_dh_arp | Root required to open low port |
| ncp_dh_ping | Root required to open raw socket for ping |
| ncp_trapmux | Root required to open low port |
| ncp_poller | Root required to open raw socket for ping |

The following directories are made trusted, so that setuid binaries can search them:
  • $NCHOME/precision/platform/linux2s390/lib64e
  • $NCHOME/omnibus/platform/linux2s390/lib64
  • $NCHOME/platform/linux2s390/lib64
  • $NCHOME/precision/platform/linux2s390/oracle_instant_client-11.2.0.4
  • $NCHOME/precision/platform/linux2s390/oracle_instant_client-12.1.0.2.0
  • $NCHOME/precision/jre/bin
  • $NCHOME/precision/jre/bin/j9vm
  • $NCHOME/precision/jre/lib/s390
  • $NCHOME/precision/platform/linux2s390/db2-10.5.0.5/odbc_cli/clidriver/lib

AIX

On AIX, the following binaries are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| $NCHOME/precision/scripts/webtools/bin/fping | 3rd party tool, required to open raw socket (https://linux.die.net/man/8/fping). Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/precision/scripts/webtools/bin/nanogtraceroute | 3rd party tool, required to open raw socket. Note: This tool requires 32-bit compatibility libraries. |
| $NCHOME/omnibus/probes/aix5/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |
| $NCHOME/omnibus/platform/aix5/probes64/nco_p_mttrapd | SNMP Trap probe, needs to bind to port less than 1024 |

The following binaries in $NCHOME/precision/platform/$arch/bin are made setuid root:

| Binary | Reason to make setuid root |
| --- | --- |
| ncp_df_ping | Root required to open raw socket for ping |
| ncp_dh_arp | Root required to open low port |
| ncp_dh_ping | Root required to open raw socket for ping |
| ncp_trapmux | Root required to open low port |
| ncp_poller | Root required to open raw socket for ping |

The following libraries are made trusted, so that setuid binaries can use them. This is done by creating symbolic links to them from /usr/lib.

The following libraries in $NCHOME/precision/platform/aix5/lib64/ are made trusted:
  • libDiscoCommon.so
  • libDiscoFinders.so
  • libDiscoHelper.so
  • libNCPBase.so
  • libNCPComms.so
  • libNCPMOM.so
  • libNCPPort.so
  • libNCPVersion.so
  • libVertigo.so
  • libNCPCrypt.so
  • libncryptcpp.so

The libncrypt.so library in $NCHOME/platform/aix5/lib64/ is made trusted.