Running hcidbump under other users

[Greg Tataryn]

We are working on improving the security of our engine by having each user log into the terminal with their own user accounts. We are slowly uncovering items that do not work well or at all under these accounts. For example, hcidbdump gives an error message as shown below.

Code:

[0:_hcidbdump_] (-940) ‘RDM Embedded DB error: “SYSTEM/OS error: -940
file in use
C errno = 13: Permission denied”
‘
PANIC: assertion ‘(errnum > -900) || (errnum < -966)' failed at dberr.cpp/48

In addition to looking for a resolution to the above, if anyone has experience with setting up for users to log in under their own accounts and can share any other “got ya’s” or things we need to check it would be appreciated.[/code]

Topic

[Michael Hertel]

We log in under our own user accounts and then immediately su to hci.

[Mark Thompson]

We log into AIX user accounts.  Only sudo to the hci account when needed.  Sudo is better controlled than su from a security standpoint for a couple reasons:

– Access is from the user password – don’t need to give out the HCI password

– At least at our site, sudo triggers enhanced command logging at the unix level.

User accounts have access to most functionality based on shared group permissions.  We have set some executables (like hcienginerun, hcisitectl) set to permission 700 so only the hci account can perform these actions.

- Mark Thompson
HealthPartners

[Rob Lindsey]

Here we login via an SSH prompt to our own user accounts and then su – hci to the hci account.  

Each user has their own history commands and I have setup the hcidbdump command to use the -U command so that the engine won’t have an issue if a command line user does something a bit strange with the hcidbdump command.

[Author]

Replies