Rocket U2 | UniVerse & UniData

After installing as root, are there any options for running Unidata as a
less-privileged service account? I'm working with a customer that for
security reasons does not want the main unidata processes running as root,
and they're pointing out that Oracle, Apache HTTP, Postgres and many other
server-side services have the ability to run under non-user accounts.

I don't think it's possible, and haven't seen anything in the docs (though
there is a hint that it's possible for UV, running as a user uvadm,
https://rbc.rocketsoftware.com/downloads/readme/UV-11.3.3.pdf?16:05)

Thanks for any experiences, both positive and negative!
Ian

Ian,

UniData currently does not have a 'udadm' user in the same way UniVerse has 'uvadm' to perform some of those tasks. UniVerse itself was changed for this to happen. There is an outstanding request for this to happen in UniData. In order for this to happen there are quite a few changes that have to happen to the way some of the critical UniData memory structures are created and maintained. So for now UniData will have to be started and maintained as root.

For UniData on Windows you can specify a group that a user can belong to and this will bypass the internal UniData 'IsAdmin' check, however you will still run into problem when that user requires 'Admin' privileges on some of the internal structures. On Windows we also allow you to start the UniData services as Network Service Account as well.

One method that I have seen a few customers use on UNIX systems is to have a sudo root user but control the commands that user can use and get all the key UniData admin commands added to it. In most cases this satisfies any audit or control requirements.

Regards,



------------------------------
Jonathan Smith
UniData ATS
Rocket Support
------------------------------

Original Message:
Sent: 08-03-2022 04:15
From: Ian McGowan
Subject: Run Unidata services as non-root user?

After installing as root, are there any options for running Unidata as a
less-privileged service account? I'm working with a customer that for
security reasons does not want the main unidata processes running as root,
and they're pointing out that Oracle, Apache HTTP, Postgres and many other
server-side services have the ability to run under non-user accounts.

I don't think it's possible, and haven't seen anything in the docs (though
there is a hint that it's possible for UV, running as a user uvadm,
https://rbc.rocketsoftware.com/downloads/readme/UV-11.3.3.pdf?16:05)

Thanks for any experiences, both positive and negative!
Ian

Jonathan, thanks for responding so quickly. It's too bad, but sounds like
it's on the road map. Many customers I work with are becoming more
security conscious (though not all, by far!), so this is one of those
checklist items for new projects. It had zero impact on the user
experience, so can see why it's not a high priority.

Thanks again,
Ian


Original Message:
Sent: 8/3/2022 5:08:00 AM
From: Jonathan Smith
Subject: RE: Run Unidata services as non-root user?

Ian,

UniData currently does not have a 'udadm' user in the same way UniVerse has 'uvadm' to perform some of those tasks. UniVerse itself was changed for this to happen. There is an outstanding request for this to happen in UniData. In order for this to happen there are quite a few changes that have to happen to the way some of the critical UniData memory structures are created and maintained. So for now UniData will have to be started and maintained as root.

For UniData on Windows you can specify a group that a user can belong to and this will bypass the internal UniData 'IsAdmin' check, however you will still run into problem when that user requires 'Admin' privileges on some of the internal structures. On Windows we also allow you to start the UniData services as Network Service Account as well.

One method that I have seen a few customers use on UNIX systems is to have a sudo root user but control the commands that user can use and get all the key UniData admin commands added to it. In most cases this satisfies any audit or control requirements.

Regards,



------------------------------
Jonathan Smith
UniData ATS
Rocket Support
------------------------------

Original Message:
Sent: 08-03-2022 04:15
From: Ian McGowan
Subject: Run Unidata services as non-root user?

After installing as root, are there any options for running Unidata as a
less-privileged service account? I'm working with a customer that for
security reasons does not want the main unidata processes running as root,
and they're pointing out that Oracle, Apache HTTP, Postgres and many other
server-side services have the ability to run under non-user accounts.

I don't think it's possible, and haven't seen anything in the docs (though
there is a hint that it's possible for UV, running as a user uvadm,
https://rbc.rocketsoftware.com/downloads/readme/UV-11.3.3.pdf?16:05)

Thanks for any experiences, both positive and negative!
Ian