Rocket U2 | UniVerse & UniData

  • 1.  Run Unidata services as non-root user?

    Posted 13 days ago
    After installing as root, are there any options for running Unidata as a
    less-privileged service account? I'm working with a customer that for
    security reasons does not want the main unidata processes running as root,
    and they're pointing out that Oracle, Apache HTTP, Postgres and many other
    server-side services have the ability to run under non-user accounts.

    I don't think it's possible, and haven't seen anything in the docs (though
    there is a hint that it's possible for UV, running as a user uvadm,
    https://rbc.rocketsoftware.com/downloads/readme/UV-11.3.3.pdf?16:05)

    Thanks for any experiences, both positive and negative!
    Ian


  • 2.  RE: Run Unidata services as non-root user?

    ROCKETEER
    Posted 13 days ago
    Ian,

    UniData currently does not have a 'udadm' user in the same way UniVerse has 'uvadm' to perform some of those tasks. UniVerse itself was changed for this to happen. There is an outstanding request for this to happen in UniData. In order for this to happen there are quite a few changes that have to happen to the way some of the critical UniData memory structures are created and maintained. So for now UniData will have to be started and maintained as root.

    For UniData on Windows you can specify a group that a user can belong to, and this will bypass the internal UniData 'IsAdmin' check; however, you will still run into problems when that user requires 'Admin' privileges on some of the internal structures. On Windows we also allow you to start the UniData services as the Network Service account as well.

    One method that I have seen a few customers use on UNIX systems is to have a sudo root user but control the commands that user can use and get all the key UniData admin commands added to it. In most cases this satisfies any audit or control requirements.

    Regards,



    ------------------------------
    Jonathan Smith
    UniData ATS
    Rocket Support
    ------------------------------
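
The sudo approach described in the reply above could look like the following sudoers drop-in. This is an added example, not part of the original post and not a Rocket-supplied configuration; the `/usr/ud/bin` path and the `udadmin` group are placeholders, and the command list (`startud`, `stopud`, `showud`, `listuser`, `stopudt`) is an assumed starting set to adjust per site.

```sudoers
# /etc/sudoers.d/unidata
# Edit only with: visudo -f /etc/sudoers.d/unidata  (syntax-checks before saving)
#
# ASSUMPTIONS (not from the original thread):
#   /usr/ud/bin  placeholder for the site's UniData bin directory
#   udadmin      hypothetical Unix group for UniData administrators

# Group the admin commands by purpose so access can be reviewed per task.
# Every entry is an absolute path with no wildcards, so a look-alike binary
# elsewhere on PATH never matches.
Cmnd_Alias UD_SERVICE  = /usr/ud/bin/startud, /usr/ud/bin/stopud
Cmnd_Alias UD_SESSIONS = /usr/ud/bin/listuser, /usr/ud/bin/stopudt

# A bare path permits any arguments; a trailing "" permits none.
Cmnd_Alias UD_STATUS   = /usr/ud/bin/showud ""

# Members of udadmin may run only these commands, only as root, and must
# authenticate with their own password (no NOPASSWD), so each invocation is
# attributed to a named person in the sudo log.
%udadmin ALL = (root) UD_SERVICE, UD_SESSIONS, UD_STATUS

# Deliberately absent: shells, editors, ALL, and anything with a shell escape.
# Any one of them turns this allowlist back into unrestricted root.
```

The allowlist is only as strong as the file permissions behind it: the listed binaries and every directory above them need to be root-owned and not writable by `udadmin` members. `sudo -l -U <user>` shows what a given account is actually permitted to run.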



  • 3.  RE: Run Unidata services as non-root user?

    Posted 13 days ago
    Jonathan, thanks for responding so quickly. It's too bad, but sounds like
    it's on the road map. Many customers I work with are becoming more
    security conscious (though not all, by far!), so this is one of those
    checklist items for new projects. It had zero impact on the user
    experience, so I can see why it's not a high priority.

    Thanks again,
    Ian