After installing as root, are there any options for running Unidata as a
less-privileged service account? I'm working with a customer that for
security reasons does not want the main unidata processes running as root,
and they're pointing out that Oracle, Apache HTTP, Postgres and many other
server-side services have the ability to run under non-user accounts.
I don't think it's possible, and haven't seen anything in the docs (though
there is a hint that it's possible for UV, running as a user uvadm,
https://rbc.rocketsoftware.com/downloads/readme/UV-11.3.3.pdf?16:05)
Thanks for any experiences, both positive and negative!
Ian
UniData currently does not have a 'udadm' user in the same way UniVerse has 'uvadm' to perform some of those tasks. UniVerse itself was changed for this to happen. There is an outstanding request for this to happen in UniData. In order for this to happen there are quite a few changes that have to happen to the way some of the critical UniData memory structures are created and maintained. So for now UniData will have to be started and maintained as root.
For UniData on Windows you can specify a group that a user can belong to and this will bypass the internal UniData 'IsAdmin' check, however you will still run into problems when that user requires 'Admin' privileges on some of the internal structures. On Windows we also allow you to start the UniData services as a Network Service Account.
One method that I have seen a few customers use on UNIX systems is to have a sudo root user but control the commands that user can use and get all the key UniData admin commands added to it. In most cases this satisfies any audit or control requirements.
Regards,
------------------------------
Jonathan Smith
UniData ATS
Rocket Support
------------------------------
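The restricted-sudo approach described in the reply above, written out as an added example; it is not code from the thread or from Rocket Software. It generates a sudoers drop-in that confines a dedicated service account to a fixed list of UniData admin commands, and then lints the fragment for the mistakes that silently turn "limited sudo" back into unrestricted root (a grant of ALL, a wildcard, a shell or su, a command given without an absolute path). The account name udadm, the install path /usr/ud82/bin and the four command names are assumptions used as placeholders; the thread names none of them, so substitute the paths from the real installation.

```shell
#!/bin/sh
# Added example: restrict a UniData service account to a fixed set of
# admin commands via sudo, and sanity-check the resulting sudoers fragment.
# ASSUMPTIONS (placeholders, not from the thread or from Rocket):
#   UD_ACCOUNT  the non-root account that operates UniData
#   UD_BIN      the directory holding the UniData admin tools
#   the command names listed in ud_admin_commands

UD_ACCOUNT="udadm"
UD_BIN="/usr/ud82/bin"

# Commands the account may run as root. Absolute paths only: sudo matches
# the path, so a bare name or a directory would let any file so named run.
ud_admin_commands() {
    printf '%s\n' \
        "$UD_BIN/startud" \
        "$UD_BIN/stopud" \
        "$UD_BIN/udtmon" \
        "$UD_BIN/listuser"
}

# Emit the drop-in for /etc/sudoers.d/ (install it with "visudo -f <file>",
# which syntax-checks the fragment before it is saved).
generate_sudoers() {
    alias_list=$(ud_admin_commands | awk 'NR>1{printf ", "} {printf "%s", $0} END{print ""}')
    printf 'Cmnd_Alias UD_ADMIN = %s\n' "$alias_list"
    # Target user is root only; add NOPASSWD: only if unattended automation needs it.
    printf '%s ALL = (root) UD_ADMIN\n' "$UD_ACCOUNT"
    # Keep a transcript of each privileged command for the audit trail.
    printf 'Defaults:%s log_output\n' "$UD_ACCOUNT"
}

# Lint a sudoers fragment read on stdin. Exit 0 when every rule is confined,
# exit 1 (with a reason per offending entry) otherwise. Comments, blank lines
# and Defaults lines are ignored; this is a coarse check, not a replacement
# for "visudo -c".
lint_sudoers() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^Defaults/ { next }
        /^Cmnd_Alias/ {
            sub(/^Cmnd_Alias[[:space:]]+[A-Z0-9_]+[[:space:]]*=[[:space:]]*/, "")
            n = split($0, c, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) {
                if (c[i] !~ /^\//)   { print "not an absolute path (or ALL): " c[i]; bad = 1 }
                if (c[i] ~ /[*?]/)   { print "wildcard in command: " c[i]; bad = 1 }
                if (c[i] ~ /\/(sh|bash|dash|ksh|su|sudo)$/) { print "shell or su granted: " c[i]; bad = 1 }
            }
            next
        }
        {
            # user specification: strip "user host =", the "(runas)" part and any
            # tags, leaving only the command list, then look for a bare ALL.
            spec = $0
            sub(/^[^=]*=[[:space:]]*/, "", spec)
            sub(/^\([^)]*\)[[:space:]]*/, "", spec)
            while (sub(/^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):[[:space:]]*/, "", spec)) {}
            if (spec ~ /(^|,[[:space:]]*)ALL([[:space:]]*,|$)/) { print "rule grants ALL: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage: sh restrict-udadm.sh --print | lint_sudoers  (prints the fragment)
if [ "${1-}" = "--print" ]; then
    generate_sudoers
fi
```

The value of the lint step is that sudoers rules fail open in practice: a single `ALL` or a `/usr/ud82/bin/*` pattern hands the account a root shell, and nothing about the rule looks wrong at a glance. Reviewing the generated fragment with the lint before `visudo -f` installs it, and enabling `log_output`, is what makes the "sudo root user with a controlled command list" setup defensible to an auditor rather than merely present.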
it's on the road map. Many customers I work with are becoming more
security conscious (though not all, by far!), so this is one of those
checklist items for new projects. It had zero impact on the user
experience, so can see why it's not a high priority.
Thanks again,
Ian