
Remove root use in Dollar Universe uxdqmlan from a node

Article ID: 239519

Products

CA Automic Dollar Universe

Issue/Introduction

A Dollar Universe Node was installed on a Linux/Unix server using the root account but with a service account as administrator for Dollar Universe.

Recently, we had a new security standardization to limit the usage of the root user.

We have checked and all Dollar Universe job submissions are using root (i.e. if we specify the submission account as a service account, Dollar Universe still switches user to that submission account from root, and this was flagged as non-compliant).

Can you tell us if there is a way to change the job submission account to another user (not root) or to update the existing root installation to a non-root installation for the Dollar Universe node?

Cause

By default, in a privileged user installation (root), the binary uxdqmlan is owned by root and has the setuid bit enabled, which allows jobs to be submitted as any system user.

Environment

Release : 6.x

Component : DOLLAR UNIVERSE

OS: Unix/Linux

Resolution

It is possible to move from a privileged installation of a Dollar Universe Node to a non-privileged user installation (non-root).
Be aware that this can only be done if there is a single system user under which all Jobs are submitted, and that same user is the one used in ALL Submission Accounts defined on the Node.

To do so:

  1. Log in as root, then load the Dollar Universe environment:
    source /path_to_dollar_universe_node/unienv.ksh
  2. Stop the node:
    $UNI_DIR_EXEC/unistop
  3. Assign the node to the service account:
    $UNI_DIR_EXEC/uxrights -m assign -a your_service_account_name
  4. Remove the root permissions from uxdqmlan so that the jobs can only be submitted by the administrator (your_service_account_name):
    $UNI_DIR_EXEC/uxrights -m restrict
  5. Start the node:
    $UNI_DIR_EXEC/unistart

  6. Change the ownership of the installation folders as well, as indicated here:
    chown -R your_service_account_name:your_service_account_group /var/opt/ORSYP/.Installer
  7. Keep in mind that you will have to repeat step 4 ($UNI_DIR_EXEC/uxrights -m restrict) every time you upgrade the node to a newer version.
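
A way to confirm the end state of steps 4 and 6, and to re-check it after each upgrade (step 7), is to test for the condition described under Cause: uxdqmlan owned by root with the setuid bit set. This script is an added example, not part of the original article or the vendor's tooling; the function names are hypothetical, and the path to uxdqmlan is not given in the article, so it is passed as an argument.

```shell
#!/bin/sh
# Added example: verify the end state of steps 4 and 6.
# Assumption: the operator supplies the path to uxdqmlan (the article does not give it).

# 0 = not setuid root, 1 = still setuid root, 2 = file missing.
check_not_setuid_root() {
    bin=$1
    if [ ! -f "$bin" ]; then
        echo "ERROR: $bin not found" >&2
        return 2
    fi
    # find prints the path only if the file is owned by uid 0 AND has the
    # setuid bit (04000); -H resolves a symlink given on the command line.
    hit=$(find -H "$bin" -prune -type f -user 0 -perm -4000 -print)
    if [ -n "$hit" ]; then
        echo "NON-COMPLIANT: setuid root: $(ls -lnL "$bin")"
        return 1
    fi
    echo "OK: not setuid root: $(ls -lnL "$bin")"
    return 0
}

# 0 = every entry under dir is owned by owner, 1 = strays found, 2 = dir missing.
check_tree_owner() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir not found" >&2
        return 2
    fi
    strays=$(find "$dir" ! -user "$owner" -print | head -n 5)
    if [ -n "$strays" ]; then
        echo "NON-COMPLIANT: not owned by $owner under $dir (first 5):"
        echo "$strays"
        return 1
    fi
    echo "OK: $dir is owned by $owner"
    return 0
}

# Usage: sh check_du_rights.sh /path/to/uxdqmlan your_service_account_name
if [ "$#" -eq 2 ]; then
    check_not_setuid_root "$1" && check_tree_owner /var/opt/ORSYP/.Installer "$2"
fi
```

A non-zero exit status means the node is back in the privileged state or the installer tree still has entries owned by another account, so the script can be wired into a post-upgrade checklist or a compliance scan.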