Backup user

[cgswong]

Hi all,

Were are trying to implement a backup user who has access to all the file systems so he can do a full system backup the system. So far we have had little success as the user does not have access to all the systems so he can't do a system backup (root has to do it currently). We are using AIX 4.3 and backup/restore. Has anyone any ideas on how we could accomplish this? Any help is appreciated, thanks.

- Stuart

 

[ElgisRamon]

I recommend to use the [tt]sudo[/tt] package, with it you can specify the user has [tt]root[/tt] privileges but only for the [tt]backup/restore[/tt] commands!.

You can find [tt]sudo[/tt] at Bull: [tt]

http://www.bull.de/

[/tt]

I hope it works...

 

[shiraz]

hi
Yes! sudo is best solution under this scenerio;
however you can also implement restricted shell
for the user and restrict his access to few selected
commands( e.g savevg etc).

regds
Shiraz To Every Problem There is a solution...........

 

[cgswong]

Thanks I'll look into sudo, I didn't realize it ran on AIX as well.

Regards.

- Stuart

 

[cspilman]

Yes, sudo runs on AIX as well. I have been running sudo on ALL my AIX systems for a couple years now and lovin' it.

There is another site, if you want to take a look at, that goes into detail about the modifications made to make sudo run on AIX systems:

http://www.idsi.net/~bshma/chuck/vnc.html

Have fun!
Chuck

 

[cspilman]

Sorry... I copied the wrong bookmark... here it is:

http://www.stikman.com/sudo/sudo.html

Chuck

 

[nadim]

Why not setup a user which has similar privileges as root, but runs a menu when you login, and set a trap in the script so that people using the menu can't break out to the command line. I did this at my previous company, works wonders. !!!!!.

 

[cgswong]

Nadim,

Exactly how would I set up this backup user with similar privileges as root? Also, how would I set a trap in the script so they couldn't break out? If you have a sample script or something I could look at I would appreciate it. Thanks.

- Stuart

 

[nadim]

Lets assume you have a user id called - BACKUP

go into smit

smit user - change the 2nd field <USER ID> number to 0 (zero)

in your backup script

include the following -

trap &quot;&quot; 2

should work.

 

[cgswong]

I can't change the user id to '0'. I get a &quot;3004-692 error changing user id to '0'&quot; message. Since this is root's id I thought I would have some trouble. Is it possible to share root's id even if you specify shareable UID's?

Also, I assume the 'trap &quot;&quot; 2' traps CTRL-C so the backup user can't quit out to the command line. Is this so?

Regards.

- Stuart

 

[nadim]

1. Are you running AIX, if so what version ?.

2. Are you changing the user id through smit ?.

Yep, the TRAP &quot;&quot; 2 will prevent anyone from breaking out to the command line by pressing CTRL-C.

 

[nadim]

As drastic as it may seem,

just vi /etc/passwd and change the user id number to 0 (zero). After making the changes, login as backup and type whoami, it will say root, not backup.

Good luck.......

 

[cgswong]

I'm running AIX 4.3 and was using smit to do the change. Once I used 'vi' to change the UID to 0 (zero), it worked and when I log in as the backup user it does say logged in as root. Thanks for the help!

- Stuart