Discussion:
[Info-ingres] how can other user execute ingstart and ingstop
(too old to reply)
kathirvel
2006-11-29 05:17:53 UTC
Permalink
Hai All i am new to Ingres and i have one rpm when i install that rpm in a
normal user(other than root,ingres) and run a ingstart command it will
show the error like as follows

Ingres 2006/ingstart
Error while opening ingstart.log

Checking host "localhost.localdomain" for system resources required to run
Ingres 2006...

Your system has sufficient resources to run Ingres 2006.

Starting your Ingres 2006 installation...
Error while opening ingstart.log

Starting the Name Server...
Error while opening ingstart.log

Allocating shared memory for Logging and Locking Systems...
Error while opening ingstart.log
Could not create the system segment, does your kernel have enough
shared memory or has this program already been run?

Unable to allocate shared memory.

Error while opening ingstart.log
m***@ctsu.ox.ac.uk
2006-11-29 09:53:00 UTC
Permalink
Hi kathirvel,

Unless you are willing to put a lot of effort into this, the non ingres user
will not be able to start and stop ingres. There are lots of things under
the bonnet that may fry when you try.

Quite frankly in nearly 20 years of using Ingres, I've never been
tempted to do this. Why would you want anyone other than ingres to
start and stop the installation?

Martin Bowes
Post by kathirvel
Hai All i am new to Ingres and i have one rpm when i install that rpm
in a normal user(other than root,ingres) and run a ingstart command it
will show the error like as follows
Ingres 2006/ingstart
Error while opening ingstart.log
Checking host "localhost.localdomain" for system resources required to
run Ingres 2006...
Your system has sufficient resources to run Ingres 2006.
Starting your Ingres 2006 installation...
Error while opening ingstart.log
Starting the Name Server...
Error while opening ingstart.log
Allocating shared memory for Logging and Locking Systems...
Error while opening ingstart.log
Could not create the system segment, does your kernel have enough
shared memory or has this program already been run?
Unable to allocate shared memory.
Error while opening ingstart.log
_______________________________________________
Info-ingres mailing list
http://mailman.cariboulake.com/mailman/listinfo.py/info-ingres
m***@ctsu.ox.ac.uk
2006-11-29 10:58:11 UTC
Permalink
Hi Sankar,
Thanks for reply.i got some ideas to do that is we have to add one
more line in
opt/share/ingres/file/config.dat file.In that it contains
hostname.privileges.user.MyUserName:SERVER_CONTROL,NET_ADMIN,MONTIOR,T
RUSTE D. is it right way to proced or not?.
The server_control privilege should allow you to start or stop a server.

But you may find other problems in the OS that will prevent this.

For example, I just tried and got...
Starting DBMS Server (default)...Error while opening ingstart.log

The ingstart.log has to go under $II_SYSTEM/ingres/files and hence, I
have to make that are writeable. Plus the file written by user x has to be
readable and writeable by other users with permission to do the
ingstart.

Furthermore, there are shared memory considerations that are scary.

As I said initially, why do you want to do this?

Marty
m***@ctsu.ox.ac.uk
2006-11-29 11:16:10 UTC
Permalink
Hi Sankar,
Thanks for cooperation and i really surprised about u suddenly doing
my commands and reply
it.
Don't be surprised. After everytime I've said that something can't be
done - someone ends up showing me how it can be done - and then I
get to look like an idiot.

These days I tend to test things first.

What u have faced the prblm same the thing i am also faced.if u
will have get any idea regarding this pls dont forget to send to me.
Hold on there cowboy. Even if something can be done - this does not
mean it should be done.

Marty
Duncan Hill
2006-11-29 11:18:12 UTC
Permalink
Post by m***@ctsu.ox.ac.uk
Hi Sankar,
Thanks for reply.i got some ideas to do that is we have to add one
more line in
opt/share/ingres/file/config.dat file.In that it contains
hostname.privileges.user.MyUserName:SERVER_CONTROL,NET_ADMIN,MONTIOR,T
RUSTE D. is it right way to proced or not?.
The server_control privilege should allow you to start or stop a server.
But you may find other problems in the OS that will prevent this.
For example, I just tried and got...
Starting DBMS Server (default)...Error while opening ingstart.log
On a Linux box, and probably quite a few other *nix ones, you could always use
sudo to grant rights non-ingres users to execute ingstart etc as ingres.
They would only have to know their password, and sudo limits the commands
available, so no (in theory) other actions as the ingres user would be
possible.
Wooton, Geoffrey (NESL-IT)
2006-11-29 11:47:43 UTC
Permalink
The venerable Paul Mason wrote our routines to allow some 3rd party to run
ingres commands.
Only ingstop and ingstart, but I guess you could open this up if you so
desired...

It was a c routine which changed the uid to root to allow a su to ingres
without a prompt for the password. The commands allowed were hardcoded in
the header file... and the routine did not exit into either root nor ingres
and proved very useful and safe to use.
The header file and compilations were controlled by the ingres user so was
controlled.

Clever Lad this Paul Mason fella...

Geoff

-----Original Message-----
From: info-ingres-***@cariboulake.com
[mailto:info-ingres-***@cariboulake.com]On Behalf Of Duncan Hill
Sent: Wednesday, November 29, 2006 10:55 AM
To: info-***@cariboulake.com
Subject: Re: [Info-ingres] how can other user execute ingstart and
ingstop
Post by m***@ctsu.ox.ac.uk
Hi Sankar,
Thanks for reply.i got some ideas to do that is we have to add one
more line in
opt/share/ingres/file/config.dat file.In that it contains
hostname.privileges.user.MyUserName:SERVER_CONTROL,NET_ADMIN,MONTIOR,T
RUSTE D. is it right way to proced or not?.
The server_control privilege should allow you to start or stop a server.
But you may find other problems in the OS that will prevent this.
For example, I just tried and got...
Starting DBMS Server (default)...Error while opening ingstart.log
On a Linux box, and probably quite a few other *nix ones, you could always
use
sudo to grant rights non-ingres users to execute ingstart etc as ingres.
They would only have to know their password, and sudo limits the commands
available, so no (in theory) other actions as the ingres user would be
possible.
_______________________________________________
Info-ingres mailing list
Info-***@cariboulake.com
http://mailman.cariboulake.com/mailman/listinfo.py/info-ingres


**********************************************************************

The information contained in this e-mail is confidential and intended only
for the use of the addressee. If the reader of this message is not the
addressee, you are hereby notified that you have received this e-mail in
error and you must not copy, disseminate, distribute, use or take any action
as a result of the information contained in it.

If you have any queries, please contact the IT Service Desk on 1870
(01384-275454).

***@npower.com

**********************************************************************
Paul Mason
2006-11-29 12:32:20 UTC
Permalink
Post by Wooton, Geoffrey (NESL-IT)
The venerable Paul Mason wrote our routines to allow some 3rd party to run
ingres commands.
Actually it was just an adaptation of Gordon Crossman's unix runjob.
Post by Wooton, Geoffrey (NESL-IT)
Only ingstop and ingstart, but I guess you could open this up if you so
desired...
You could. If you search the google archives of this list for 1997 you
should find me asking about how to start ingres as a non-ingres user.
I eventually got it to work by changing permissions/ownership of a lot
of files after installing as ingres. It was ulgy though and I decided
not to do it that way.
Post by Wooton, Geoffrey (NESL-IT)
It was a c routine which changed the uid to root to allow a su to ingres
without a prompt for the password. The commands allowed were hardcoded in
the header file... and the routine did not exit into either root nor ingres
and proved very useful and safe to use.
I'm not sure how safe it was. I was always nervous about it. Gordy
admitted to me that it was a compromise between security and
practicality.
Post by Wooton, Geoffrey (NESL-IT)
The header file and compilations were controlled by the ingres user so was
controlled.
Clever Lad this Paul Mason fella...
Well that may or may not be true but in this instance it wasn't
cleverness it was being backed into a corner.

It was a project where we were contractually obliged to provide
hardware for the software house building the application. However a
separate development server had been removed from the budget. They'd
been given a small old server to do the actual code writing on but
they weren't able to do meaningful testing on it.

The decision was taken to allow them space on the production server. I
fought this and lost. We set up a separate ingres installation and
tried to ring-fence it as much as possible. However one thing that we
needed to do was allow them a way to re-start ingres as their
application tended to crash or hang it.

Now there was no way I was giving them the ingres password but I
already got called out enough for real problems, I didn't fancy adding
to that to just ingstop/ingstart - so we wrote a couple of programs
that would start/stop ingres only in their installation.

They worked but I was always nervous that if someone really tried
there was a security hole there to exploit.

So in short - it was something we did but not something I'd recommend.

--
Paul Mason

Loading...