Getting Permission denied in Linux agent


Hi,

I have created a rule in the Command control. The pseudocode for the
same is:


Begin Rule: Passwd Rule
If ((user IN Password Group) AND (command IN Password cmd))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Stop
End If
End Rule: Passwd Rule


In my Password Group I have the following users:
netiq
net

Now when I log in to my Linux machine and log in as the user "netiq"
using the following command:

su netiq;

Then I execute my command passwd as follows:

>usrun passwd;


I am getting the following error:

/usr/bin/usrun[39]:Permission denied

Also, I have created many rules, and when executing any of them, I am
getting the same "Permission denied" error.

Please help.


--
yogesh09021983
------------------------------------------------------------------------
yogesh09021983's Profile: https://forums.netiq.com/member.php?userid=683
View this thread: https://forums.netiq.com/showthread.php?t=2943


  • yogesh09021983;12420 Wrote:
    > [original post, quoted above]

    I am using the following Linux version:

    CentOS release 5.7 (Final)



    --
    yogesh09021983
    ------------------------------------------------------------------------
    yogesh09021983's Profile: https://forums.netiq.com/member.php?userid=683
    View this thread: https://forums.netiq.com/showthread.php?t=2943

  • -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Can you create any rule and have it work? Does this rule work in other
    environments? I do not have an NPUM system nearby for testing but I
    would start by narrowing down the rule to make it simple and functional,
    then add bits until it breaks.

    Good luck.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.19 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

    iQIcBAEBAgAGBQJQSIT2AAoJEF XTK08PnB5qA0QAIwV/tp5EWu7vF2dgSExuovS
    1fySyQNU8qgRLtIZRifo3XX3p6b2VcbLeaVr JX56vCz9l9ZT96CasnCzC9RqbS1
    QaVFWFCN8WM0T7Y1za2LLoqKWnroXjnSVOeGEeMm5EMIkWmZO3XsYBPON6Rwhkdv
    BeGZ0eyORtvu9UkU4oECL0tjOt cJnLk6P141V58GckElma6xFV5kEzt7JZL6SMu
    rfuksa zIgpf EJMoD xTPGTsvfR2VnvqrtmjrdgprasUYRDB4nENqIH2upT4mtA
    ukWbW2AkBfVaIM4esCKVI3Jq93yP X3GNFkM8ugACJrSHybWg44CtFV0xyEVMKPA
    wLhG60Ub2VXtW0Cg1ccmBlXrQ4QgLz8lcq8zMHxeb1mjmbCwqDW4fsNgOUKejI4l
    a3FedutCuscnviG81o6YTW3znz5lHx/s0kAkfmpSYt0CrTWEVlrR2BMUKpjFQVv2
    vqq3CskqZHVHSNXC7VZClA89IO6Nwkv2OLr/ueY4UOSomZreHmcGF0ojpcEPPlMO
    2mXk4Zn6OkZceMlb9CYiYqnQK9qt6rlXMy3ZyM7Vd2zXLl5nt1QLqm6vZ1aSaNHu
    VroJK61h323Dxq Yrq0Ju/Noft LCkRD5i3rPjOv5F/XRbhYuYEwvX3FRd2eT2Ij
    uxD I1Cz0HmJvse563re
    =UucQ
    -----END PGP SIGNATURE-----

  • ab;12503 Wrote:
    > Can you create any rule and have it work? Does this rule work in other
    > environments? I do not have an NPUM system nearby for testing but I
    > would start by narrowing down the rule to make it simple and functional,
    > then add bits until it breaks.
    >
    > Good luck.


    Hi,

    I have created many rules, but none of them is working. I have one Linux
    machine (running CentOS) on which I have installed the PUM agent, and I
    am executing my commands on the same machine.

    Also, in the reports the commands for the user are coming up as not
    authorised.

    Regards,


    --
    yogesh09021983
    ------------------------------------------------------------------------
    yogesh09021983's Profile: https://forums.netiq.com/member.php?userid=683
    View this thread: https://forums.netiq.com/showthread.php?t=2943


  • Yogesh,

    With Command Control rules, we start at the top of the ruleset and run
    down through them until we match and/or are told what to do. For
    example, the options given when creating a rule are 'authorize, return,
    stop if authorized, stop if unauthorized'. In your example you said to
    "stop", meaning that if this is the first rule in your ruleset, nothing will
    EVER continue past this rule, as you've told Command Control never to
    continue past it. We start at the top and head down the 'rule
    tree' until we are told what to do.

    Your example,

    Begin Rule: Passwd Rule
    If ((user IN Password Group) AND (command IN Password cmd))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Set runUser = "root"
    STOP
    End If
    End Rule: Passwd Rule

    Typically I'd choose the option of "stop if authorized" (instead of
    Stop). That way if we match on this rule, we authorize the rule, allow
    the command to run and stop searching through the rules for a match. If
    we don't match, then it allows the submitted command to run down through
    the rest of the rules you have created in an attempt to match.

    Looking over your passwd rule, I'm not sure it's going to do what you
    think it will.

    If you typed 'usrun passwd', it's going to match on your rule, run the
    command as root and attempt to change root's password (which would be
    the same as logging in as root and then typing passwd).

    With that being said, with a few changes I think you can have it do
    what you are wanting to do.

    I created a rule that allows you to run 'usrun passwd <user>'

    #without npum
    yogesh@host1:~> passwd jim
    You cannot change the shadow data for `jim'.

    #with pum - using the rules below
    yogesh@host1:~> usrun passwd jim
    Changing password for jim.
    New Password:
    Reenter New Password:
    Password changed.


    I've created a very simple rule set that you can import and play with.
    Please do the following: Framework GUI | Command Control | from the
    left nav, select Backup and Restore. Type in a name for your backup and
    then click 'Backup' (this will back up your existing rules).

    Next from the Command Control console, from the left nav, select
    'Import Settings', then copy and paste the below export. The export
    includes a single rule that allows the user 'yogesh' that is part of
    the "Password Group" to run the passwd command as root.

    <Records>
    <CCTree I.id="205">
    <CCTree I.id="0">
    <Rule I.id="1">
    <a.Rule I.key="4314" I.id="205"/>
    </Rule>
    <AccountGroup I.id="2"/>
    <UserGroup I.id="3">
    <a.UserGroup I.id="102" I.key="1"/>
    <a.UserGroup I.id="103" I.key="2"/>
    <a.UserGroup I.key="2396" I.id="203"/>
    </UserGroup>
    <HostGroup I.id="4">
    <a.HostGroup I.id="104" I.key="1"/>
    <a.HostGroup I.id="105" I.key="2"/>
    </HostGroup>
    <Command I.id="5">
    <a.Command I.key="2595" I.id="204"/>
    </Command>
    <Script I.id="6"/>
    <Tme I.id="7"/>
    <RuleTemplate I.id="8"/>
    <Report I.id="9"/>
    </CCTree>
    </CCTree>
    <Rule I.ref="1" I.type="0" name="Passwd Rule" I.disabled="0"
    I.id="4314">
    <Rule I.type="0" I.key="4314" I.disabled="0" name="Passwd Rule">
    <Match>
    <a.Logic I.key="2396" value="AND" type="UserGroup">
    <UserGroup I.value="2396" user="Passwd.username"/>
    </a.Logic>
    <a.Logic I.key="2595" value="AND" type="Command">
    <Command I.value="2595" cmd="Command.cmd"/>
    </a.Logic>
    </Match>
    <Metadata>
    <Exec runAs="root"/>
    <SessionCapture value="yes"/>
    <Authorized value="yes"/>
    </Metadata>
    <Disabled/>
    <Description value=""/>
    <Stop I.value="-3"/>
    </Rule>
    </Rule>
    <UserGroup I.type="0" name="Everyone" I.disabled="0" I.id="1">
    <UserGroup I.id="1" name="Everyone">
    <Disabled i.value="0"/>
    <Description value="All users"/>
    <UserList>
    <a.User value="*"/>
    </UserList>
    </UserGroup>
    </UserGroup>
    <UserGroup I.type="0" name="Submit User" I.disabled="0" I.id="2">
    <UserGroup I.id="2" name="Submit User">
    <Disabled i.value="0"/>
    <Description value="Submit User"/>
    <UserList>
    <a.User value="-"/>
    </UserList>
    </UserGroup>
    </UserGroup>
    <UserGroup I.type="0" name="Password Group" I.disabled="0"
    I.id="2396">
    <UserGroup I.type="0" name="Password Group" I.key="2396">
    <Disabled b.value="0"/>
    <RunUsers b.value="1"/>
    <SubmitUsers b.value="1"/>
    <Description value=""/>
    <MgrName value=""/>
    <MgrTel value=""/>
    <MgrEmail value=""/>
    <External b.value="0"/>
    <UserList>
    <a.User value="yogesh"/>
    </UserList>
    </UserGroup>
    </UserGroup>
    <HostGroup I.type="0" name="All Hosts" I.disabled="0" I.id="1">
    <HostGroup I.id="1" name="All Hosts">
    <Disabled i.value="0"/>
    <Description value="All hosts"/>
    <HostList>
    <a.Host value="*"/>
    </HostList>
    </HostGroup>
    </HostGroup>
    <HostGroup I.type="0" name="Submit Host" I.disabled="0" I.id="2">
    <HostGroup I.id="2" name="Submit Host">
    <Disabled i.value="0"/>
    <Description value="Submit Host"/>
    <HostList>
    <a.Host value="-"/>
    </HostList>
    </HostGroup>
    </HostGroup>
    <Command I.type="0" name="Password cmd" I.disabled="0" I.id="2595">
    <Command name="Password cmd" I.key="2595">
    <Disabled b.value="0"/>
    <Description value=""/>
    <NewCmd value="/usr/bin/passwd $*"/>
    <CmdList>
    <a.Cmd value="=~#^(|/usr/bin/)passwd(\\s+|$)#"/>
    </CmdList>
    </Command>
    </Command>
    <TestSuite I.type="0" name="Passwd" I.id="3713">
    <TestSuite I.type="0">
    <Description value=""/>
    <a.TestCase>
    <expected>
    <Command cmd="/usr/bin/passwd jim"/>
    <Authorized value="yes"/>
    <SessionCapture value="yes"/>
    <Exec runAs="root"/>
    </expected>
    <metadata>
    <Logon/>
    <Exec runAs="root"/>
    <Command cmd="/usr/bin/passwd jim"/>
    <Passwd username="yogesh"/>
    </metadata>
    </a.TestCase>
    <a.TestCase>
    <expected>
    <Command cmd="/usr/bin/passwd jim"/>
    <Authorized value="yes"/>
    <SessionCapture value="yes"/>
    <Exec runAs="root"/>
    </expected>
    <metadata>
    <Logon/>
    <Exec runAs="root"/>
    <Command cmd="passwd jim"/>
    <Passwd username="yogesh"/>
    </metadata>
    </a.TestCase>
    <a.TestCase>
    <expected>
    <Authorized value="no"/>
    <Exec runAs="root"/>
    </expected>
    <metadata>
    <Logon/>
    <Exec runAs="root"/>
    <Command cmd="passwd jim"/>
    <Passwd username="deni"/>
    </metadata>
    </a.TestCase>
    </TestSuite>
    </TestSuite>
    </Records>





    I've also created a test suite that can be used to validate your rules.
    In this case I created 3 test cases. See the documentation for more
    info on the test suite.

    However, here is how you access and use it: Home | Command Control |
    from the left nav, Test Suites.

    There is one Test Suite called 'Passwd' which contains 3 test cases.
    These test cases are run against the current rules to see if they match.
    All three should run; however, the 3rd test case should not authorize,
    because the submit user 'Deni' is not part of the "Password Group". The
    test will say it succeeded, but that is because I said I expected the
    'Deni' test case to fail. The Test Suite is a great way to validate the
    rules you are creating; it allows you to test them and confirm they are
    matching the rule you think they should.

    Good Luck,

    Brett






    yogesh09021983;12561 Wrote:
    > Hi,
    >
    > I have created many rules, but none of them is working. I have one Linux
    > machine (running CentOS) on which I have installed the PUM agent, and I
    > am executing my commands on the same machine.
    >
    > Also, in the reports the commands for the user are coming up as not
    > authorised.
    >
    > Regards,



    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
    View this thread: https://forums.netiq.com/showthread.php?t=2943
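Brett's walkthrough above (top-down evaluation, the 'stop' versus 'stop if authorized' options, and the three-case 'Passwd' test suite) as an added, runnable model. This is example code written for this page, not NetIQ's or NPUM's own code. The rule, group and command names and the CmdList pattern are taken from the export above; the evaluation semantics, the second 'Id Rule', and 'deni' being a member of that rule's group are assumptions made for the illustration.

```python
"""Added example, not NetIQ's code: a toy model of how a Command Control
ruleset is walked top-down, following Brett's description in this thread.
Names and the command pattern come from the export above; the evaluation
semantics and the second rule are assumptions."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Stop options as Brett lists them. 'stop' ends evaluation at this rule
# whether or not it matched; 'stop if authorized' ends it only once the
# request has been authorized; 'stop if unauthorized' only while it has
# not; 'return' is modelled here as "carry on to the next rule".
STOP = "stop"
STOP_IF_AUTHORIZED = "stop if authorized"
STOP_IF_UNAUTHORIZED = "stop if unauthorized"
RETURN = "return"


@dataclass
class Rule:
    name: str
    user_group: FrozenSet[str]   # submit users in the rule's UserGroup
    cmd_pattern: str             # regex from the Command object's CmdList
    run_as: str                  # Exec runAs
    stop: str                    # one of the stop options above


@dataclass
class Decision:
    authorized: bool = False
    run_as: Optional[str] = None
    evaluated: List[str] = field(default_factory=list)  # rules visited, in order
    matched: List[str] = field(default_factory=list)    # rules that matched


def rule_matches(rule: Rule, username: str, cmd: str) -> bool:
    """UserGroup AND Command, as in the rule's <Match> block."""
    return username in rule.user_group and re.search(rule.cmd_pattern, cmd) is not None


def evaluate(rules: List[Rule], username: str, cmd: str) -> Decision:
    """Walk the ruleset from the top until a stop option ends the search."""
    d = Decision()
    for rule in rules:
        d.evaluated.append(rule.name)
        if rule_matches(rule, username, cmd):
            d.matched.append(rule.name)
            d.authorized = True
            d.run_as = rule.run_as
        if rule.stop == STOP:
            break
        if rule.stop == STOP_IF_AUTHORIZED and d.authorized:
            break
        if rule.stop == STOP_IF_UNAUTHORIZED and not d.authorized:
            break
    return d


# The export's CmdList pattern, read as (\s+|$); the '+' is assumed to
# have been lost when the XML was pasted into the forum.
PASSWD_PATTERN = r"^(|/usr/bin/)passwd(\s+|$)"


def passwd_ruleset(stop_option: str) -> List[Rule]:
    """Brett's 'Passwd Rule' followed by a second, constructed rule
    (hypothetical, not in the export) that lets a wider group run 'id'."""
    return [
        Rule("Passwd Rule", frozenset({"yogesh"}), PASSWD_PATTERN, "root", stop_option),
        Rule("Id Rule", frozenset({"yogesh", "deni"}), r"^(|/usr/bin/)id(\s+|$)",
             "root", STOP_IF_AUTHORIZED),
    ]


# The three test cases of the 'Passwd' suite: (submit user, cmd, expected authorized)
TEST_SUITE = [
    ("yogesh", "/usr/bin/passwd jim", True),
    ("yogesh", "passwd jim", True),
    ("deni", "passwd jim", False),
]


def run_test_suite(rules: List[Rule], cases=TEST_SUITE) -> List[Tuple[str, bool]]:
    """A case succeeds when the decision equals what was expected, so the
    'deni' case succeeds precisely because it is expected not to authorize."""
    results = []
    for user, cmd, expected in cases:
        got = evaluate(rules, user, cmd).authorized
        results.append((f"{user}: {cmd}", got == expected))
    return results


if __name__ == "__main__":
    # With 'stop', a non-matching request never reaches the second rule.
    for opt in (STOP, STOP_IF_AUTHORIZED):
        d = evaluate(passwd_ruleset(opt), "deni", "id")
        print(f"{opt:20} deni 'id' -> authorized={d.authorized} evaluated={d.evaluated}")
    print(run_test_suite(passwd_ruleset(STOP_IF_AUTHORIZED)))
```

Running it shows why the unconditional 'stop' is the wrong choice for a first rule: a request that does not match the Passwd Rule ends evaluation there and is left unauthorized, whereas 'stop if authorized' lets it fall through to later rules. The test-suite runner mirrors Brett's point that a case "succeeds" when the outcome equals the expectation, including an expected denial.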


  • Hey Brett,

    Thanks a lot for your efforts. I have tried the commands as you told me
    and they now work fine.

    Now the only problem is, my command control reports are not getting
    refreshed. The following error is coming in the unifid.logs file:

    Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting
    SSL connection from 192.168.200.28

    (I have installed my framework manager on 192.168.200.28. Could this
    be the reason the logs are not refreshing?)

    The contents of my log file are as follows:

    Tue Jul 17 12:14:13 2012, 273, 716, 1452, Info, secaudit replMembers
    client:localhost rc:0 status:0 (16ms)
    Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, strfwd replMembers
    client:localhost rc:0 status:0 (0ms)
    Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, syslogemit replMembers
    client:localhost rc:0 status:0 (0ms)
    Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, registry svcRegister
    client:win2k3en-2a6o5d rc:0 status:0(win2k3en-2a6o5d) (172ms)
    Tue Jul 17 12:14:13 2012, 289, 488, 1452, Info, Registration successful
    for win2k3en-2a6o5d to win2k3en-2a6o5d:29120
    Tue Jul 17 12:17:44 2012, 617, 2584, 1452, Info, https GET /
    client:192.168.200.28 rc:0 status:200(OK) (63ms)
    Tue Jul 17 12:17:44 2012, 679, 2584, 1452, Info, https GET
    /LoadFlash.js client:192.168.200.28 rc:0 status:200(OK) (15ms)
    Tue Jul 17 12:17:44 2012, 789, 2696, 1452, Info, https GET /fitFlash.js
    client:192.168.200.28 rc:0 status:200(OK) (0ms)
    Tue Jul 17 12:17:44 2012, 789, 2740, 1452, Info, https GET /Help.js
    client:192.168.200.28 rc:0 status:200(OK) (0ms)
    Tue Jul 17 12:17:49 2012, 226, 2740, 1452, Info, https GET /favicon.ico
    client:192.168.200.28 rc:0 status:404(Not Found) (16ms)
    Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting
    SSL connection from 192.168.200.28


    Regards,
    Yogesh


    --
    yogesh09021983
    ------------------------------------------------------------------------
    yogesh09021983's Profile: https://forums.netiq.com/member.php?userid=683
    View this thread: https://forums.netiq.com/showthread.php?t=2943
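An added example (not NetIQ's code) that parses the unifid.log lines quoted in Yogesh's post and summarises, per client, the HTTPS requests seen and the failed SSL accepts. The sample lines are re-joined from the post where the forum wrapped them; the names given to the three numeric columns are assumptions, since the page does not say what they hold.

```python
"""Added example, not NetIQ's code: parse the unifid.log lines quoted in
this thread and pick out failed SSL accepts per client."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Optional

# Constructed from the lines Yogesh posted, with wrapped lines re-joined.
SAMPLE_LOG = """\
Tue Jul 17 12:14:13 2012, 273, 716, 1452, Info, secaudit replMembers client:localhost rc:0 status:0 (16ms)
Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, strfwd replMembers client:localhost rc:0 status:0 (0ms)
Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, syslogemit replMembers client:localhost rc:0 status:0 (0ms)
Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, registry svcRegister client:win2k3en-2a6o5d rc:0 status:0(win2k3en-2a6o5d) (172ms)
Tue Jul 17 12:14:13 2012, 289, 488, 1452, Info, Registration successful for win2k3en-2a6o5d to win2k3en-2a6o5d:29120
Tue Jul 17 12:17:44 2012, 617, 2584, 1452, Info, https GET / client:192.168.200.28 rc:0 status:200(OK) (63ms)
Tue Jul 17 12:17:44 2012, 679, 2584, 1452, Info, https GET /LoadFlash.js client:192.168.200.28 rc:0 status:200(OK) (15ms)
Tue Jul 17 12:17:44 2012, 789, 2696, 1452, Info, https GET /fitFlash.js client:192.168.200.28 rc:0 status:200(OK) (0ms)
Tue Jul 17 12:17:44 2012, 789, 2740, 1452, Info, https GET /Help.js client:192.168.200.28 rc:0 status:200(OK) (0ms)
Tue Jul 17 12:17:49 2012, 226, 2740, 1452, Info, https GET /favicon.ico client:192.168.200.28 rc:0 status:404(Not Found) (16ms)
Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting SSL connection from 192.168.200.28
"""

# Column names ms/tid/pid are assumptions; the page does not document them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}), "
    r"(?P<ms>\d+), (?P<tid>\d+), (?P<pid>\d+), (?P<level>\w+), (?P<msg>.*)$"
)
SSL_ERR_RE = re.compile(r"Error \((?P<code>\d+)\) accepting SSL connection from (?P<client>\S+)")
CLIENT_RE = re.compile(r"\bclient:(?P<client>\S+)")
STATUS_RE = re.compile(r"\bstatus:(?P<status>\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one unifid.log record into fields; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def summarize(text: str) -> Dict[str, dict]:
    """Per client: request count, status-code histogram, and SSL accept errors."""
    by_client = defaultdict(lambda: {"requests": 0, "statuses": Counter(), "ssl_errors": []})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        err = SSL_ERR_RE.search(rec["msg"])
        if err:
            # Note the level is still "Info": filtering on level alone would miss it.
            by_client[err["client"]]["ssl_errors"].append((rec["ts"], int(err["code"])))
            continue
        cli = CLIENT_RE.search(rec["msg"])
        if cli:
            entry = by_client[cli["client"]]
            entry["requests"] += 1
            st = STATUS_RE.search(rec["msg"])
            if st:
                entry["statuses"][int(st["status"])] += 1
    return dict(by_client)


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info["requests"], dict(info["statuses"]), info["ssl_errors"])
```

The summary makes the sequence in the post easy to read: the manager at 192.168.200.28 completed a series of HTTPS GETs successfully and then, about half a minute later, one SSL accept from the same address failed. The error is logged at "Info" level, so a filter on severity alone would not surface it; matching on the message text does.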


  • Yogesh,

    What do you mean that your 'command control reports are not getting
    refreshed'?

    Are you stating that your authorized sessions and keystrokes are not
    showing up in Reporting?

    - Brett


    yogesh09021983;13023 Wrote:
    > Hey Brett,
    >
    > Thanks a lot for your efforts. I have tried the commands as you told me
    > and they now work fine.
    >
    > Now the only problem is, my command control reports are not getting
    > refreshed. The following error is coming in the unifid.logs file:
    >
    > Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting
    > SSL connection from 192.168.200.28
    >
    > (I have installed my framework manager on 192.168.200.28. Could this
    > be the reason the logs are not refreshing?)
    >
    > The contents of my log file are as follows:
    >
    > Tue Jul 17 12:14:13 2012, 273, 716, 1452, Info, secaudit replMembers
    > client:localhost rc:0 status:0 (16ms)
    > Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, strfwd replMembers
    > client:localhost rc:0 status:0 (0ms)
    > Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, syslogemit replMembers
    > client:localhost rc:0 status:0 (0ms)
    > Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, registry svcRegister
    > client:win2k3en-2a6o5d rc:0 status:0(win2k3en-2a6o5d) (172ms)
    > Tue Jul 17 12:14:13 2012, 289, 488, 1452, Info, Registration successful
    > for win2k3en-2a6o5d to win2k3en-2a6o5d:29120
    > Tue Jul 17 12:17:44 2012, 617, 2584, 1452, Info, https GET /
    > client:192.168.200.28 rc:0 status:200(OK) (63ms)
    > Tue Jul 17 12:17:44 2012, 679, 2584, 1452, Info, https GET
    > /LoadFlash.js client:192.168.200.28 rc:0 status:200(OK) (15ms)
    > Tue Jul 17 12:17:44 2012, 789, 2696, 1452, Info, https GET /fitFlash.js
    > client:192.168.200.28 rc:0 status:200(OK) (0ms)
    > Tue Jul 17 12:17:44 2012, 789, 2740, 1452, Info, https GET /Help.js
    > client:192.168.200.28 rc:0 status:200(OK) (0ms)
    > Tue Jul 17 12:17:49 2012, 226, 2740, 1452, Info, https GET /favicon.ico
    > client:192.168.200.28 rc:0 status:404(Not Found) (16ms)
    > Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting
    > SSL connection from 192.168.200.28
    >
    >
    > Regards,
    > Yogesh



    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
    View this thread: https://forums.netiq.com/showthread.php?t=2943
