Anonymous_User Absent Member.

Getting Permission denied in Linux agent


Hi,

I have created a rule in the Command control. The pseudocode for the
same is:


Begin Rule: Passwd Rule
If ((user IN Password Group) AND (command IN Password cmd))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Stop
End If
End Rule: Passwd Rule


In my Password Group I have the following users:
netiq
net

Now when I log in to my Linux machine and log in as the user "netiq"
using the following command:

su netiq;

Then I execute my passwd command as follows:

>usrun passwd;


I am getting the following error:

/usr/bin/usrun[39]:Permission denied

Also, I have created many rules, and when executing any of them, I am
getting the same "Permission denied" error.

Please help.


--
yogesh09021983
------------------------------------------------------------------------
yogesh09021983's Profile: https://forums.netiq.com/member.php?userid=683
View this thread: https://forums.netiq.com/showthread.php?t=2943

7 Replies

Re: Getting Permission denied in Linux agent


yogesh09021983;12420 Wrote:
> Hi,
>
> I have created a rule in the Command control. The pseudocode for the
> same is:
>
>
> Begin Rule: Passwd Rule
> If ((user IN Password Group) AND (command IN Password cmd))
> Then
> Set Authorize: yes
> Set Session Capture: yes
> Set runUser = "root"
> Stop
> End If
> End Rule: Passwd Rule
>
>
> In my Password Group I have the following users:
> netiq
> net
>
> Now when I log in to my Linux machine and log in as the user "netiq"
> using the following command:
>
> su netiq;
>
> Then I execute my passwd command as follows:
>
> >usrun passwd;
>
> I am getting the following error:
>
> /usr/bin/usrun[39]:Permission denied
>
> Also, I have created many rules, and when executing any of them, I am
> getting the same "Permission denied" error.
>
> Please help.
>
> I am using the following Linux version:
>
> CentOS release 5.7 (Final)



--
yogesh09021983


Re: Getting Permission denied in Linux agent

Can you create any rule and have it work? Does this rule work in other
environments? I do not have an NPUM system nearby for testing but I
would start by narrowing down the rule to make it simple and functional,
then add bits until it breaks.

Good luck.

Re: Getting Permission denied in Linux agent


ab;12503 Wrote:
>
> Can you create any rule and have it work? Does this rule work in other
> environments? I do not have an NPUM system nearby for testing but I
> would start by narrowing down the rule to make it simple and functional,
> then add bits until it breaks.
>
> Good luck.


Hi,

I have created many rules, but none of them is working. I have one Linux
machine (running CentOS) on which I have installed the PUM agent, and I
am executing my commands on the same machine.

Also, in the reports, the commands for the user are showing as not
authorised.

Regards,


--
yogesh09021983


Re: Getting Permission denied in Linux agent


Yogesh,

With Command Control rules, we start at the top of the ruleset and run
down through them until we match and/or are told what to do. For
example, the options given when creating a rule are 'authorize, return,
stop if authorized, stop if unauthorized'. In your example you said to
"stop", meaning if this is the first rule in your ruleset, nothing will
EVER continue past this rule, as you've told Command Control to never
continue past this rule. We start at the top and head down the 'rule
tree' until we are told what to do.

Your example,

Begin Rule: Passwd Rule
If ((user IN Password Group) AND (command IN Password cmd))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
STOP
End If
End Rule: Passwd Rule

Typically I'd choose the option of "stop if authorized" (instead of
Stop). That way if we match on this rule, we authorize the rule, allow
the command to run and stop searching through the rules for a match. If
we don't match, then it allows the submitted command to run down through
the rest of the rules you have created in an attempt to match.

Looking over your passwd rule I'm not sure it's going to do what you
think it will.

If you typed 'usrun passwd' it's going to match on your rule, run the
command as root and attempt to change root's password (which would be
the same as logging in as root and then typing passwd).

With that being said, with a few changes I think you can have it do
what you are wanting to do.

I created a rule that allows you to run 'usrun passwd <user>'.

#without npum
yogesh@host1:~> passwd jim
You cannot change the shadow data for `jim'.

#with pum - using the rules below
yogesh@host1:~> usrun passwd jim
Changing password for jim.
New Password:
Reenter New Password:
Password changed.


I've created a very simple rule set that you can import and play with.
Please do the following: Framework GUI | Command Control | from the
left nav, select Backup and Restore. Type in a name for your backup and
then click 'Backup' (this will back up your existing rules).

Next from the Command Control console, from the left nav, select
'Import Settings', then copy and paste the below export. The export
includes a single rule that allows the user 'yogesh' that is part of
the "Password Group" to run the passwd command as root.

<Records>
  <CCTree I.id="205">
    <CCTree I.id="0">
      <Rule I.id="1">
        <a.Rule I.key="4314" I.id="205"/>
      </Rule>
      <AccountGroup I.id="2"/>
      <UserGroup I.id="3">
        <a.UserGroup I.id="102" I.key="1"/>
        <a.UserGroup I.id="103" I.key="2"/>
        <a.UserGroup I.key="2396" I.id="203"/>
      </UserGroup>
      <HostGroup I.id="4">
        <a.HostGroup I.id="104" I.key="1"/>
        <a.HostGroup I.id="105" I.key="2"/>
      </HostGroup>
      <Command I.id="5">
        <a.Command I.key="2595" I.id="204"/>
      </Command>
      <Script I.id="6"/>
      <Tme I.id="7"/>
      <RuleTemplate I.id="8"/>
      <Report I.id="9"/>
    </CCTree>
  </CCTree>
  <Rule I.ref="1" I.type="0" name="Passwd Rule" I.disabled="0" I.id="4314">
    <Rule I.type="0" I.key="4314" I.disabled="0" name="Passwd Rule">
      <Match>
        <a.Logic I.key="2396" value="AND" type="UserGroup">
          <UserGroup I.value="2396" user="Passwd.username"/>
        </a.Logic>
        <a.Logic I.key="2595" value="AND" type="Command">
          <Command I.value="2595" cmd="Command.cmd"/>
        </a.Logic>
      </Match>
      <Metadata>
        <Exec runAs="root"/>
        <SessionCapture value="yes"/>
        <Authorized value="yes"/>
      </Metadata>
      <Disabled/>
      <Description value=""/>
      <Stop I.value="-3"/>
    </Rule>
  </Rule>
  <UserGroup I.type="0" name="Everyone" I.disabled="0" I.id="1">
    <UserGroup I.id="1" name="Everyone">
      <Disabled i.value="0"/>
      <Description value="All users"/>
      <UserList>
        <a.User value="*"/>
      </UserList>
    </UserGroup>
  </UserGroup>
  <UserGroup I.type="0" name="Submit User" I.disabled="0" I.id="2">
    <UserGroup I.id="2" name="Submit User">
      <Disabled i.value="0"/>
      <Description value="Submit User"/>
      <UserList>
        <a.User value="-"/>
      </UserList>
    </UserGroup>
  </UserGroup>
  <UserGroup I.type="0" name="Password Group" I.disabled="0" I.id="2396">
    <UserGroup I.type="0" name="Password Group" I.key="2396">
      <Disabled b.value="0"/>
      <RunUsers b.value="1"/>
      <SubmitUsers b.value="1"/>
      <Description value=""/>
      <MgrName value=""/>
      <MgrTel value=""/>
      <MgrEmail value=""/>
      <External b.value="0"/>
      <UserList>
        <a.User value="yogesh"/>
      </UserList>
    </UserGroup>
  </UserGroup>
  <HostGroup I.type="0" name="All Hosts" I.disabled="0" I.id="1">
    <HostGroup I.id="1" name="All Hosts">
      <Disabled i.value="0"/>
      <Description value="All hosts"/>
      <HostList>
        <a.Host value="*"/>
      </HostList>
    </HostGroup>
  </HostGroup>
  <HostGroup I.type="0" name="Submit Host" I.disabled="0" I.id="2">
    <HostGroup I.id="2" name="Submit Host">
      <Disabled i.value="0"/>
      <Description value="Submit Host"/>
      <HostList>
        <a.Host value="-"/>
      </HostList>
    </HostGroup>
  </HostGroup>
  <Command I.type="0" name="Password cmd" I.disabled="0" I.id="2595">
    <Command name="Password cmd" I.key="2595">
      <Disabled b.value="0"/>
      <Description value=""/>
      <NewCmd value="/usr/bin/passwd $*"/>
      <CmdList>
        <a.Cmd value="=~#^(|/usr/bin/)passwd(\\s+|$)#"/>
      </CmdList>
    </Command>
  </Command>
  <TestSuite I.type="0" name="Passwd" I.id="3713">
    <TestSuite I.type="0">
      <Description value=""/>
      <a.TestCase>
        <expected>
          <Command cmd="/usr/bin/passwd jim"/>
          <Authorized value="yes"/>
          <SessionCapture value="yes"/>
          <Exec runAs="root"/>
        </expected>
        <metadata>
          <Logon/>
          <Exec runAs="root"/>
          <Command cmd="/usr/bin/passwd jim"/>
          <Passwd username="yogesh"/>
        </metadata>
      </a.TestCase>
      <a.TestCase>
        <expected>
          <Command cmd="/usr/bin/passwd jim"/>
          <Authorized value="yes"/>
          <SessionCapture value="yes"/>
          <Exec runAs="root"/>
        </expected>
        <metadata>
          <Logon/>
          <Exec runAs="root"/>
          <Command cmd="passwd jim"/>
          <Passwd username="yogesh"/>
        </metadata>
      </a.TestCase>
      <a.TestCase>
        <expected>
          <Authorized value="no"/>
          <Exec runAs="root"/>
        </expected>
        <metadata>
          <Logon/>
          <Exec runAs="root"/>
          <Command cmd="passwd jim"/>
          <Passwd username="deni"/>
        </metadata>
      </a.TestCase>
    </TestSuite>
  </TestSuite>
</Records>

I've also created a test suite that can be used to validate your rules.
In this case I created 3 test cases. See the documentation for more
info on the test suite.

However, here is how you access and use it: Home | Command Control |
from the left nav, Test Suites.

There is one Test Suite called 'Passwd' which contains 3 test cases.
These test cases are run against the current rules to see if they match.
All three should run; however, the 3rd test case should not authorize,
because the submit user 'Deni' is not part of the "Password Group". The
test will say it succeeded, but that's because I said I expected the
'Deni' test case to fail. The Test suite is a great way to validate the
rules you are creating and allows you to test them and validate they are
matching the rule you think they should be.

Good Luck,

Brett

yogesh09021983;12561 Wrote:
> Hi,
>
> I have created many rules, but none of them is working. I have one Linux
> machine (running CentOS) on which I have installed the PUM agent, and I
> am executing my commands on the same machine.
>
> Also, in the reports, the commands for the user are showing as not
> authorised.
>
> Regards,



--
deni
------------------------------------------------------------------------
deni's Profile: https://forums.netiq.com/member.php?userid=1793
View this thread: https://forums.netiq.com/showthread.php?t=2943
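To make Brett's description of the rule walk concrete, here is a small Python model of it. It is an added example, not NetIQ's code and not anything contained in the export above. It evaluates rules top-down with the two stop settings the post describes ('stop' ends the walk whether or not the rule matched; 'stop if authorized' ends it only after a rule that matched and authorized), matches the submit user against a UserGroup and the command against the Password cmd regex from the export, applies the NewCmd rewrite, and replays the three cases of the 'Passwd' test suite. The second rule ('Ls Rule') and the submit user 'net' running 'ls -l' are constructed for the example; reading '$*' in NewCmd as the submitted arguments is an assumption taken from the test suite's expected commands.

```python
import re
from dataclasses import dataclass

# Command definition copied from the export above:
#   <NewCmd value="/usr/bin/passwd $*"/>
#   <a.Cmd value="=~#^(|/usr/bin/)passwd(\\s+|$)#"/>
# "=~#...#" marks a regular-expression match; the body is an ordinary regex, so
# "passwd", "passwd jim" and "/usr/bin/passwd jim" match while "passwdx" and
# "/bin/passwd jim" do not.
PASSWD_CMD = re.compile(r"^(|/usr/bin/)passwd(\s+|$)")
PASSWD_NEW_CMD = "/usr/bin/passwd $*"

PASSWORD_GROUP = {"yogesh"}   # UserList of "Password Group" in the export
EVERYONE = {"*"}              # the built-in "Everyone" group


@dataclass
class Rule:
    name: str
    submit_users: set           # a UserGroup; {"*"} matches any submit user
    cmd_pattern: re.Pattern     # the Command's CmdList entry
    authorize: bool
    run_as: str
    stop: str                   # "stop" or "stop if authorized", as Brett describes them
    new_cmd: str = None         # the Command's NewCmd, or None to run the command unchanged


@dataclass
class Decision:
    authorized: bool = False
    run_as: str = None
    cmd: str = None             # command actually executed (after NewCmd rewriting)
    rule: str = None            # name of the last rule that matched
    visited: tuple = ()         # rules evaluated, in order


def rewrite(new_cmd, submitted):
    """Apply NewCmd: "$*" stands for the submitted arguments (assumption drawn
    from the test suite, which expects "passwd jim" to become "/usr/bin/passwd jim")."""
    args = submitted.split()[1:]
    return new_cmd.replace("$*", " ".join(args)).rstrip()


def evaluate(rules, submit_user, cmd):
    """Walk the rule set top-down and return the decision."""
    d = Decision(cmd=cmd)
    visited = []
    for rule in rules:
        visited.append(rule.name)
        user_ok = rule.submit_users == EVERYONE or submit_user in rule.submit_users
        matched = user_ok and rule.cmd_pattern.search(cmd) is not None
        if matched:
            d.authorized, d.run_as, d.rule = rule.authorize, rule.run_as, rule.name
            d.cmd = rewrite(rule.new_cmd, cmd) if rule.new_cmd else cmd
        # "stop" ends the walk whether or not this rule matched; "stop if
        # authorized" ends it only after a rule that matched and authorized.
        if rule.stop == "stop" or (rule.stop == "stop if authorized" and matched and rule.authorize):
            break
    d.visited = tuple(visited)
    return d


def build_rules(passwd_stop="stop if authorized"):
    """The Passwd Rule from the export, followed by a second rule constructed for
    this example (not in the export): Everyone may run ls as themselves."""
    return [
        Rule("Passwd Rule", PASSWORD_GROUP, PASSWD_CMD, True, "root", passwd_stop, PASSWD_NEW_CMD),
        Rule("Ls Rule", EVERYONE, re.compile(r"^(|/bin/)ls(\s+|$)"), True, "submit user", "stop if authorized"),
    ]


def run_test_suite(rules):
    """The three cases of the 'Passwd' test suite in the export; True means the
    rule set produced the expected Authorized value."""
    cases = [("yogesh", "/usr/bin/passwd jim", True),
             ("yogesh", "passwd jim", True),
             ("deni", "passwd jim", False)]
    return [evaluate(rules, u, c).authorized == want for u, c, want in cases]


def stop_demo(user="net", cmd="ls -l"):
    """The same non-passwd command through a rule set whose first rule says
    "stop" versus "stop if authorized"; returns the two Authorized outcomes."""
    return (evaluate(build_rules("stop"), user, cmd).authorized,
            evaluate(build_rules("stop if authorized"), user, cmd).authorized)


if __name__ == "__main__":
    print("test suite:", run_test_suite(build_rules()))          # [True, True, True]
    print("ls -l with Stop / Stop if authorized:", stop_demo())  # (False, True)
```

With "stop" on the first rule, the user 'net' running 'ls -l' never reaches the Ls Rule and is refused; with "stop if authorized" the walk continues and the Ls Rule authorizes it, which is the behaviour Brett recommends.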


Re: Getting Permission denied in Linux agent


Hey Brett,

Thanks a lot for your efforts. I have tried the commands as you told
and they now work fine.

Now the only problem is, my command control reports are not getting
refreshed. The following error is coming in the unifid.logs file:

Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting SSL connection from 192.168.200.28

(I have installed my framework manager on 192.168.200.28. Could this
be the problem for the logs not refreshing?)

The contents of my log file are as follows:

Tue Jul 17 12:14:13 2012, 273, 716, 1452, Info, secaudit replMembers client:localhost rc:0 status:0 (16ms)
Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, strfwd replMembers client:localhost rc:0 status:0 (0ms)
Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, syslogemit replMembers client:localhost rc:0 status:0 (0ms)
Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, registry svcRegister client:win2k3en-2a6o5d rc:0 status:0(win2k3en-2a6o5d) (172ms)
Tue Jul 17 12:14:13 2012, 289, 488, 1452, Info, Registration successful for win2k3en-2a6o5d to win2k3en-2a6o5d:29120
Tue Jul 17 12:17:44 2012, 617, 2584, 1452, Info, https GET / client:192.168.200.28 rc:0 status:200(OK) (63ms)
Tue Jul 17 12:17:44 2012, 679, 2584, 1452, Info, https GET /LoadFlash.js client:192.168.200.28 rc:0 status:200(OK) (15ms)
Tue Jul 17 12:17:44 2012, 789, 2696, 1452, Info, https GET /fitFlash.js client:192.168.200.28 rc:0 status:200(OK) (0ms)
Tue Jul 17 12:17:44 2012, 789, 2740, 1452, Info, https GET /Help.js client:192.168.200.28 rc:0 status:200(OK) (0ms)
Tue Jul 17 12:17:49 2012, 226, 2740, 1452, Info, https GET /favicon.ico client:192.168.200.28 rc:0 status:404(Not Found) (16ms)
Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting SSL connection from 192.168.200.28


Regards,
Yogesh


--
yogesh09021983
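A small parser for the unifid.log lines quoted in this post, added here as an example; it is not part of the thread and not NetIQ's tooling. It splits each record into its fields (the three numeric columns are kept as opaque integers, since the page does not say what they are), pulls out the "Error (N) accepting SSL connection from <peer>" events, and counts them per peer alongside the https requests that same peer completed. The sample log is constructed from the post's excerpt with the forum's line wrapping undone.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: records from the unifid.log excerpt in the post above,
# one record per line (the forum wrapped them).
SAMPLE_LOG = """\
Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, registry svcRegister client:win2k3en-2a6o5d rc:0 status:0(win2k3en-2a6o5d) (172ms)
Tue Jul 17 12:14:13 2012, 289, 488, 1452, Info, Registration successful for win2k3en-2a6o5d to win2k3en-2a6o5d:29120
Tue Jul 17 12:17:44 2012, 617, 2584, 1452, Info, https GET / client:192.168.200.28 rc:0 status:200(OK) (63ms)
Tue Jul 17 12:17:44 2012, 679, 2584, 1452, Info, https GET /LoadFlash.js client:192.168.200.28 rc:0 status:200(OK) (15ms)
Tue Jul 17 12:17:49 2012, 226, 2740, 1452, Info, https GET /favicon.ico client:192.168.200.28 rc:0 status:404(Not Found) (16ms)
Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting SSL connection from 192.168.200.28
"""

SSL_ACCEPT_ERR = re.compile(r"^Error \((\d+)\) accepting SSL connection from (\S+)$")
HTTPS_REQ = re.compile(r"^https (\S+) (\S+) client:(\S+) rc:(-?\d+) status:(\d+)")


def parse_line(line):
    """Split one record into timestamp, three numeric columns (their meaning is
    not given on the page, so they are kept as ints), level and message.
    Returns None for a line that does not have that shape."""
    parts = line.rstrip("\n").split(", ", 5)
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0], "%a %b %d %H:%M:%S %Y")
        cols = tuple(int(p) for p in parts[1:4])
    except ValueError:
        return None
    return {"ts": ts, "cols": cols, "level": parts[4], "msg": parts[5]}


def triage(log_text):
    """Per peer: SSL accept failures keyed by error code, and the number of
    https requests the same peer had served, so the failing peer can be
    compared with the Framework Manager's address."""
    ssl_errors = defaultdict(Counter)
    https_by_client = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = SSL_ACCEPT_ERR.match(rec["msg"])
        if m:
            ssl_errors[m.group(2)][int(m.group(1))] += 1
            continue
        m = HTTPS_REQ.match(rec["msg"])
        if m:
            https_by_client[m.group(3)] += 1
    return {"ssl_errors": {peer: dict(c) for peer, c in ssl_errors.items()},
            "https_by_client": dict(https_by_client)}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for peer, codes in summary["ssl_errors"].items():
        served = summary["https_by_client"].get(peer, 0)
        print(f"{peer}: SSL accept errors {codes}, https requests served {served}")
```

Note that the SSL accept failure is written at level Info, so filtering the log on level alone will not surface it; match on the message text as above, and check the reporting peer against the address the Framework Manager runs on.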


Re: Getting Permission denied in Linux agent


Yogesh,

What do you mean that your 'command control reports are not getting
refreshed'?

Are you stating that your authorized sessions and keystrokes are not
showing up in Reporting?

- Brett


yogesh09021983;13023 Wrote:
> Hey Brett,
>
> Thanks a lot for your efforts. I have tried the commands as you told
> and they now work fine.
>
> Now the only problem is, my command control reports are not getting
> refreshed. The following error is coming in the unifid.logs file:
>
> Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting SSL connection from 192.168.200.28
>
> (I have installed my framework manager on 192.168.200.28. Could this
> be the problem for the logs not refreshing?)
>
> The contents of my log file are as follows:
>
> Tue Jul 17 12:14:13 2012, 273, 716, 1452, Info, secaudit replMembers client:localhost rc:0 status:0 (16ms)
> Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, strfwd replMembers client:localhost rc:0 status:0 (0ms)
> Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, syslogemit replMembers client:localhost rc:0 status:0 (0ms)
> Tue Jul 17 12:14:13 2012, 289, 716, 1452, Info, registry svcRegister client:win2k3en-2a6o5d rc:0 status:0(win2k3en-2a6o5d) (172ms)
> Tue Jul 17 12:14:13 2012, 289, 488, 1452, Info, Registration successful for win2k3en-2a6o5d to win2k3en-2a6o5d:29120
> Tue Jul 17 12:17:44 2012, 617, 2584, 1452, Info, https GET / client:192.168.200.28 rc:0 status:200(OK) (63ms)
> Tue Jul 17 12:17:44 2012, 679, 2584, 1452, Info, https GET /LoadFlash.js client:192.168.200.28 rc:0 status:200(OK) (15ms)
> Tue Jul 17 12:17:44 2012, 789, 2696, 1452, Info, https GET /fitFlash.js client:192.168.200.28 rc:0 status:200(OK) (0ms)
> Tue Jul 17 12:17:44 2012, 789, 2740, 1452, Info, https GET /Help.js client:192.168.200.28 rc:0 status:200(OK) (0ms)
> Tue Jul 17 12:17:49 2012, 226, 2740, 1452, Info, https GET /favicon.ico client:192.168.200.28 rc:0 status:404(Not Found) (16ms)
> Tue Jul 17 12:18:18 2012, 320, 2740, 1452, Info, Error (5) accepting SSL connection from 192.168.200.28
>
>
> Regards,
> Yogesh



--
deni
