
Technical Notes

Running Verastream Using a Root or Non-Root UserID
Technical Note 10016
Last Reviewed 14-Aug-2008
Applies To
Verastream Host Integrator version 6.0 or higher
Summary

When installing Verastream Host Integrator on UNIX-based systems, such as UNIX/Linux, Solaris, or AIX, you must be logged in to the system as root. After installation, the Verastream processes typically run under the root userID. This technical note explains this requirement and provides a potential alternative.

Note: AIX support is available in version 6.5 or higher (not in version 6.0). For additional information about what operating systems are supported in different versions of Verastream Host Integrator, see Technical Note 10030.

For further information about installing this product, download the Verastream Host Integrator Installation Guide from the Solution Library at http://support.attachmate.com/manuals/vsdocs.html.

Note: Before you can download this file, you must enter your volume purchase account (VPA) number for your Verastream Host Integrator product.

Why Verastream Uses UserID Root

The installation documentation states that you should be logged in to the system as root when installing Host Integrator, and that the Verastream processes are subsequently run as root. Root access is used for the following reasons:

  • Directory creation. The installation creates a new directory in the host's /etc, /opt, /usr, or /usr/local directory, depending on the UNIX/Linux system. Only root can write to these directories. The Verastream daemons are installed here and run as root processes.
  • Threads. To increase concurrency, Host Integrator utilizes a large number of threads. On some systems, such as recent versions of the Linux kernel, threads are treated like processes, and non-root processes are limited to 256 threads.
  • Shared memory. Host Integrator may require a large number of shared memory segments. On some hosts, the number of shared memory segments available to non-root processes is limited.
  • Authentication. When Host Integrator security is enabled, authentication by the AADS process uses a UNIX security API. This API is only available to processes running with root permissions.

Using a Non-Root UserID

If your corporate security protocol requires that you not run processes as root whenever possible, you may be able to run the Verastream processes with a non-root account. There is nothing inherent to the Verastream software design that requires Verastream to run as root; however, to run as non-root, resource restrictions of the host operating system may need to be modified.

Considerations

Before attempting to configure Verastream to run as non-root, it is important to note the following:

  • Only limited testing has been performed on running Verastream under a non-root userID.
  • Depending on your host operating system and current configuration, you may need to adjust host parameters as noted in the prior section, Why Verastream Uses UserID Root. The points listed there may not include all modifications you will need to make for Verastream to run as non-root in your host environment.
  • If Host Integrator security is enabled in Administrative WebStation, the Host Integrator AADS process must run as root. (The other Verastream processes can run as non-root.)

Configuring Sun Solaris for Verastream using a Non-Root UserID

Theoretically, you should be able to configure any host so that Verastream can run as a non-root process. The following steps have been successfully used to run Verastream as a non-root daemon on Sun Solaris 7 (SunOS 5.7) and Solaris 8 (SunOS 5.8) systems.

Note: These steps are specific to the Sun Solaris operating system; however, you may be able to use them as a starting point when configuring other operating systems to run with Verastream using a non-root UserID. Additional configuration steps, different command syntax, and different directory and file names may be required when configuring different operating systems, such as Linux, HP-UX, and AIX.

Changing Verastream to Run as a Non-Root Process

  1. Install Verastream as described in the Verastream Host Integrator Installation Guide.
  2. Log in to the host as root.
  3. On the host, create a new user and group to be used for running Verastream. For example, user "vhiuser" and group "vhigroup."
  4. Change the ownership of all Verastream files and directories to the new Verastream user and group. For example:
         chown -R vhiuser:vhigroup /etc/vhi
  5. Use the atstart command to stop all Verastream components.
    1. Enter the following command to determine the current status of Verastream:
           /etc/vhi/bin/atstart -status
    2. Enter the following command to stop Verastream:
           /etc/vhi/bin/atstart -stop all
    3. To verify that Verastream has been stopped, re-issue the atstart -status command:
           /etc/vhi/bin/atstart -status
  6. Log out as root.

Verifying that Verastream can be Run as a Non-Root Process

  1. Log in using the Verastream user account established in step 3, above.
  2. Enter the following commands to verify that the Verastream components can be successfully started by the non-root account:
         /etc/vhi/bin/atstart -start all
         /etc/vhi/bin/atstart -status

     All installed components should show a status of "Started".

  3. Verify that the services are actually running under the non-root account:
         ps -aef | grep vhi

The host response should look similar to the following:

     
    UID      PID   PPID  ...  CMD
    vhiuser  349   1     ...  /etc/vhi/bin/atstart -start logMgr
    vhiuser  352   349   ...  /etc/vhi/jre/bin/../bin/sparc/native_threads/vhi-logmgr -native -Djava.library
    vhiuser  402   1     ...  /etc/vhi/bin/atstart -start AADS
    vhiuser  403   402   ...  /etc/vhi/jre/bin/../bin/sparc/native_threads/vhi-aads -native -Djava.library.pa
    vhiuser  419   1     ...  /etc/vhi/bin/atstart -start Server
    vhiuser  420   419   ...  /etc/vhi/bin/sesssrvr
    vhiuser  422   1     ...  /etc/vhi/bin/atstart -start WebStation
    vhiuser  423   422   ...  /etc/vhi/jre/bin/../bin/sparc/native_threads/vhi-webstation -native -Djava.libr
    vhiuser  437   1     ...  /etc/vhi/bin/atstart -start HostEmul
    vhiuser  438   437   ...  /etc/vhi/jre/bin/../bin/sparc/native_threads/vhi-hostemul -native -Djava.librar
    vhiuser  1970  1968  ...  grep vhi
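
The ps check above can be scripted so that a Verastream process left running as root is reported instead of being overlooked in the listing. This is an added example, not part of the original technical note or the product; the function names check_vhi_owner and sample_ps are hypothetical, and the sample ps lines are constructed. The optional second argument covers the case from Considerations where AADS must stay root because Host Integrator security is enabled.

```shell
#!/bin/sh
# Added example, not Attachmate code. Assumes a POSIX awk (nawk on Solaris)
# and the note's install path /etc/vhi; function names are hypothetical.

# check_vhi_owner EXPECTED_USER [ROOT_OK_REGEX]
# Reads `ps -ef` output on stdin and prints "uid pid cmd" for every process
# started from /etc/vhi/ that is not owned by EXPECTED_USER.
# ROOT_OK_REGEX names commands that may stay root (AADS with security on).
# Returns 0 = all as expected, 1 = offenders found, 2 = no Verastream process.
check_vhi_owner() {
    awk -v want="$1" -v root_ok="${2:-}" '
        {
            # Locate the command by path, not by column: STIME can be
            # "Aug 14" (two fields), which shifts the CMD field number.
            at = index($0, "/etc/vhi/")
            if (at == 0) next            # also skips the header and grep
            cmd = substr($0, at)
            seen++
            if ($1 == want) next
            if ($1 == "root" && root_ok != "" && cmd ~ root_ok) next
            print $1, $2, cmd
            bad++
        }
        END { if (bad) exit 1; if (!seen) exit 2 }
    '
}

# Constructed sample: AADS kept as root, sesssrvr wrongly left as root.
sample_ps() {
    cat <<'EOF'
     UID   PID  PPID  C    STIME TTY      TIME CMD
 vhiuser   349     1  0 10:02:11 ?        0:00 /etc/vhi/bin/atstart -start logMgr
    root   402     1  0 10:02:12 ?        0:00 /etc/vhi/bin/atstart -start AADS
    root   403   402  0   Aug 14 ?        0:01 /etc/vhi/jre/bin/../bin/sparc/native_threads/vhi-aads -native
    root   420   419  0 10:02:14 ?        0:03 /etc/vhi/bin/sesssrvr
 vhiuser  1970  1968  0 10:05:40 pts/1    0:00 grep vhi
EOF
}

# Live use: ps -ef | check_vhi_owner vhiuser 'AADS|vhi-aads'
```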

Creating a Shell Script to Automatically Start Verastream on System Startup

  1. Log in to the host as root.
  2. Create a shell script to start Verastream under the non-root account when the host system is booted. The following sample script is named /etc/init.d/vhinonroot:
         #!/bin/sh
         #This script, run by root, starts Verastream as user vhiuser.

         su vhiuser -c "/etc/init.d/vhi $1"

     Then, use the chmod command to make the script executable for all:

         chmod 711 /etc/init.d/vhinonroot
  3. Delete the Verastream symbolic link that was created during the Verastream installation.
         rm /etc/rc3.d/S99vhi
  4. Create a new symbolic link to run the new shell script. (In this example, the script name is vhinonroot.)
         ln -s /etc/init.d/vhinonroot /etc/rc3.d/S99vhi

When the host system is shut down and restarted, the Verastream processes should be successfully started under the non-root account. To verify that Verastream is running, use the /etc/vhi/bin/atstart -status command. If it is not running, examine the /var/adm/messages file for errors.

Related Technical Notes
10004 Manually Starting and Stopping VHI Services
10054 How to Verify Verastream Servers are Running
40999 Verastream Host Integrator Technical Notes
