TN0092

What does 'InstallAsRoot' Really Mean?

CD/OSS
Applications Support


Abstract:

Some FUE products require "special privileges" when being installed. The convention in use is that the privileged portion of the installation procedure be invoked by logging in as root and issuing the command

	$ ups installAsRoot <product> <version>
(or a similar variant). But often, due to system configuration and/or security issues, being root is not enough. This document describes what is expected and/or required by products when they need "special privileges".

The Problem.

Certain FUE products need "special configuration" which can only be performed by a suitably privileged account. Examples include:

python, perl
    require files and symlinks be created in /usr/local/bin for the convenience of users and system administrators (so that perl and python are always accessible, even if not previously set up).
tcsh, bash
    require files be copied to /usr/local/bin with proper permissions and ownership (for security reasons).
ssh
    requires configuration files and binaries be copied to system areas.
kerberos
    requires configuration files and binaries be copied to system areas; also requires suid on certain files under the product area $KERBEROS_DIR itself.
systools
    requires suid permissions be set on various cmd plug-in scripts under the $PRODUCTS area.

On many systems, /usr/local and/or the $PRODUCTS area are NFS-mounted. For security, these areas may not, in fact, be writeable by the root account on the node where the product installation is taking place.


The Solution.

It is safe to assume that, if a product requires a special installation command similar to

	$ ups installAsRoot <product> <version>
you will be required to have full write access to the following locations:
  1. /usr/local
    Scripting languages, local utilities, and certain security tools will require symlinks and/or files under /usr/local/bin (or /usr/local/etc). Bear in mind that in a mixed-platform cluster, /usr/local will typically comprise a set of directories, one for each type of system.

  2. $PRODUCTS
    More accurately, root may need to write/modify configuration and/or log files under the area where products are installed. This is determined by the system's upd configuration, usually found in the file $PRODUCTS/.updfiles/updconfig.

  3. Local system disk.
    Security tools, system administration tools, web servers, etc., may need to write configuration files into system areas such as /etc/, /var, etc.

If access to other areas is required, it will be noted in the product's README or INSTALL_NOTE files. (In any case, these files should always be read before a product is installed.)

Note that in AFS file systems, root access is usually insufficient to guarantee write access. At present, however, there are no products known to require an admin token for their installAsRoot actions.

The steps to take in order to ensure that the areas listed above are writeable will vary depending on the particular configuration of each system, and are left as an exercise for the system administrator.
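
One way to confirm, before running ups installAsRoot, that the areas listed above really are writeable from the install node. This is an added example, not part of the original note or of ups/upd; the function names and the probe file name are assumptions. It only tests access and does not change any configuration.

```shell
#!/bin/sh
# Added example: pre-flight probe for the locations installAsRoot writes to.
# Function names and the probe file name are illustrative, not part of ups/upd.

# probe_dir DIR -> prints one of: ok | missing | not-writeable | owner-remapped
probe_dir() {
    p_dir=$1
    if [ ! -d "$p_dir" ]; then echo missing; return 1; fi
    # Really create a file: being uid 0 says nothing about what an NFS or AFS
    # server will allow, so only an actual create attempt is conclusive.
    p_file=$(mktemp "$p_dir/.installAsRoot-probe.XXXXXX" 2>/dev/null) || {
        echo not-writeable; return 1; }
    # A file that lands under another uid (e.g. root mapped to an anonymous
    # user by the file server) cannot be given the ownership a product needs.
    p_owner=$(ls -ln "$p_file" | awk '{print $3}')
    rm -f "$p_file"
    if [ "$p_owner" != "$(id -u)" ]; then echo owner-remapped; return 1; fi
    echo ok
}

# preflight DIR... -> reports each directory, returns non-zero if any failed
preflight() {
    pf_failed=0
    for pf_dir in "$@"; do
        pf_result=$(probe_dir "$pf_dir") || pf_failed=1
        printf '%-16s %s\n' "$pf_result" "$pf_dir"
    done
    return "$pf_failed"
}

# Run as root on the install node, e.g.:
#   sh preflight.sh /usr/local/bin /usr/local/etc "$PRODUCTS" /etc /var
if [ "$#" -gt 0 ]; then
    preflight "$@" || exit 1
fi
```

In a mixed-platform cluster, run it once on each type of system, since /usr/local will differ between them.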


This document was created in April 2000 by llc.