How do I restrict Owner running as Root ?
My Control-M Server is a Windows box. I have a UNIX server loaded as an agent. How can I restrict an owner from running as root? There are restrictions on running their scripts with their ID, but if they change the owner name to root, they can submit anything. I added owner IDs in the owner authentication window, but it doesn't matter when root is added in the owner field.
The best way to restrict this is via the ctmsec utility on the server. You have to switch Control-M Server security 'on' via the main settings menu and then use the ctmsec utility to allow access to specific userids.
Depending on the number of users you have this could be a lot of work, but it is worth it in the end. The easiest way is to define groups (if lots of users have similar needs). You can also use wildcards, which is helpful and the node can be specified if needed (i.e. you could allow them access as root on one server but not on another).
Some sites don't bother with the Control-M Server security; it does involve lots of work initially, but I always think it's a good idea.
Hi.
Another option would be to invoke the Job Submission Exit (CTMUE102).
This would need to call a script that checks the owner field of the job as it passes through the internal reader before it hits the queue. If it finds an owner = root, then change it to something else. The Control-M Server guide has a sample exit script to do this, but it's for UNIX, so you would need to rework this for Windows.
This would be quick and simple.
Graham H
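The owner check described in the reply above, as an added example that is not part of the original thread and is not the sample script from the Control-M Server guide. It assumes the exit is handed the path of a text file with one `KEYWORD value` pair per line, including an `OWNER` line; confirm the real format in the guide. The deny list and the fallback owner `nobody` are hypothetical site choices.

```python
"""Owner check for a job-submission exit (added example; input format assumed)."""
import os
import sys
import tempfile

# Assumptions, not taken from the Control-M documentation: the exit receives
# the path of a text file with one "KEYWORD value" pair per line, and the
# owner is on the OWNER line. Both values below are hypothetical site choices.
DENIED_OWNERS = {"root", "administrator"}
FALLBACK_OWNER = "nobody"


def sanitize_owner(lines, denied=DENIED_OWNERS, fallback=FALLBACK_OWNER):
    """Return (new_lines, replaced_owners) with denied owners swapped out."""
    out, replaced = [], []
    for line in lines:
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the original line ending
        parts = body.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "OWNER":
            owner = parts[1].strip()
            # Case-insensitive match: stricter than UNIX needs, but harmless.
            if owner.lower() in denied:
                replaced.append(owner)
                body = f"{parts[0]} {fallback}"
        out.append(body + eol)
    return out, replaced


def rewrite_job_file(path):
    """Rewrite the job file in place; return the owners that were replaced."""
    with open(path, "r", newline="") as fh:
        lines = fh.readlines()
    new_lines, replaced = sanitize_owner(lines)
    if replaced:
        # Write a temp file in the same directory, then swap it in atomically,
        # so a crash never leaves a half-written job definition behind.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(fd, "w", newline="") as fh:
            fh.writelines(new_lines)
        os.replace(tmp, path)
    return replaced


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: owner_exit.py <job-file>")
    for owner in rewrite_job_file(sys.argv[1]):
        print(f"owner {owner!r} replaced with {FALLBACK_OWNER!r}", file=sys.stderr)
```

Logging each replacement to stderr leaves a trace of who tried to submit as a denied owner, which is worth reviewing alongside the rewrite itself.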
- th_alejandro
About security
Hi Hubba, my recommendation is not to run jobs as root. This user must be used only by the administrator of the UNIX infrastructure. It is very dangerous to give this super power user to common users.
Please try to 'organize' your security policies before trying to restrict the root user.