I need some help with the following...
We have a computer operator who doesn't have access to root or the ability to use the su command, but we need him to be able to download the /var/adm/sulog file. I noticed that the file currently has 600 permissions on it and doesn't allow anyone to download the file unless they are using the root account.
The objective is to be able to download the file from the AIX system to a Windows server for archival and retrieval purposes. I tried adding the user to the adm directory but he wasn't able to download the file. I also tried setting the permissions on the file to 640 and 660 but he wasn't able to download the file.
Do you guys have any ideas on how to accomplish this task? Do I need to change the permissions on the file and give Other/World permission to the file?
Any help or information would be appreciated.
What you should do is automate that task instead of fiddling with permissions to allow an operator to access one file (which doesn't really scale).
What you can do to give him access:
- You can add him to the sudoers file with the ability to run a single command (cat /var/adm/sulog)
- You can add an ACL to the file that gives him read-only access (see aclget, aclput, acledit) (you may want to do this daily, otherwise the ACL may be lost every time the file rotates)
- You can run a daily script on root's crontab:

    #!/usr/bin/ksh
    # Replace the previous operator copy with a fresh one owned by operator
    [ -r /var/adm/sulog.oper ] && rm -f /var/adm/sulog.oper
    cp /var/adm/sulog /var/adm/sulog.oper
    chown operator /var/adm/sulog.oper

Also, don't use unencrypted FTP. Use SFTP instead.
Thanks for the reply. We are using SFTP for this transfer.
Thank you for the information. This is really good information to have. The issue I have is that the operators use an application to automatically download the file from the system using sftp. I have tried copying and SFTPing the file myself but cannot do it.
I ran a test on the file last night and changed the permissions to 644 and I was able to sftp the file. I wanted to keep the same permissions on the file but I am not sure if this is possible. I sent the information to my manager and am waiting for his approval to change the permissions on that file.
Thanks again for your help.
We have bunches of crontab entries to email stuff (stdout/stderr from command invocations, logs, whatever...) to folks each day.
That's a great idea. I should look into that.
Maybe give him read-only access to back up the data – for other.
I went ahead and tested this last night and it worked. I am just waiting to hear back from my manager to either apply this change or look for another option. Ideally, I would like to create a scheduled job to send the file to the Windows server automatically so that way we don't need to get the computer operators involved.
Thanks for your input. I appreciate it.
Hello everyone,
I forgot to update this question. I was able to get this resolved. I ended up creating a scheduled job in cron where it first changes the permissions on the file and then copies the file to the target folder with a new name. Here is how the scheduled job looks:

    02 00 * * * chmod go+r /var/adm/sulog && scp /var/adm/sulog /TEMP/"000000_SuperUser Log_$(date +\%m\%d\%y)"

I hope this helps someone having the same issue.
Thank you everyone for your help with this question.
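An added example, not part of the thread: a variant of the daily root cron copy suggested in the earlier answer, using the dated file name from the final post, that leaves /var/adm/sulog at mode 600 and publishes a copy readable only by one account. The function name, the script path and the /home/operator directory in the crontab comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Publishes a dated, read-only copy of
# the su log for a single account; the source file's mode is never touched.
# Usage: publish_sulog SRC DEST_DIR OWNER   (prints the path of the copy)

publish_sulog() (
    # The body runs in a subshell, so the umask change and the variables
    # below do not leak into the caller; "exit" sets the function's status.
    src=$1 dest_dir=$2 owner=$3
    stamp=$(date +%m%d%y)            # same date format as the cron job above
    dest="$dest_dir/sulog_$stamp"
    tmp="$dest_dir/.sulog_$stamp.$$"

    [ -r "$src" ] || { echo "cannot read $src" >&2; exit 1; }
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; exit 1; }

    # Create the copy without group/other bits from the first byte, so there
    # is no window in which another local user can read it.
    umask 077
    cp "$src" "$tmp" || { rm -f "$tmp"; exit 1; }

    # Hand the copy to the one account, make it read-only, then rename it
    # into place so the SFTP client never fetches a partial file.
    chown "$owner" "$tmp" && chmod 400 "$tmp" && mv -f "$tmp" "$dest" || {
        rm -f "$tmp"; exit 1
    }
    echo "$dest"
)

# Root crontab entry (path and directory are assumptions):
#   5 0 * * * /usr/local/sbin/publish_sulog.sh /var/adm/sulog /home/operator operator
if [ "$#" -eq 3 ]; then
    publish_sulog "$@"
fi
```
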