...
```bash
# stop services while we make this change:
sudo /usr/local/omk/bin/checkomkdaemons.sh stop;

# Add approved users, such as nmis, to omkadmin group as needed:
sudo usermod -a -G omkadmin nmis;

# this directory exists on the OMK NMIS9 VM:
OMK_DIR=/data/omk

# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;
# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;
# Set scripts executable by user and group:
# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;
# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;

OMK_DIR=/usr/local/omk

# These commands are exactly as for /data/omk:
# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;
# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;
# Set scripts executable by user and group:
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;

# The following commands should be executed after any of the above commands
# to ensure PAR directory structure is re-created with PAR's own permissions set:

# Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root.
# This is a more secure implementation of the Linux /tmp/ directory implementation,
# which also uses sticky bit, but with chmod 1777:
sudo chmod 1700 "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}";

# Delete existing PAR subdirectories as we may have set incorrect permissions on this
# directory structure when executing the previous commands.
# The PAR subdirectories are re-created automatically by PAR upon being deleted
# (at execution of any PAR script exe by that user):
sudo rm -rf "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}"/*;
```
Info |
---|
A good check that PAR is working as intended is that a normal user can execute OMK PAR exe scripts (other than those scripts that explicitly require execution by sudo with elevated permissions) and that no directories matching the pattern /tmp/par-*/ are found. This assumes that the environment variable "$PAR_GLOBAL_TMPDIR" points to an existing and user-accessible directory. |
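
The ownership and modes set by the commands above, and the /tmp/par-*/ condition from the Info note, can be confirmed with a read-only audit. This script is an added example and is not part of the original page or of OMK; the function names, the finding labels, the optional owner/group and tmp-root arguments and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Read-only audit of the permission scheme above. Function names, the OWNER/GROUP
# and TMP_ROOT arguments and the demo tree are assumptions of this added example.

# audit_omk_tree DIR [OWNER] [GROUP]: one line per deviation, nothing when clean.
audit_omk_tree() {
    dir=$1 owner=${2:-omkadmin} group=${3:-omkadmin}
    [ -d "$dir" ] || { echo "MISSING $dir"; return 0; }
    # chown -R omkadmin:omkadmin
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -exec echo OWNER {} \;
    # directories 0770
    find "$dir" -type d ! -perm 0770 -exec echo DIRMODE {} \;
    # files under script/ and bin/ 0770, every other file 0660
    find "$dir" -type f \( -path "$dir/script/*" -o -path "$dir/bin/*" \) \
        ! -perm 0770 -exec echo EXECMODE {} \;
    find "$dir" -type f ! -path "$dir/script/*" ! -path "$dir/bin/*" \
        ! -perm 0660 -exec echo FILEMODE {} \;
}

# audit_par_tmp PAR_DIR [TMP_ROOT]: sticky bit on PAR_DIR, no par-* dirs in TMP_ROOT.
audit_par_tmp() {
    par_dir=$1 tmp_root=${2:-/tmp}
    if [ ! -d "$par_dir" ]; then
        echo "NOPARDIR $par_dir"
    elif [ ! -k "$par_dir" ]; then
        echo "NOSTICKY $par_dir"
    fi
    for d in "$tmp_root"/par-*/; do
        [ -d "$d" ] && echo "STRAY $d"
    done
    return 0
}

# Constructed tree with three deliberate deviations, so the audit has findings.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/omk/bin" "$t/omk/conf" "$t/par" "$t/tmp/par-6e6d6973"
    : > "$t/omk/bin/tool"; : > "$t/omk/conf/app.conf"
    chmod 0770 "$t/omk" "$t/omk/bin" "$t/omk/conf" "$t/omk/bin/tool"
    chmod 0664 "$t/omk/conf/app.conf"   # deviation: readable by others
    chmod 0700 "$t/par"                 # deviation: sticky bit missing
    set -- $(ls -ldn "$t/omk")          # $3/$4 = numeric uid/gid of the demo tree
    audit_omk_tree "$t/omk" "$3" "$4"
    audit_par_tmp "$t/par" "$t/tmp"     # third deviation: stray par-* directory
    rm -rf "$t"
}
case "${1:-}" in demo) demo ;; esac
# On a real host, as root: audit_omk_tree /data/omk; audit_omk_tree /usr/local/omk;
# audit_par_tmp "$PAR_GLOBAL_TMPDIR"
```

Empty output from both functions means the tree matches the scheme; run the audit as root so that `find` can descend into the 0770 directories.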