
Re: [FW-1] Administrator's permission required for the management server (on Linux 7.2)



Hi Changguan,

        Maybe you should try to put

        # Running Check Point environment script
        . /opt/CPshared/5.0/tmp/.CPprofile.sh

        inside your .profile.

        It seems to me that your path may not be complete (I know
cpconfig is under /opt/CPshared/5.0/bin/, but if you look at
/opt/CPshared/5.0/tmp/.CPprofile.sh you will see that this is not
complete: LIB_PATHS, etc.).

        The other thing is the permissions...
        Please check the permissions for /opt, /opt/CPshared,
/opt/CPshared/5.0, /opt/CPshared/5.0/bin and, lastly, the "exec" files.
        Do the same for CPfw1-50.
        What you should see is something like this under
/opt/CPshared/5.0/bin:
-rwxr-xr-x   1 root     other     333552 Aug  1 10:56 cpconfig
        Here you have permission settings for root (read, write, execute),
group other (read, execute) and everyone else (read and execute).
        If you have it like this and you are loading .CPprofile.sh/.csh,
there is no reason it won't work.

        For security reasons, during firewall installation, when it asks you
whether to set group permissions or not, and in the case you choose to set
a group and, for example, you set it to the fwadmin group:

        1. You should have the fwadmin group already created before you do
this setting.
        2. If the group is created you should have the following after the
installation is completed:
-rwxr-xr-x   1 root     other     333552 Aug  1 10:56 cpconfig
        3. If you don't get this, don't be afraid (if anyone has anything
against it please tell me) to do:

# under /opt
$ chown -R root:fwadmin CPshared
$ chown -R root:fwadmin CPfw1-50
# under /opt/CPshared/5.0/bin
$ chmod g+x *
# under /opt/CPfw1-50/bin
$ chmod g+x *

        The last two are just to be done in the case you see something
like this:
-rwx------   1 root     "group"     333552 Aug  1 10:56 cpconfig
        Which I believe will not be the case, but it's kind of a double
check.

        4. You're done.

Try it; if you want, you can write down the old ownerships CP had set
before this change, but it's your choice.

Hope it helps.

Regards,

Carlos Santos
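
A way to verify the ownership and permission chain described above, as an added example that is not part of the original post or of Check Point's tooling: a POSIX shell script that walks every directory component down to a binary and reports the first one a member of a given group cannot traverse or execute (the "Permission denied" case, as opposed to "command not found", which is a PATH problem). It assumes GNU coreutils (stat -c); the group name fwadmin comes from the reply, while the demo tree, the temp directory and the use of the caller's own primary group in the fwadmin role are constructed for the example, since an unprivileged run cannot create a group or chown to root.

```sh
#!/bin/sh
# Added example; not code from the original post or from Check Point.
# Walks the ownership/permission chain the reply says to check (/opt,
# /opt/CPshared, /opt/CPshared/5.0, /opt/CPshared/5.0/bin, then the binary)
# and reports the first component a member of a given group cannot traverse
# or execute. Assumes GNU coreutils: stat -c '%A %U %G' prints e.g.
# "-rwxr-xr-x root other". The group name fwadmin is the one used in the reply.

# component_ok SYMBOLIC_MODE FILE_GROUP WANTED_GROUP
# True when a non-owner member of WANTED_GROUP has the execute/traverse bit:
# either via "other" (x, or t on a sticky directory), or via the group bits
# (x, or s for setgid) when the file's group is WANTED_GROUP.
component_ok() {
    sym=$1 fgroup=$2 want=$3
    case $sym in
        ?????????[xt]*) return 0 ;;        # char 10: other execute
    esac
    if [ "$fgroup" = "$want" ]; then
        case $sym in
            ??????[xs]???*) return 0 ;;    # char 7: group execute
        esac
    fi
    return 1
}

# check_exec_chain GROUP ABS_PATH [BASE]
# Checks every component of ABS_PATH below BASE (default: the filesystem
# root, so everything is checked). Returns 0 when GROUP can reach and run
# ABS_PATH, 1 on the first blocking component (printed), 2 if stat fails.
check_exec_chain() {
    want=$1 target=$2 cur=${3:-}
    rest=${target#"$cur"}
    rest=${rest#/}
    while [ -n "$rest" ]; do
        seg=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        cur="$cur/$seg"
        info=$(stat -L -c '%A %U %G' "$cur") || return 2
        set -- $info                       # $1=mode $2=owner $3=group
        if ! component_ok "$1" "$3" "$want"; then
            echo "BLOCKED at $cur ($1 $2:$3): no execute/traverse bit for group $want"
            return 1
        fi
    done
    echo "OK: members of $want can execute $target"
    return 0
}

# demo_fix
# Reproduces the "-rwx------ cpconfig" case from the reply on a constructed
# stand-in tree under a temp directory. Unprivileged, we cannot create an
# fwadmin group or chown to root, so the group the new file gets plays the
# fwadmin role and the temp directory's own parents are skipped via BASE.
# Returns 0 when chmod g+x on the binary turns BLOCKED into OK.
demo_fix() {
    root=$(mktemp -d) || return 2
    bin="$root/opt/CPshared/5.0/bin"
    mkdir -p "$bin"
    printf '#!/bin/sh\necho cpconfig\n' > "$bin/cpconfig"
    chmod 755 "$root/opt" "$root/opt/CPshared" "$root/opt/CPshared/5.0" "$bin"
    chmod 700 "$bin/cpconfig"              # the state the reply warns about
    grp=$(stat -c '%G' "$bin/cpconfig")    # stands in for fwadmin here
    if check_exec_chain "$grp" "$bin/cpconfig" "$root"; then
        rm -rf "$root"; return 1           # should have been BLOCKED
    fi
    chmod g+x "$bin/cpconfig"              # the fix from the reply
    if check_exec_chain "$grp" "$bin/cpconfig" "$root"; then rc=0; else rc=1; fi
    rm -rf "$root"
    return $rc
}

# Audit a real install (run as root), e.g.:
#   check_exec_chain fwadmin /opt/CPshared/5.0/bin/cpconfig
#   for f in /opt/CPfw1-50/bin/*; do check_exec_chain fwadmin "$f"; done
```

On a real management server, run it as root against /opt/CPshared/5.0/bin/cpconfig and each file under /opt/CPfw1-50/bin before and after the chown/chmod above. The check covers only traversal and execution bits for a non-owner: it says nothing about what root can do, and it does not confirm that the user is actually a member of the group (check that with id), so a user who is not in fwadmin still gets "Permission denied" even when every component passes.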

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Fan,
Changguan
Sent: Tuesday, 3 December 2002 16:00
To: [email protected]
Subject: Re: [FW-1] Administrator's permission required for the
management server (on Linux 7.2)


Carlos,

Yes, I have set the following:
- PATH=$PATH:/opt/CPshared/5.0/bin
- CPDIR=/opt/CPshared/5.0
- FWDIR=/opt/CPfw1-50

When I tried to run:
$cpconfig

I got error:
bash: cpconfig: command not found

When I tried
$/opt/CPshared/5.0/bin/cpconfig

I got the following error:
bash: /opt/CPshared/5.0/bin/cpconfig: Permission denied

The main thing seems to be a permission problem. The /opt/CPshared/5.0/bin
is owned by root.

Thanks
Changguan

-----Original Message-----
From: Carlos Santos [mailto:[email protected]]
Sent: Tuesday, December 03, 2002 3:38 AM
To: [email protected]
Subject: Re: [FW-1] Administrator's permission required for the
management server (on Linux 7.2)
Importance: High


Hi Changguan,

Have you set the full bin PATHs of the FW in the user's profile?

Regards,

Carlos Santos

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Fan,
Changguan
Sent: Monday, 2 December 2002 20:58
To: [email protected]
Subject: [FW-1] Administrator's permission required for the management
server (on Linux 7.2)


I have a question about the administrator's permission on a management
server installed on a Linux 7.2 platform.

We have CP NG distributed installation. The management server is
installed on Linux 7.2. I have two questions.

1. Can we set up the management server so that a non-superuser can run
the utilities, such as cpconfig, on the management server?

2. When I run cpconfig, I can set a group permission. The document says:
"Normally a VPN/FireWall Module is given group permission for access and
execution. You can name such a group or instruct the installation
procedure to give no group permissions to the VPN/FireWall Module. In the
latter case, only the Super-User will be able to access and execute the
VPN/FireWall Module."

It looks like setting the group permission will allow the group to run
utilities, such as cpconfig, without the root permission. I tried and it
did not work. I did the following:

a. logon as root and run cpconfig
b. set group permission to the "Firewall" group.
c. create a user account in the Firewall group.
d. logout root and logon as the new user
e. try to run cpconfig and it failed.

Does the group permission affect anything I do on the management server?

_____________________________
Changguan Fan,IT Flex Services, Intel Corp.,
Chandler, AZ 85226-3699
<mailto:[email protected]>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



WhatEverNet Computing, S.A.                http://www.whatevernet.com
Praça de Alvalade, no. 6 - 6th floor       Tel: +00
1700-036 Lisboa, PORTUGAL                  Fax: +42
_____________________________________________________________________
                      INTERNET MAIL FOOTER
---------------------------------------------------------------------
Privileged or confidential information may be contained in this message.
If you are not the addressee indicated in this message, you may not copy
or deliver this message to anyone. In such case, you should destroy this
message and kindly notify the sender by reply email.
---------------------------------------------------------------------
