The Setuid/no-password feature in the UNIX Skybot Agent.
When the Skybot Agent is installed, one of the programs included is a binary called 'nopwd'. If a customer wants to enable the 'no-password' feature, the root user has to run a script called 'allownopwd.sh'. That script performs two actions:
- Enables the program to use 'setuid' to become any user on the system
- Requires the program to be invoked by the Agent's PID and Process Group ID
Thus, this feature has to be enabled (and re-enabled) each time the Agent process is cold-started; an 'autostart' script is available to make that process easier.
When a 'no-password' job is started by the Agent, a sub-process is created which invokes the 'nopwd' program, and that program performs the switch to the other user. After that, the Agent issues the job's commands to that sub-process, and the job runs.
The autostart.sh script may be used to start and stop the Skybot Server or Agent. It is expected to be run by the root user.
This script uses the name by which it was invoked to determine whether it should control the server or the agent.
Basically, when the script is renamed, or linked to, under one of the following filenames it behaves differently:
- If the script name (or symbolic link name) contains the string
o 'Server' (in any case), such as skybotServer.sh, then it will be used to start and stop the Skybot Server.
o 'Agent' (in any case), such as skybotAgent.sh, then it will be used to start and stop the Skybot Agent.
- If the name also contains the string 'nopwd' (in any case), such as nopwd_skybotAgent.sh, then when the agent is started with this script it also runs the allownopwd.sh script to allow the setuid functionality.
In practice, a symbolic link to the autostart.sh script, named according to one of the options above, is placed in the init startup scripts area and is used by the UNIX/Linux operating system when the system is started, shut down or rebooted.
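The name-based dispatch described above, written out as an added example (this is not Skybot's own autostart.sh); the start/stop commands, the point at which allownopwd.sh is called and the usage text are assumptions, since the page gives no install paths:

```shell
#!/bin/sh
# Added example, not the Skybot product's own autostart.sh script.
# Chooses what to control from the name the script was invoked by ($0,
# i.e. the symbolic link name), following the rules in the text:
#   *server* -> Skybot Server, *agent* -> Skybot Agent (matched in any case),
#   and a name that also contains "nopwd" runs allownopwd.sh after the Agent
#   has started, because the setuid grant is tied to the new Agent PID/PGID.

# Lowercase a string so that "in any case" matching works in plain sh.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# classify_invocation NAME -> prints "<target> <nopwd>", where target is
# server, agent or unknown and nopwd is yes or no.
classify_invocation() {
    name=$(lc "$(basename "$1")")
    target=unknown
    case "$name" in
        *server*) target=server ;;
        *agent*)  target=agent ;;
    esac
    nopwd=no
    case "$name" in
        *nopwd*) nopwd=yes ;;
    esac
    printf '%s %s\n' "$target" "$nopwd"
}

# control NAME ACTION -> performs start|stop for the classified target.
# The echo lines stand in for the real start/stop commands and the call to
# allownopwd.sh; the page gives no install paths, so they are placeholders.
control() {
    set -- $(classify_invocation "$1") "$2"   # now: $1=target $2=nopwd $3=action
    case "$1-$3" in
        server-start) echo "starting Skybot Server" ;;
        server-stop)  echo "stopping Skybot Server" ;;
        agent-start)
            echo "starting Skybot Agent"
            # Re-apply the setuid grant only when the link name asks for it.
            if [ "$2" = yes ]; then echo "running allownopwd.sh as root"; fi ;;
        agent-stop)   echo "stopping Skybot Agent" ;;
        *) echo "usage: invoke as [nopwd_]skybot{Server,Agent}.sh start|stop" >&2
           return 2 ;;
    esac
}

# Dispatch only when an action was given, so the file can also be sourced.
[ $# -eq 0 ] || control "$0" "$1"
```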