wx fg · Jun 2, 2018

How to grant start/stop/restore privilege to a user who is not root


When I log on to Linux as a non-root user and then call ccontrol start/stop cache, it shows no permission.

How do I grant start/stop/restore privilege to a user who is not root?



You could put an entry in /etc/sudoers to allow them to run ccontrol.

This is true, and adding the user to the group to stop and start is the right approach.  However, I wanted to comment on making users members of the cacheusr group, as this has large security implications on most systems.

There are two groups used in a Cache install: one is the set of users allowed to start and stop the instance, the other is an internal tool for managing file access. 

By default, the internal group (the "Effective group for Caché processes") is cacheusr.  No real users should be a member of this group.  The documentation on this page says:  "On a secure system, no actual user should be a member of this group. By default, this group is cacheusr, but you can change the group during installation."  A user who is a member of the cacheusr group will generally be able to alter or delete Cache databases, config files, and binaries at the OS level.  This is a large ability, and one you may not want to hand to users for their standard logins, and instead reserve for cases where they specifically show they mean to do that.

During install, if you chose any setting other than 'minimal' for your initial security settings, you'll be prompted to pick the group to stop and start the instance. I would recommend picking a group other than cacheusr in order to keep these two functions separate. Then you can add the users who you want to be able to start and stop the instance to this different group. Note that changing this group manually, after install, is not recommended.

Thanks. But the error is "set gid failure: Operation not permitted" when I execute "ccontrol stop cache" after I have modified the user's group to cacheusr.

When Caché was installed, a group was defined for users who may stop/start/restart it (most likely cacheusr). You'll need to make the non-root user a member of that group, unless you'd prefer to use sudo as previously mentioned.

$ sudo usermod -a -G cacheusr <username>

If the user is already logged in, he/she may need to run newgrp to select cacheusr as their primary group:

$ newgrp cacheusr

Three possibilities:

  1. Caché wasn't installed to run as cacheusr
  2. a second, administrative group was created for performing start/stop operations and users will need to be added to that instead (see @Katherine Reid's comments)
  3. Someone jiggered the permissions for the binaries in <installdir>/bin; those will need to be fixed
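An added example, not part of the original thread: a shell check for the point made above that no real user should belong to the internal cacheusr group. It lists accounts that are in a group either as supplementary members or through their primary GID. The group name cachemgr, the sample accounts, and the login-shell heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit who belongs to the Caché
# internal group. Paths are parameters so the check can run on copies.

# Print every account in group $1: supplementary members from the group
# file ($2) plus accounts whose primary GID matches in the passwd file ($3).
group_members() {
    gm_group=$1; gm_gfile=${2:-/etc/group}; gm_pfile=${3:-/etc/passwd}
    gm_gid=$(awk -F: -v g="$gm_group" '$1 == g { print $3; exit }' "$gm_gfile")
    [ -n "$gm_gid" ] || return 1          # group is not defined
    {
        awk -F: -v g="$gm_group" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gm_gfile"
        awk -F: -v gid="$gm_gid" '$4 == gid { print $1 }' "$gm_pfile"
    } | sort -u
}

# Subset of group_members that can log in. Treating nologin/false shells
# as service accounts is a heuristic assumed for this example.
interactive_members() {
    im_pfile=${3:-/etc/passwd}
    group_members "$@" | while read -r im_user; do
        im_shell=$(awk -F: -v u="$im_user" '$1 == u { print $7; exit }' "$im_pfile")
        case $im_shell in
            */nologin|*/false) ;;
            *) echo "$im_user" ;;
        esac
    done
}

# Constructed sample data; "cachemgr" is a hypothetical start/stop group.
make_sample() {
    printf '%s\n' 'cacheusr:x:1001:alice' 'cachemgr:x:1002:bob' > "$1/group"
    printf '%s\n' \
        'cacheusr:x:1001:1001::/home/cacheusr:/sbin/nologin' \
        'alice:x:1003:1003::/home/alice:/bin/bash' \
        'bob:x:1004:1002::/home/bob:/bin/bash' \
        'carol:x:1005:1001::/home/carol:/bin/bash' > "$1/passwd"
}
```

On a live host, `interactive_members cacheusr` reads /etc/group and /etc/passwd by default; any name it prints is a login account that holds the internal group.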