Change profile ownership to non root - Websphere

  1. Change profile ownership to non root

    Currently WAS is installed and started/managed by root. Due to new security policies this is no longer possible, hence I'll need to assign the role to a non root user. According to the infocenter here:

    http://publib.boulder.ibm.com/infoce...nroot_own.html

    The way to do it is to create a new profile, and assign the new profile folders to the non root user. What I'm curious is, can we skip the creation of the new profile, and simply reuse the current profile (owned by root) by changing the ownership to the non root user and then modifying the folder paths as indicated. Basically it's just skipping the profile creation step.

    Reason is we want to avoid the hassle of reconfiguring the new profile. Any feedback is appreciated!

  2. Re: Change profile ownership to non root

    calvin.kok@avnet.com wrote:
    > Currently WAS is installed and started/managed by root. Due to new security policies this is no longer possible, hence I'll need to assign the role to a non root user. According to the infocenter here:
    >
    > http://publib.boulder.ibm.com/infoce...nroot_own.html
    >
    > The way to do it is to create a new profile, and assign the new profile folders to the non root user. What I'm curious is, can we skip the creation of the new profile, and simply reuse the current profile (owned by root) by changing the ownership to the non root user and then modifying the folder paths as indicated. Basically it's just skipping the profile creation step.
    >
    > Reason is we want to avoid the hassle of reconfiguring the new profile. Any feedback is appreciated!


    I'm not a product support person, but I see no reason you should have to
    create a new profile.

    If your default system umask is restrictive, though, be careful when you apply
    fixpacks. A profile still needs to read at least some files outside of its
    own directory, and it seems fixpacks can rewrite or create new
    files/directories which your profile will then not be able to read.

    --
    Doug

  3. Re: Change profile ownership to non root

    Hello,
    Yes, you may skip the step that requires a new profile to be created. Please note that if it is intended that non-root users be able to do more than start and stop the server, additional steps must be performed. For information on how to enable non-root users to perform tasks such as profile creation, augmentation and maintenance, please see the links below.

    http://publib.boulder.ibm.com/infoce...onrootpro.html

    http://publib.boulder.ibm.com/infoce...t_service.html

  4. Re: Change profile ownership to non root

    Hello,
    Yes, you may skip the step that requires a new profile to be created.
    Please note that if it is intended that non-root users be able to do
    more than start and stop the server, additional steps must be
    performed. For information on how to enable non-root users to perform
    tasks such as profile creation, augmentation and maintenance, please
    see the links below.

    http://publib.boulder.ibm.com/infoce...onrootpro.html

    http://publib.boulder.ibm.com/infoce...t_service.html


    -Regards


    On Jul 13, 5:04 am, calvin....@avnet.com wrote:
    > Currently WAS is installed and started/managed by root. Due to new security policies this is no longer possible, hence I'll need to assign the role to a non root user. According to the infocenter here:
    >
    > http://publib.boulder.ibm.com/infoce...ndex.jsp?topic...
    >
    > The way to do it is to create a new profile, and assign the new profile folders to the non root user. What I'm curious is, can we skip the creation of the new profile, and simply reuse the current profile (owned by root) by changing the ownership to the non root user and then modifying the folder paths as indicated. Basically it's just skipping the profile creation step.
    >
    > Reason is we want to avoid the hassle of reconfiguring the new profile. Any feedback is appreciated!



  5. Re: Change profile ownership to non root

    Thanks for the reply rlseaton. I was thinking instead of only changing ownership of profile and logs folder to the new non-root user, can I simply change the entire WAS folder (perhaps from opt/IBM/ onwards) from the root to the non-root? It only makes sense...so that the other tasks you mentioned and also future updates can be performed without issues.

    Or is it not as simple as that?

  6. Re: Change profile ownership to non root

    It is as simple as that.
    chown -R uid:gid IBM
    changes the ownership of the IBM folder onwards to uid, say a non root guy.
    Make sure you are not using ports owned by root like 80, 443 and so on.

  7. Re: Change profile ownership to non root

    And,
    from 6.1, it's not needed to lay down the software as root. Even patches too. In 6.0.xx, to install patches you need to be root. But after updateinstaller 7, you have to install patches as the owner of the WAS software.

  8. Re: Change profile ownership to non root

    xmx,

    What if, within IBM folder onwards, currently there are files/folders owned by root and also other users?

    If I were to simply chown IBM folder to a non-root user called 'wasadmin', then it will not only replace root (what we want) but also the other users (not what we want?)...

    I haven't checked whether all the files/folders are only owned by root though...

    "Make sure you are not using ports owned by root like 80, 443 and so on." - Here did you mean after chown-ing to wasadmin, wasadmin can't use ports 80, 443 etc? Is that because root was the original owner/installer? So how can I change ownership of these ports to wasadmin then?

    Also have you personally tried this method before....sounds more like a workaround than anything and it's not documented anywhere.

  9. Re: Change profile ownership to non root

    Is it not simple?
    I do chown -R uid:gid IBM as root.
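
The two concerns raised in the thread (files under the IBM folder owned by users other than root, and ports below 1024) can be checked before any `chown -R` is run. The script below is an added example, not code from any poster or from IBM. It assumes GNU find, grep and chown on Linux, that ports appear as `port="N"` attributes in the profile's XML configuration, and it builds its own constructed sample tree; `wasadmin` is the account name used in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU find, grep and chown on Linux.
# "wasadmin" and the sample tree are placeholders constructed for illustration.

# Build a small constructed install tree to try the checks on; prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/IBM/profiles/AppSrv01/config" "$d/IBM/logs"
    printf '%s\n' '<endPoint host="*" port="80"/>' \
        '<endPoint host="*" port="9080"/>' '<endPoint host="*" port="443"/>' \
        > "$d/IBM/profiles/AppSrv01/config/serverindex.xml"
    : > "$d/IBM/logs/SystemOut.log"
    echo "$d/IBM"
}

# Count entries per owner under DIR, one "owner count" pair per line.
owner_summary() {
    find "$1" -printf '%u\n' | sort | uniq -c | awk '{print $2, $1}'
}

# List entries NOT owned by EXPECTED: these are what a blanket
# "chown -R" would silently take away from their current owners.
foreign_owned() {    # usage: foreign_owned DIR EXPECTED
    find "$1" ! -user "$2" -printf '%u %p\n'
}

# Ports below 1024 found as port="N" attributes in XML files under DIR.
# A non-root process cannot bind these by default.
privileged_ports() {
    grep -rhoE --include='*.xml' 'port="[0-9]+"' "$1" 2>/dev/null |
        tr -dc '0-9\n' | sort -un | awk '$1 > 0 && $1 < 1024'
}

# Re-own only what OLD owns, leaving other users' files alone.
# Dry run (prints affected paths) unless APPLY=1 is set; applying needs root.
reown_from() {       # usage: reown_from DIR OLD NEWUSER:NEWGROUP
    if [ "${APPLY:-0}" = 1 ]; then
        chown -R -h --from="$2" "$3" "$1"
    else
        find "$1" -user "$2" -print
    fi
}
```

On a real host the sequence would be `foreign_owned /opt/IBM root`, then `privileged_ports` on the profile directory, then `APPLY=1 reown_from /opt/IBM root wasadmin:wasadmin` as root; the `/opt/IBM` path and the `wasadmin` group are assumptions.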
