Why do several binaries installed with NSM agent technology need the setuid permission?

Document ID : KB000051328
Last Modified Date : 14/02/2018

Description:

This document explains why several binaries installed with NSM agent technology are installed with the setuid permission bit set.

Solution:

The following entries explain, for each file that carries the setuid setting, why the bit is needed. Each entry shows the owning user, the file mode and the path:

:root (0):Super-User: -rwsr-xr-x - /opt/CA/SharedComponents/Csam/SockAdapter/bin/csampmux:

Normally, when a user executes a file, the process created by that execution runs with the same identity and permissions as the user: the process inherits the user's identification.

The csampmux server can be started by different users. If it ran with the starting user's identification, it could not open files such as the log and configuration files, because not every user has permission to access them. To prevent this, the SUID attribute is set on the executable, which forces the process to run with the identification of the file owner (root) rather than that of the user who started it.

:root (0):Super-User: -r-sr-xr-x - /opt/CA/SharedComponents/ca_lic/CAmtype:

An important part of each license check is determining if the license installed is adequate for the hardware of the local machine. This is done by rating each CA defined machine type into a tier. To determine the tier of a system, the machine type of the system must first be obtained.

CAmtype in CA-Licensing is used to determine the system's CA-defined machine type. The machine type includes the installed operating system, the processor type, the number of processors and the processor speed. CAmtype obtains this information from the system and returns it in the following format:
<OS><processor type><num of processors>_<processor speed>.

CAmtype needs root privileges to obtain this information, which is why it has the setuid bit set in its file permissions.

:root (0):Super-User: -rwsr-xr-- - /opt/CA/SharedComponents/ccs/atech/agents/bin/caiUxsA2:

The setuid bit has been required since caiUxOs in r3.x, and is still needed for caiUxsA2 in r11.x: the binary must read certain metrics as root, and does not work without it.

:root (0):Super-User: -r-sr-x--- - /opt/CA/SharedComponents/ccs/atech/agents/bin/capmproc64:
:root (0):Super-User: -r-sr-x--- - /opt/CA/SharedComponents/ccs/atech/agents/bin/capmprocfast:
:root (0):Super-User: -r-sr-x--- - /opt/CA/SharedComponents/ccs/atech/agents/bin/capmprocfast64:
:root (0):Super-User: -r-sr-x--- - /opt/CA/SharedComponents/ccs/atech/agents/bin/hpaAgent:
:root (0):Super-User: -r-sr-x--- - /opt/CA/SharedComponents/ccs/atech/agents/bin/hpacbcol:
:root (0):Super-User: -r-sr-x--- - /opt/CA/SharedComponents/ccs/atech/agents/bin/prfAgent:

Performance agents gather and monitor operating system resource data. They rely on low-level OS and kernel function calls that only the root user may make. Because the agents can be installed under a non-root user account, certain executables need the setuid bit to obtain the required access.

:root (0):Super-User: -r-sr-xr-x - /opt/CA/SharedComponents/ccs/cam/bin/caft:
:root (0):Super-User: -r-sr-xr-x - /opt/CA/SharedComponents/ccs/cam/bin/cam:

caft and cam have the setuid bit set in their file permissions. They are the executables that start the caftf and camf server executables. They use the file ownership of the server executable to decide which user to run caftf/camf under, and change their user ID to that of the owning user of the server executable before starting it. Since CAM is a common messaging component, restricting the server to the privileges of its owner is essential for security.
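The start sequence described for caft and cam, written out as an added example in C (it is not the CA implementation, and the server path used in main is a hypothetical placeholder, since this document names camf but not its location): the setuid-root wrapper reads the owner of the server executable, permanently switches to that identity with every privilege call checked, and only then execs the server.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Owner of the server executable the wrapper is about to start.
 * Returns (uid_t)-1 if the path is missing or not a regular file. */
uid_t server_owner_uid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return (uid_t)-1;
    return st.st_uid;
}

/* Owning group of the server executable, same failure convention. */
gid_t server_owner_gid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return (gid_t)-1;
    return st.st_gid;
}

/* Switch the (setuid-root) wrapper permanently to uid/gid. Group identity is
 * dropped first, because changing it needs root; uid goes last. Every call is
 * checked: a silently failed setuid() would leave the server running as root. */
int become(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                       /* clear supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify that real and effective ids both changed ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ... and that root cannot be regained (saved set-user-ID was dropped too). */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Read the owner of the server executable, take that identity, then exec the
 * server. Returns -1 only on failure; on success the process is replaced. */
int start_server_as_owner(const char *server, char *const argv[])
{
    uid_t uid = server_owner_uid(server);
    gid_t gid = server_owner_gid(server);
    if (uid == (uid_t)-1 || gid == (gid_t)-1)
        return -1;
    if (become(uid, gid) != 0)
        return -1;
    execv(server, argv);
    return -1;                           /* exec failed; errno is set */
}

int main(int argc, char *argv[])
{
    /* Hypothetical server location; pass the real one as the first argument. */
    const char *server = argc > 1 ? argv[1] : "/opt/CA/SharedComponents/ccs/cam/bin/camf";
    char *const args[] = { (char *)"camf", NULL };

    printf("wrapper: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (start_server_as_owner(server, args) != 0) {
        perror(server);
        return 1;
    }
    return 0;                            /* not reached: execv replaced the process */
}
```

Two consequences of this design are worth verifying on an installed host. If the server executable is owned by root, the switch is a no-op and the server runs as root. And whoever can replace the server executable chooses the identity the root-owned wrapper hands to it, so the server file and the directory containing it must not be writable by unprivileged users.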

:root (0):Super-User: -r-sr-xr-x - /opt/CA/SharedComponents/csutils/bin/casrvc:

The setuid bit is required so that casrvc can act as root: it accesses and runs the other components' files to start and stop the services and to query their status, and those operations require root privileges.