Automic Workload Automation

 View Only
  • 1.  ucybsmgr-listener

    Posted Mar 06, 2020 06:41 AM
    Edited by Michael Lowry Mar 06, 2020 07:57 AM
    Service Manager version 12.3 introduced a new capability on UNIX: a clean separation between the process running as root and the process that opens a listening socket. Prior to v12.3, a single ucybsmgr process fulfilled both roles, running as root and opening a listening socket. Starting with v12.3, these roles are segregated into two separate processes.
    • ucybsmgr: Usually run as root. If started as root, starts most child processes as root, e.g., the UNIX agent, which needs to run as root in order to switch to other users when starting jobs. Starts ucybsmgr-listener as nobody.
    • ucybsmgr-listener: Child process of ucybsmgr. Started as nobody. Opens a listening TCP socket to accept incoming service manager commands from the Service Manager GUI, the Service Manager CLI, or the Automation Engine.

    # lsof | grep 8871
    ucybsmgr   91442            nobody    4u     IPv6          107213485       0t0        TCP *:8871(LISTEN)
    ucybsmgr   91442            nobody    6u     IPv6          107213486       0t0        UDP *:8871

    # ps -ef | grep 91441
    root      91441      1  0 16:06 pts/1    00:00:00 ./ucybsmgr -iucybsmgr_EXP2.ini uc4
    nobody    91442  91441  0 16:06 pts/1    00:00:00 ucybsmgr-listener uc4
    root     108004  91441  1 16:39 pts/1    00:00:10 /opt/uc4/agent/ucxjlx6 /opt/uc4/agent/ucxjlx6_EXP2.ini


    KB article 145565 describes the new program in more detail. Note that the separation of root process and listening process works even if SMGR_SUPPORT_LEGACY_SECURITY is set to Y. (In other words, this feature does not depend on TLS or CAPKI.)


  • 2.  RE: ucybsmgr-listener

    Posted Mar 09, 2020 04:48 AM
    Thanks for this information Michael.

    Does this separation of priviliges only applies to process running as root?
    What about those service manager executed by sidadm? Will they also have a "nobody" childprocess?

    ------------------------------
    Regards,
    Carlos
    ------------------------------



  • 3.  RE: ucybsmgr-listener
    Best Answer

    Posted Mar 09, 2020 05:20 AM
    I'm not sure. It might depend on whether the executing user has the authority to switch to the nobody user, but I suppose it's actually simpler than that. The separation is intended to prevent root from running processes that open listening sockets. So I guess that when ucybsmgr runs as a non-root user, the ucybsmgr-listener child process is started as the same user.


  • 4.  RE: ucybsmgr-listener

    Posted Mar 10, 2020 10:14 AM
    Hello Michael,

    We try to trigger and service with our sidadm and there is "nobody" user but ucybsmgr-listener is with our uc4adm user.



    ------------------------------
    Regards,
    Carlos
    ------------------------------