ADSM-L

Re: Macros: Securing DSMADMC ID and Password

2002-10-11 01:45:05
Subject: Re: Macros: Securing DSMADMC ID and Password
From: "Seay, Paul" <seay_pd AT NAPTHEON DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 11 Oct 2002 01:43:16 -0400
We did it this way:

We set up a script to perform the dsmadmc command that will execute any
command.  The script is only readable by root.  Using sudo and its controls
we are able to grant access to execute the script, but not read it.  You can
also do this with the proper group permissions set up as well and not use
sudo.

So far, we have not found a way to break into this script.  Some may argue
that root can read it; well, root level access should be strictly
controlled.

Paul D. Seay, Jr.
Technical Specialist
Naptheon Inc.
757-688-8180
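
The setup described in the reply above depends on the wrapper's ownership and mode staying tight. The following is an added example, not code from the thread or from Tivoli: a shell check for those conditions, where the path /usr/local/sbin/tsmadm, the group tsmops and the sudoers line in the comments are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a root-only dsmadmc wrapper.
# Assumed layout, all names hypothetical:
#   /usr/local/sbin/tsmadm   wrapper holding the admin id and password
#   install -o root -g root -m 0700 tsmadm /usr/local/sbin/tsmadm
#   sudoers (edit with visudo):  %tsmops ALL=(root) /usr/local/sbin/tsmadm
# Callers run "sudo /usr/local/sbin/tsmadm q sess"; they never open the file.

# has_perm PATH OCTAL -> true if every bit of OCTAL is set on PATH
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# check_wrapper PATH OWNER -> 0 if the wrapper is locked down, 1 otherwise
check_wrapper() {
    path=$1 owner=$2 rc=0
    if [ -h "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: $path is missing, a symlink, or not a regular file"
        return 1
    fi
    if [ -n "$(find "$path" -prune ! -user "$owner")" ]; then
        echo "FAIL: $path is not owned by $owner"; rc=1
    fi
    # The mode must carry no group/other bits at all (0700 or tighter).
    for bit in 040 020 010 004 002 001; do
        if has_perm "$path" "$bit"; then
            echo "FAIL: $path has group/other permission bit $bit"; rc=1
        fi
    done
    # A directory writable by others lets them swap the script that sudo runs.
    dir=$(dirname "$path")
    for bit in 020 002; do
        if has_perm "$dir" "$bit"; then
            echo "FAIL: $dir is group/other writable (bit $bit)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $path"
    return "$rc"
}
```

Run it as `check_wrapper /usr/local/sbin/tsmadm root` from a periodic job. Arguments the wrapper passes to dsmadmc can still appear in process listings while the command runs, so these file permissions cover only the stored copy of the password.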


-----Original Message-----
From: Roger Deschner [mailto:rogerd AT UIC DOT EDU]
Sent: Friday, October 11, 2002 1:33 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Macros


The big advantage of ITSM Server Scripts over OS Shell Scripts (whether Unix
shell, CMS EXEC, or whatever) is passwords. With a Server Script, you are
not executing dsmadmc for each command - it is done from within an
administrator session. Authentication has already been performed, so admin
ids and passwords are simply not involved. However, for an OS script that
issues the dsmadmc command for each ITSM command, you've got to put an
all-powerful ITSM admin id and password on the command line, in clear text.

This is a big security hazard. Has anyone figured out a way around this?

Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
"Give a man a computer program and you give him a headache, but teach him to
program computers and you give him the power to create headaches for others
for the rest of his life." -- R. B. Forest



On Thu, 10 Oct 2002, Alex Paschal wrote:

>Well, I'll assume you mean TSM server scripts instead of shell scripts.
>
>Macros are really useful for multiple one time commands, like
>generating and executing multiple commands where you don't want to have
>to answer "Yes/No" for each command (move datas are a good example).
>Server scripts are more useful for more general scheduled tasks.  Quite
>frankly, I have never used server scripts.  If I have to do something
>complicated enough to use variable substitution and logic, I use cron'd
>shell or perl scripts for my management instead.
>
>Alex Paschal
>Storage Administrator
>Freightliner, LLC
>(503) 745-6850 phone/vmail
>
>
>-----Original Message-----
>From: Gerald Wichmann [mailto:gwichman AT ZANTAZ DOT COM]
>Sent: Thursday, October 10, 2002 12:04 PM
>To: ADSM-L AT VM.MARIST DOT EDU
>Subject: Macros
>
>
>Why would one use macros instead of a server script?
>
>Gerald Wichmann
>Senior Systems Development Engineer
>Zantaz, Inc.
>925.598.3099 (w)
>
>
>
