ADSM-L

[ADSM-L] Security issues with proxynode

2008-01-10 12:42:08
Subject: [ADSM-L] Security issues with proxynode
From: Matthias Feyerabend <M.Feyerabend AT GSI DOT DE>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 10 Jan 2008 18:41:27 +0100
Just recently I realized that our usage of the proxynode feature violates
security standards in UNIX. We have NFS File-Servers lxfsuxx as agent
nodes and a target node lxtsm.

Using the GRant PROXynode server command and the asnodename client option, we
allow users to restore data which was backed up on the NFS Fileserver.
But: Users now see not only their own files, they see all files and are
able to restore or retrieve them, without regard to the UNIX permissions!

There is an IBM doc, APAR IC50565, which explains this, stating that:
... when TSM admin grants a node proxy authority, and you use the
asnodename option to become that node, you can query and restore all
files as if you had root authority.

I wish I had known this before we began using proxynode for our NFS
fileservers!

Matthias



--
Matthias Feyerabend                     | M.Feyerabend AT gsi DOT de
Gesellschaft fuer Schwerionenforschung  | phone +49-6159-71-2519
Planckstr. 1                            |
D-64291 Darmstadt                       | fax   +49-6159-71-2519
