ADSM-L

Re: cmd, cmdfilename...

1998-10-13 12:17:58
Subject: Re: cmd, cmdfilename...
From: Tom Tann{s <tom.tannas AT USIT.UIO DOT NO>
Date: Tue, 13 Oct 1998 18:17:58 +0200
The problem here, as I see it, is that ANY administrator can issue these
query-commands.
We dont give the root-password or the system/unrestricted-privileges of
adsm to everyone, for obvious reasons..

But when an adsm-admin with no privileges at all can
destroy the server with a few simple commands, I see this as a potential
security problem..

To issue the BACKUP VOLHISTORY and BACKUP DEVCONFIG-commands, you must
have system privilege or unrestricted storage privilege.



On Tue, 13 Oct 1998, Andrew Raibeck wrote:

> Hello Tom,
>
> You are correct, the output will be written to the file
> specified by the CMDFILENAME option. It is up to the
> user running the command to avoid writing to the wrong
> file.
>
> Of course if the user specifies the name of an existing
> file that shouldn't be written over, it can cause
> problems. However there is no way to tell ADSM which
> files it can and which files it can not write over.
> Allowing ADSM to writing only new files (as opposed to
> writing over existing files) would be too
> restrictive, as many users might want to write to the
> same file on a daily basis.
>
> This behavior is no different than the FILENAMES option
> available for the BACKUP VOLHISTORY and BACKUP
> DEVCONFIG commands, or if you redirect the output of
> your Admin QUERY commands, all of which go back to ADSM
> Version 1.
>
> If you would rather not specify CMDFILENAME on the
> QUERY DRMEDIA command, you can instead use the
> SET DRMCMDFILENAME to establish the file name that
> QUERY DRMEDIA will write to, then omit CMDFILENAME
> on the QUERY DRMEDIA command.
>
> Best regards,
>
> Andy
>
> Andy Raibeck
> IBM Storage Systems Division
> ADSM Client Development
> e-mail: storman AT us.ibm DOT com
>
> With the admin CLI on any client, any addsm-administrator can do the
> following: (This is just an example on one stupid thing to do...)
>
> adsm> q drmedia f=cmd cmd='q libvol 3494 &vol' \
> cmdfile=/usr/lpp/adsmserv/bin/adsmstart \
> ANR6763I QUERY DRMEDIA: The specified command has been written to file
> '/usr/lpp/adsmserv/bin/adsmstart'.
>
> Any file on the adsmserver can be overwritten whith these commands, as
> long as they are not opened by other processes...
>
> Is this supposed to be a feature?
> Or am I missing something here?
>
> (Current server: 3.1.2.0, AIX oslevel 4.2.0.0
>  Admin CLI 2.1.0.4 (Aix)
>
<Prev in Thread] Current Thread [Next in Thread>