ADSM-L

ADMIN security (was: New Clients automatically Administrators Too with Level 2.20)

1999-05-24 11:37:35
Subject: ADMIN security (was: New Clients automatically Administrators Too with Level 2.20)
From: "Prather, Wanda" <PrathW1 AT CENTRAL.SSD.JHUAPL DOT EDU>
Date: Mon, 24 May 1999 11:37:35 -0400
I think this is also a security issue.

The clients get registered with admin id's which have only client ownership
authority.  It allows them to run the web browser on their own machines.

With only "client ownership" authority, which is how they are created, they
can't alter server storage pools or anything like that.

The problem is that ANY admin id can run QUERIES against the ADSM data base.

That opens up 1 availability issue and 1 real security hole, in my opinion:

1) An ill-advised SQL query issued by any admin id can bring the ADSM server
to its knees, and

2) Any client can issue an SQL query that would produce a list of another
client's files.  Even though they can't actually access the data, in an
environment with CLASSIFIED data, that is considered a breach of security.

Thus we cannot allow use of the web client here.
I don't think admin id's with only "client ownership" privileges should be
able to run ANY server command, even queries.

************************************************************************
Wanda Prather
The Johns Hopkins Applied Physics Lab
443-778-8769
wanda_prather AT jhuapl DOT edu

"Intelligence has much less practical application than you'd think" -
Scott Adams/Dilbert
************************************************************************
> -----Original Message-----
> From: Laszlo Nemeth [SMTP:Laszlo.Nemeth AT SYBASE DOT COM]
> Sent: Sunday, May 23, 1999 5:35 PM
> To:   ADSM-L AT VM.MARIST DOT EDU
> Subject:      Re: New Clients automatically Administrators Too with Level 2.20
>
> uh what about those of us that do openregistration and don't want
> bunches of administrator accounts around?
>
>
> laz
>
>
>
>
> Joshua Bassi <jbassi AT GLORYWORKS DOT COM> on 05/21/99 04:49:03 PM
>
> This feature has been added so that users can use the web b-a client to
> run backups, restores, etc.
>
> If you do not want this feature and you don't wish to have all these
> "administrators" around, instead of manually removing these
> administrators, you can tell ADSM not to add an admin ID when you
> register all new nodes:
>
> register node nodename password userid=none
>
> This will prevent an admin from being created for this user to login using
> the web b-a client.
>
>
> ----------------------------------------------------------------------------
> Joshua S. Bassi                      E-mail:           jbassi AT gloryworks DOT com
> Storage Management Team Lead         Cell/Pager/VM:    (408) 836-7147
> AIX / ADSM Certified Specialist      Internet:         www.TeamDSG.com
> Dickens Services Group               "Server & storage consulting services"
> ----------------------------------------------------------------------------
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU]On Behalf Of
> Glass, Peter
> Sent: Friday, May 21, 1999 3:19 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: New Clients automatically Administrators Too with Level 2.20
>
>
> Here's a good one.
> Ever since we upgraded to Level 2.20 of V3 R1-MVS a couple of weeks ago,
> every new client node that we register is also registered as an
> Administrator.
> Was this an intentional enhancement that comes with this release?
> I don't know about some folks, but I would rather not have so many
> administrators. Now, after I define a new client node, I pull down the
> Administrator menu and delete the intruder from my Admin list. I plan to
> automate this procedure in the near future, but I hope that IBM removes
> this 'enhancement' first, as having to do this is very annoying.
> Those who have upgraded to Level 2.20 may want to check to make sure this
> isn't happening to them, too.
> Peter K. Glass
> Distributed Storage Management
> Norwest Services, Inc.
> *612-667-0086   *612-899-2776
> *peter.k.glass AT norwest DOT com <*************************>