Operating System - HP-UX

Sascha Krueger
Occasional Advisor

How to prevent root on another SD partition from running SD-complex commands?

Is there a way to prevent root on another Superdome hard partition from running par* commands to change/view partition information?

We would like to give the administration of a second hard partition to another department without letting them change the complex configuration. We wouldn't even like them to view the config.

Just removing the binaries is not appropriate. ACLs may be a way...

suggestions
Unix - Administration
Stefan Farrelly
Honored Contributor
Solution

On their node simply swremove PartitionManager

This is the software that allows reconfiguring of a whole server (be it an SD or 7410/8410) - you don't have to have it installed. On the node you are giving to another dept to admin they don't need this software - it's the only way to stop them accessing the whole server (or remove the installed binaries).
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Dietmar Konermann
Honored Contributor

You cannot really prevent root from doing that... since root is allowed to re-install software and re-configure the kernel. However, if you remove the hd_fabric driver from the kernel, then at least a reboot would be required to make the commands work again.

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
Sascha Krueger
Occasional Advisor

From your answers I understand that there is NO way to give away a partition as if it were a standalone server. Is that the point?

Thank you for the quick help.
Stefan Farrelly
Honored Contributor

The only way to give away a server is to remove the software on it that allows them to access the whole physical box (e.g. an SD) - which is Partition Manager and/or Vpars (if it's a vpar instead of an npar) - but if they have root access they could simply download and reinstall the software then access the whole server again!
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Sascha Krueger
Occasional Advisor

I understand.

Thank you for making things clearer...
Dietmar Konermann
Honored Contributor

Sascha,

the "newer" Superdomes (IA64, PA8800) support a new MP command:

parperm

This command configures nPartition Configuration Privilege.

WARNING: When nPartition Configuration Privilege is unrestricted,
configuration commands issued by one partition can affect
the configuration of another partition. When this privilege
is restricted, configuration commands issued by a partition
cannot affect power or partition assignment of hardware not
already assigned to the partition. Restricting nPartition
configuration privilege does not restrict deallocation of
processors across partition boundaries.

nPartition Configuration Privilege is currently restricted.

Do you wish to unrestrict partition configuration (allowing partitions
to change the configuration of the platform)? (Y/[N])

---
Using this command protects the complex profile globally. So you could lock the configuration to prevent _all_ partitions' root users from changing the settings.

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)