HPE Community
Operating System - HP-UX
1820475 Members
3050 Online
109624 Solutions
New Discussion юеВ

kmem group?

 
Michael D. Zorn
Regular Advisor

тАО10-02-2006 06:15 AM

тАО10-02-2006 06:15 AM

kmem group?

My database vendor wants me to set up a kmem group:

"Add [the db admin] user to the kmem group in the /etc/group file, as described in your OS documentation.

Make sure that /dev/kmem is in the kmem group and its permissions are "group read", e.g.:

crw-r----- 1 sys 13. 1 jun 19 09:05 /dev/kmem
==========

There isn't a kmem group on the machine now, and /dev/kmem is

crw-r----- 1 bin sys 3 0x000001 Nov 14 2000 /dev/kmem

I can't find much about the "kmem group". Their example ll seems to say it's a regular file, and my system's ll says its a special file.

If I just make a new group "kmem" in /etc/group, will that really mean anything to HPUX? Or does it only mean something to the database (Ingres)?
0 Kudos
Reply
3 REPLIES 3
IT_2007
Honored Contributor

тАО10-02-2006 06:18 AM

тАО10-02-2006 06:18 AM

Re: kmem group?

you can't use kmem as group to add. May be read your vendor document again what exactly group to be added.

BTW, kmem is kernel memory for a vpar and adb tool is used to debug memory information.
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО10-02-2006 09:12 AM

тАО10-02-2006 09:12 AM

Re: kmem group?

/dev/kmem is the device file that points to raw memory. Giving a DBA access to this device file is like giving the keys to a cement mixer to a 7 year old -- they might not run over anyone but then again, anything can happen. Now the goal seems to be to allow a DBA to read (not write), and perhaps something like this is being suggested:

Add a kmem group to the /etc/group file
Add DBAs to the kmem group
chgrp kmem /etc/kmem

HOWEVER -- I would never do this until your corporate security and auditors evaluate the 'feature'. Every kmem user can read any part of memory including data that is not supposed to be read by corporate policy.


Bill Hassell, sysadmin
0 Kudos
Reply
Patrick Wallek
Honored Contributor

тАО10-02-2006 09:23 AM

тАО10-02-2006 09:23 AM

Re: kmem group?

My first question back to them would be: WHY? Why does the DBA need access to kmem?

As Bill said that is a big security hole and can be very very dangerous.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.