Big Brother tells me that Alex Paschal wrote:
> When you have access to the node's password, TSM assumes you're the
> authorized backup person for the node, which is why you can see everything
> when you use the VirtualNodeName option and plug in the password.  As root,
> obviously you have access to all the files, so you can see them then, also.

     In all three cases (root on the node itself, user on the node itself,
and user on another node) I am supplying the password (i.e., demonstrating
access to the node's password) via '-password=foobar' on the dsmc command
line.

> A question, what kind of access does the "user that can't see the files"
> have to the files the user is trying to restore?

     Read access.  The files are root-owned with permissions 644.

> Does the user own those
> files?  I did a quick test on my box, and my regular user ID can only
> restore things that I own/have access to.  I didn't narrow it down to
> whether it was own or access, but if you're interested, you can test both.

    This makes sense to me.  Otherwise Alice could have private files
that she wants no one to read (perms 600 in a 700 directory).  Bob, who,
OTOH, does not have root but does have the TSM password, could then
access her files.
    Here's the catch.  Alice and Bob have accounts on AIX server 'apollo'.
Bob has apollo's TSM password, so he does:

apollo$ dsmc restore /home/alice/ ~/alices-files/ -inactive -pick -password=apollopw

    TSM protects Alice's files, and this command fails.  However, it does
no good for TSM to do this, because Bob goes to AIX server 'zeus' and does:

zeus$ dsmc restore /home/alice/ ~/alices-files/ -inactive -pick -virtualnode=apollo -password=apollopw

    This _does_ give him full access to the files!  The only situation where
TSM denies access to the files is if a non-root user ON THE ORIGINAL MACHINE
tries to recover files.  A non-root user on any other machine has full
access!  Try it!  I can even access the files from my Linux workstation
if I know the node's password.

--
"Master knows everything except                   Jack McKinney
  combination to safe"                            [EMAIL PROTECTED]
1024D/D68F2C07 4096g/38AEF076                     http://www.lorentz.com
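
Because the node password alone opens every file in a node's backups from any machine, one server-side check is to look for sessions that present a node name from somewhere other than that node's own client. The following is an added example, not part of the original post and not TSM code: the log lines are constructed and modelled on the server's ANR0406I session-start message, and the `EXPECTED` inventory, addresses and function name are assumptions.

```python
import re

# Constructed sample lines, modelled on the TSM server's ANR0406I
# session-start message; addresses and session numbers are made up.
SAMPLE_LOG = """\
ANR0406I Session 101 started for node APOLLO (AIX) (Tcp/Ip 10.0.0.11(40112)).
ANR0406I Session 102 started for node ZEUS (AIX) (Tcp/Ip 10.0.0.12(40370)).
ANR0406I Session 103 started for node APOLLO (AIX) (Tcp/Ip 10.0.0.12(40391)).
ANR0406I Session 104 started for node APOLLO (Linux86) (Tcp/Ip 10.0.0.77(51822)).
ANR0403I Session 104 ended for node APOLLO (Linux86).
"""

# Assumed inventory: where each node's own client is expected to connect from.
EXPECTED = {
    "APOLLO": {"addr": {"10.0.0.11"}, "platform": "AIX"},
    "ZEUS": {"addr": {"10.0.0.12"}, "platform": "AIX"},
}

SESSION_START = re.compile(
    r"ANR0406I Session (?P<session>\d+) started for node (?P<node>\S+) "
    r"\((?P<platform>[^)]+)\) \(Tcp/Ip (?P<addr>[^()\s]+)\(\d+\)\)"
)

def foreign_sessions(log_text, expected=EXPECTED):
    """Return session starts where a node name was used from an unexpected place."""
    findings = []
    for line in log_text.splitlines():
        m = SESSION_START.search(line)
        if not m:
            continue  # not a session-start record
        node, addr, platform = m["node"].upper(), m["addr"], m["platform"]
        profile = expected.get(node)
        if profile is None:
            reasons = ["node not in inventory"]
        else:
            reasons = []
            if addr not in profile["addr"]:
                reasons.append("unexpected source address")
            if platform != profile["platform"]:
                reasons.append("unexpected client platform")
        if reasons:
            findings.append((int(m["session"]), node, addr, platform, reasons))
    return findings

if __name__ == "__main__":
    for finding in foreign_sessions(SAMPLE_LOG):
        print(finding)
```

In the sample, session 103 is the apollo node name presented from zeus's address and session 104 is the same name presented from a Linux workstation, the two cross-machine cases the message describes.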
