Hi, Jack. I believe the client is still using the encrypted cached password
even when you specify the -password option. That or maybe it's defaulting
to the TSM Authorized User/sticky bit behavior described in the manual. In
either case, the truth is that any user that knows the node's password, even
if he's on the local machine, has access to all the files. If you back up
files on apollo, and then restore on apollo from node apollo using
-virtualnodename=apollo, it forces password recognition and Bob can restore
Alice's files on the local server. I tested this as follows using the
3.1.0.8 client and the 4.1.3.0 client.
jester:alex /home/alex$ ls -l /etc/inittab
-rw------- 1 root system 3576 Aug 10 12:59 /etc/inittab
jester:alex /home/alex$ dsmc res -virtualnodename=jester -password=[pw] -pi /etc/inittab /home/alex/inittab
was able to see and restore /etc/inittab, but I didn't copy and paste the
pick list and restore.
jester:alex /home/alex$ dsmc res -password=[pw] -pi /etc/inittab
was not able to see /etc/inittab. With neither client did I get the
ANS1107E Invalid option/value: '-virtualnode=MachineA'.
I hope this helps.
Alex
-----Original Message-----
From: Jack McKinney [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: dsmc: same vs. different node, root vs. non-root user...
Big Brother tells me that Alex Paschal wrote:
> When you have access to the node's password, TSM assumes you're the
> authorized backup person for the node, which is why you can see everything
> when you use the VirtualNodeName option and plug in the password. As root,
> obviously you have access to all the files, so you can see them then, also.
In all three cases (root on the node itself, user on the node itself,
and user on another node) I am supplying the password (i.e., demonstrating
access to the node's password) via '-password=foobar' on the dsmc command
line.
> A question, what kind of access does the "user that can't see the files"
> have to the files the user is trying to restore?
Read access. The files are root-owned with permissions 644.
> Does the user own those
> files? I did a quick test on my box, and my regular user ID can only
> restore things that I own/have access to. I didn't narrow it down to
> whether it was own or access, but if you're interested, you can test both.
This makes sense to me. Otherwise Alice could have private files
that she wants no one to read (perms 600 in a 700 directory). Bob,
OTOH, who does not have root but does have the TSM password, could then
access her files.
Here's the catch. Alice and Bob have accounts on AIX server 'apollo'.
Bob has apollo's TSM password, so he does:
apollo$ dsmc restore /home/alice/ ~/alices-files/ -inactive -pick -password=apollopw
TSM protects Alice's files, and this command fails. However, it does
no good for TSM to do this, because Bob goes to AIX server 'zeus' and does:
zeus$ dsmc restore /home/alice/ ~/alices-files/ -inactive -pick -virtualnode=apollo -password=apollopw
This _does_ give him full access to the files! The only situation where
TSM denies access to the files is if a non-root user ON THE ORIGINAL MACHINE
tries to recover files. A non-root user on any other machine has full
access! Try it! I can even access the files from my linux workstation
if I know the node's password.
--
Jack McKinney
[EMAIL PROTECTED]
1024D/D68F2C07 4096g/38AEF076 http://www.lorentz.com
"Master knows everything except combination to safe"
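The access-control behavior the two messages above describe, as an added model that is not TSM code and not part of either poster's message: the server accepts any client that presents the node password, and the only thing standing between Bob and Alice's 600 files is a permission check that the dsmc client applies locally when it is run by a non-root user on the node itself, so pointing a client at the node from elsewhere with -virtualnodename skips it. A hypothetical hardened design is set beside it in which the server authenticates the requesting user and applies the permission check itself. The fake filesystem, the node and user passwords, and the Request/decision functions are all constructed for this illustration.

```python
"""Model of the restore access checks reported in the thread (added example,
not TSM's own code). Fake filesystem, passwords and function names are
constructed for illustration only."""
from dataclasses import dataclass

# Constructed filesystem: path -> (owner, mode). Alice's private file sits in
# a 700 directory; /etc/inittab is root-owned 600 as in Alex's test.
FS = {
    "/": ("root", 0o755),
    "/home": ("root", 0o755),
    "/home/alice": ("alice", 0o700),
    "/home/alice/secret": ("alice", 0o600),
    "/etc": ("root", 0o755),
    "/etc/inittab": ("root", 0o600),
}

# Constructed credentials: one shared secret per node (what TSM checks), and
# per-user secrets that only the hypothetical hardened design below uses.
NODE_PASSWORDS = {"apollo": "apollopw"}
USER_PASSWORDS = {"alice": "alicepw", "bob": "bobpw", "root": "rootpw"}


def _bits(entry_owner, mode, user):
    """rwx triplet that applies to `user` (owner or other; groups ignored)."""
    return (mode >> 6) & 7 if user == entry_owner else mode & 7


def readable(path, user):
    """POSIX-style check: x on every directory on the way, r on the leaf.
    root bypasses mode bits, exactly as on the real node."""
    if user == "root":
        return True
    parts = [p for p in path.split("/") if p]
    cur = ""
    for d in parts[:-1]:
        cur = cur + "/" + d
        owner, mode = FS[cur]
        if not _bits(owner, mode, user) & 1:
            return False
    owner, mode = FS[path]
    return bool(_bits(owner, mode, user) & 4)


@dataclass
class Request:
    node: str        # node whose backups are being restored
    password: str    # value given as -password
    user: str        # OS user running dsmc
    on_node: bool    # True when run on `node` itself, False with -virtualnodename


def restore_allowed_as_observed(req, path):
    """Behavior Jack and Alex observed: the server only verifies the node
    password. The file-permission check is applied by the client, and only
    when a non-root user runs it on the node itself; a client pointed at the
    node from another machine never performs it."""
    if NODE_PASSWORDS.get(req.node) != req.password:
        return False
    if req.on_node and req.user != "root":
        return readable(path, req.user)
    return True


def restore_allowed_server_side(req, path, user_password):
    """Hypothetical hardened design (an assumption, not a TSM feature): the
    server authenticates the requesting user as well as the node and applies
    the permission check itself, so where the client runs is irrelevant."""
    if NODE_PASSWORDS.get(req.node) != req.password:
        return False
    if USER_PASSWORDS.get(req.user) != user_password:
        return False
    return readable(path, req.user)


if __name__ == "__main__":
    bob_on_apollo = Request("apollo", "apollopw", "bob", on_node=True)
    bob_on_zeus = Request("apollo", "apollopw", "bob", on_node=False)
    for label, req in (("bob on apollo", bob_on_apollo), ("bob on zeus", bob_on_zeus)):
        print(label, "observed:", restore_allowed_as_observed(req, "/home/alice/secret"),
              "server-side:", restore_allowed_server_side(req, "/home/alice/secret", "bobpw"))
```

The pair of functions makes the thread's point directly: the same request that is refused for Bob on apollo is granted for Bob on zeus, because the only check that protects Alice's files lives in a client Bob is free not to run. The server-side variant refuses him from either machine and still lets Alice and root restore their own data.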