andrason@MAESTRO.MITRE.ORG (Jackie Andrason) (03/28/91)
Does anyone know if there is a way to make crp ask for a password when root crps on with the -me option (or a way that root cannot use the -me option when crping? Thanks Jackie Andrason The MITRE Corporation e-mail: andrason@mitre.org
jak@interlan.Interlan.COM (Jeff Koehler) (03/29/91)
>Does anyone know if there is a way to make crp ask for a password >when root crps on with the -me option (or a way that root cannot >use the -me option when crping? A bug in the SR10.1 SPM (Server Process Mgr) has lead me to insist that ALL crp's use the '-me' switch; the crp pseudo-file in /dev will not get the ownership straightened out upon logout without it. If you edit the file '//<node>/sys/node_data/spm_control' you can limit the users by their SID, %.%.% is the default and allows access by everyone. If you systems have the SIDs set up in an orderly fashion, you can restrict 'root' by allowing only normal users to log in: %.hardware.% %.software.% %.other_groups.% This is somewhat backwards from what you want, but will serve the same purpose. More information is available in section 3.8.7 of the HP/Apollo manual Managing Aegis System Software (010852-A00). p.s. I also thought there was a converse method of specifying users that aren't allowed, but brain drain is affecting me for now. This should get you through for now. Don't Note that i didn't specify the file `node_data/spm_control, a subtle point in case you forgot that ` is a link to the local node's //<node>/sys dir! forget to ACL the files so sneaky users won't undo it! ............................................................................. Sr Hardware Engineer . Jeff Koehler Racal InterLan, Inc. . jak@interlan.com Boxboro, MA 508-263-9929 . (or `mighty Ko of the Pampas' to you) ............................................................................. -- Jak ............................................................................. Sr Hardware Engineer . Jeff Koehler Racal InterLan, Inc. . jak@interlan.com
rtb@cernapo.cern.ch (Rainer Tobbicke) (03/29/91)
andrason@MAESTRO.MITRE.ORG (Jackie Andrason) writes: >Does anyone know if there is a way to make crp ask for a password >when root crps on with the -me option (or a way that root cannot >use the -me option when crping? Well, I don't know whether spm_control has possibilities I w not aware of. Otherwise, you could turn on /etc/lprotect -rmtroot readonly, which cuts off crp as root. Unfortunately, it has side effects. It'll keep programs running as root from writing to that node's di, which makes it difficult to run certain services (e.g. lpd) on that node. -- Rainer Toebbicke European Organisation for Nuclear Research (CERN) Geneva, Switzerland rtb@cernapo.cern.ch, rtb@cernvm.cern.ch