HP Serviceguard Manager Plug-in Security Whitepaper, March 2009

ManualsBrandsHP ManualsSoftwareHP Serviceguard for Linux Cluster



include privilege

appropriate

information (e.g. property sheet) in the returned web page.



enable and disable

privileged

operations

(e.g. delete a p

ackage

) in

the returned web page.



apply

access

control check

before performing

Serviceguard

operations to ser

ice this

request.

The access

control process will be discussed in the next

section

Authorization

Smhrun

To service a request from a clien

t, SgmgrPI needs to retrieve, modify, and/or store data

pertaining

the managed cluster. It does so by calling one or more standard Serviceguard commands (e.g.

cmviewcl

cmapplyconf

cmgetconf

etc

), or shell scripts supplied by

SgmgrPI

on behalf of the

uthenticated user. To

execute these commands using the identity t

hat has been authenticated by

SMH

and PAM

in the lo

gin process, SgmgrPI uses the

SMH's command,

smhrun

. This command is

designed as the uni

fied

mechanism

shared by all

SMH plug

ins to

execute

a command with

intended

identity and

privilege sets

To execute a Serviceguard command or SgmgrPI script, SgmgrPI spawns a process (see path 4 or

figure 1) and execute

the

smhrun

command with the user identity, the name of the command or

script, and

a set of

command

parameters. The child process is owned

the user

hpsmh

, and

command

output is read directly into SgmgrPI process memory.

Note that

smhrun

only run the

commands which have been configured into its secure database; this provides an

additional level of

protection

gainst

executing arbitrary commands.

Some Serviceguard commands require communication between

other

Serviceguard nodes (see path 5

in figure 1). This communication path is protected by Serviceguard and

detail

s of its

operation

beyond the scope of this white

paper.

the document "

Securing Serviceguard

listed in the