HP-UX Containers (SRP) A.03.00 Administrator's Guide
# ls /dev/vg53/lvol4
/dev/vg53/lvol4 not found
In the previous sample output:
• The first entry refers to the container root (/).
• The next two entries are mounts created for the container from the global view.
• The last entry refers to a lofs mount created within the container.
15.2 Users, groups and authentication
System containers are provisioned with a separate set of configuration files and service daemons to
manage users and groups, login authentication, and name service resolution. Administration of these
activities must be performed inside each system container. Consider using a network-based name
service repository such as NIS or LDAP-UX to minimize per-container user administration activity.
While the name mappings of users and groups support per system container variations, the uid and
gid values themselves are absolute with respect to process attributes. The restrictions defined for the
container control the access of a process to files, other processes, and network interfaces outside of
the container. These restrictions are not affected by the user and group IDs associated with a process
(for example, root privilege does not override container restrictions).
15.2.1 Displaying system container user, group, and process names from the global view
The following information about processes running in system containers is displayed in an altered
form to protect against accidental global view manipulation:
• User name and uid
• Group name and gid
• Process name
When the HP-UX Containers product is enabled, the reserved user name srp and the reserved group
name srp are registered in the global /etc/passwd and /etc/group databases, and they are
propagated to each system container database as well. When the global view lists processes, each
system container process is displayed with a user of srp(24) and a group of srp(24). These
values are intended for display purposes only – no process actually runs with these values. This
mapping prevents the accidental manipulation of system container processes by the global view using
a process list and pattern match for a legitimate user or group name.
Process listing from the global view displays an altered process name for processes running in a
system container. This protection is provided to avoid accidental signaling from the global view by
automated scripts that were designed to manage a single instance of a program through the use of
pattern matching of the process name. The algorithm used to alter the process name is designed to
allow for human recognition of the process while preventing conventional string pattern matching
schemes.
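The following is an added example, not part of the HP-UX Containers guide or product. It shows how a global-view management script can use the srp(24) display mapping as a guard: it selects PIDs by command name but skips every process the global view shows under the reserved srp user, so a pattern match never signals a container process. The ps output is constructed inline, and the altered container command names are illustrative placeholders, not the product's real alteration algorithm.

```shell
#!/bin/sh
# Constructed sample of "ps -ef"-style output as seen from the global view.
# Container processes appear with the reserved user srp and an altered
# command name (placeholders here); global-view processes show real users.
PS_SAMPLE='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root   101     1  0 10:00:00 ?         0:01 /usr/sbin/syslogd -D
     srp   202     1  0 10:00:01 ?         0:01 /usr/sbin/sysl_ogd -D
  daemon   303     1  0 10:00:02 ?         0:00 /usr/sbin/inetd
     srp   404     1  0 10:00:03 ?         0:00 /usr/sbin/ine_td'

# global_pids NAME: print the PIDs of global-view processes whose command
# basename is NAME. Any line displayed with user srp belongs to a system
# container and is skipped, so it is never a candidate for signaling.
global_pids() {
    printf '%s\n' "$PS_SAMPLE" | awk -v name="$1" '
        NR == 1      { next }          # header line
        $1 == "srp"  { next }          # container process: leave it alone
        {
            n = split($8, parts, "/")  # basename of the COMMAND field
            if (parts[n] == name) print $2
        }'
}

# container_process_count: how many listed processes the global view
# attributes to srp, i.e. how many a naive pattern match would have hit.
container_process_count() {
    printf '%s\n' "$PS_SAMPLE" | awk 'NR > 1 && $1 == "srp" { c++ } END { print c + 0 }'
}

# signal_global NAME SIGNAL: send SIGNAL only to global-view instances of
# NAME. DRY_RUN=1 (default here) prints the kill command instead of running it.
signal_global() {
    for pid in $(global_pids "$1"); do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: kill -$2 $pid"
        else
            kill -"$2" "$pid"
        fi
    done
}

signal_global syslogd HUP   # would run: kill -HUP 101 (202 is skipped)
```

If srp_obfuscate_enabled is set to 0, container processes are listed under their real user names and this srp-based filter no longer separates them from global-view processes.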
While display of process information is altered, the global view ability to signal all processes on the
system remains unchanged. Administrators who understand the consequences and want to eliminate
the user and group display mapping or the process name display changes can update the tunable
values as follows:
kctune srp_obfuscate_enabled=0 # to disable all process related obfuscation