SystemAdmin

Pinned topic Administrative commands without root

2013-02-27T02:34:44Z
Hi,

I am working with a customer whose security requirements do not allow root logins between systems, even with the use of ssh keys. Does GPFS provide the ability to define an ordinary user with the ability to issue administrative commands? The site does allow password-less logins by non-root users between systems.

Thanks,
  • dlmcnabb

    Re: Administrative commands without root

    ‏2013-02-27T05:53:01Z  
    No, GPFS requires root, because it works with system resources that require root, such as system devices.
  • SystemAdmin

    Re: Administrative commands without root

    ‏2013-02-27T07:48:06Z  
    • dlmcnabb
    • ‏2013-02-27T05:53:01Z
    No, GPFS requires root, because it works with system resources that require root, such as system devices.
    GPFS allows you to configure/customize the commands used to log in remotely.

    You can use this ability to define your own custom ssh/scp scripts. Your custom scripts could use another user to ssh and use sudo remotely to execute the command as root. For GPFS this is transparent: the command is executed remotely, and ssh is using a non-root user to log in passwordless remotely.

    While this would fulfill the customer requirements on paper, the other user effectively becomes equivalent to root, so there is no real security advantage.
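
The custom remote-shell wrapper described in the reply above, as an added example that is not part of the thread and not IBM code. The account name `gpfsadmin`, the `GPFS_ADMIN_USER` and `DRY_RUN` variables, and the calling convention (`[ssh options] [user@]host command...`) are assumptions; as the reply notes, the account it uses is root-equivalent and needs the same protection as root.

```shell
#!/bin/sh
# Added example, not IBM code. Assumptions: the caller passes
#   [ssh options] [user@]host command...
# and "gpfsadmin" (hypothetical) has key-based login and NOPASSWD sudo on every node.
GPFS_ADMIN_USER="${GPFS_ADMIN_USER:-gpfsadmin}"

# Single-quote a string for a POSIX shell: each ' becomes '\''
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

ssh_sudo_wrap() {
    opts="" host=""
    while [ $# -gt 0 ]; do
        case $1 in
            -o|-i|-p) opts="$opts $(sq "$1") $(sq "$2")"; shift 2 ;;  # option + value
            -l)       shift 2 ;;            # drop the requested login name (root)
            -*)       opts="$opts $(sq "$1")"; shift ;;
            *)        host=${1#*@}; shift; break ;;   # strip any "root@" prefix
        esac
    done
    if [ -z "$host" ] || [ $# -eq 0 ]; then
        echo "usage: ssh_sudo_wrap [ssh options] host command..." >&2
        return 2
    fi
    # ssh joins the command words with spaces and hands them to the login shell.
    # Wrapping them in one quoted "sh -c" keeps pipes, ';' and redirections
    # inside the root shell instead of splitting them off as the non-root user.
    remote="sudo -n /bin/sh -c $(sq "$*")"
    eval "set -- $opts"' -l "$GPFS_ADMIN_USER" "$host" "$remote"'
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$@"      # show the argv that would be passed to ssh
    else
        exec ssh "$@"
    fi
}

# Run as a script only when arguments were supplied.
if [ $# -gt 0 ]; then ssh_sudo_wrap "$@"; fi
```

This covers only the remote-shell side; the remote copy command needs its own wrapper. Setting `DRY_RUN=1` prints the ssh arguments without connecting, which is useful for checking the quoting before the script is registered with the cluster.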
  • SystemAdmin

    Re: Administrative commands without root

    ‏2013-03-07T23:09:59Z  
    Thanks. I was able to make that work. One more question: I was expecting that I would need to do something special with the remote copy command to fix the permissions since the file is being copied as a non-root user, although it seems to be working fine transferring the file using a non-root user. It appears that the file gets transferred to the remote system into the /tmp directory and then the remote system copies the file. Can I assume that this will continue to work in all cases and not run into permission problems?