Restricted execution based on command arguments
Once it is determined that a user has the authority to execute a command through the LPRM runlpcmd command, it may be necessary to determine if the user is permitted to run the command using the arguments he or she has specified.
It is not possible for the RMC subsystem or LPRM to make that determination directly, since neither RMC nor LPRM is aware of the meaning of the arguments of the command specified by the LP resource.
- The FilterScript resource attribute is a character string that specifies the full path name of a filter script. A filter script accepts two inputs — a string representing permitted arguments, and a string representing the command arguments specified by the user with the runlpcmd command. The job of the filter script is to determine if the specified arguments are acceptable based on the permitted arguments.
- The FilterArg resource attribute is a character string that specifies the permitted arguments. This does not necessarily specify all the arguments allowed by the resource's command. Rather, it specifies the arguments that are permitted to be specified for the command when it is executed through LPRM using that particular resource.
When a user attempts to run a command using runlpcmd, the filter script is run first. If the filter script indicates the user-specified arguments are not permitted, LPRM will not run the command. If the filter script indicates the user-specified arguments are permitted, LPRM will run the command.
The FilterScript resource attribute value may be an empty string, indicating there is no filter script to run for the command.
[root@ms_node]# lslpcmd rpower_bld
Name = rpower_bld
ActivePeerDomain =
CheckSum = 2480571332
CommandPath = /opt/csm/bin/rpower
ControlFlags = 1
Description =
FilterArg = -n node1,node2,node3
FilterScript = /opt/csm/samples/security/CSMCmdFilter
Lock = 0
NodeNameList = {ms_node.network}
RunCmdName = rpower
[root@ms_node]# lslpracl rpower_bld
Resource ACLs for LPRM
Name Identity Permissions NodeName
rpower_bld host:bld_admin1@LOCALHOST rx ms_node.network
rpower_bld host:bld_admin2@LOCALHOST rx ms_node.network
rpower_bld host:root@LOCALHOST rwa ms_node.network
rpower_bld host:LOCALHOST r ms_node.network
[root@ms_node]# lslpcmd rpower_prod
Name = rpower_prod
ActivePeerDomain =
CheckSum = 2480571332
CommandPath = /opt/csm/bin/rpower
ControlFlags = 1
Description =
FilterArg = -n node4,node5
FilterScript = /opt/csm/samples/security/CSMCmdFilter
Lock = 0
NodeNameList = {ms_node.network}
RunCmdName = rpower
[root@ms_node]# lslpracl rpower_prod
Resource ACLs for LPRM
Name Identity Permissions NodeName
rpower_prod host:prod_admin1@LOCALHOST rx ms_node.network
rpower_prod host:prod_admin2@LOCALHOST rx ms_node.network
rpower_prod host:root@LOCALHOST rwa ms_node.network
rpower_prod host:LOCALHOST r ms_node.network
[root@ms_node]# lslpcmd rpower_any
Name = rpower_any
ActivePeerDomain =
CheckSum = 592515412
CommandPath = /opt/csm/bin/rpower
ControlFlags = 1
Description =
FilterArg =
FilterScript =
Lock = 0
NodeNameList = {ms_node.network}
RunCmdName = rpower
[root@ms_node]# lslpracl rpower_any
Resource ACLs for LPRM
Name Identity Permissions NodeName
rpower_any host:root@LOCALHOST rwa ms_node.network
rpower_any host:super_admin@LOCALHOST rx ms_node.network
rpower_any host:LOCALHOST r ms_node.network
- The Resource ACL of the resource whose Name attribute has the value rpower_bld allows users bld_admin1 and bld_admin2 on the management server to execute rpower.
- The Resource ACL of the resource whose Name attribute has the value rpower_prod allows users prod_admin1 and prod_admin2 on the management server to execute rpower.
- The Resource ACL of the resource whose Name attribute has the value rpower_any allows the super_admin user on the management server to execute rpower.
Note that the rpower_any resource has an empty string value for the FilterScript attribute. This means that when a user executes the rpower command through LPRM using this resource, there are no restrictions on the arguments that may be specified. This is in contrast to the rpower_bld and rpower_prod resources, both of which specify the path name of a filter script.
For the purposes of this example, assume the CSMCmdFilter filter script expects the FilterArg value to be a specification of nodes that are permitted to be targeted by the rpower command. The value of the FilterArg attribute for the rpower_bld resource then indicates that node1, node2, and/or node3 may be targeted. The value of the FilterArg attribute for the rpower_prod resource indicates that node4 and/or node5 may be targeted.
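The following is an added example of what a filter script with the contract described above (two inputs: the permitted arguments from FilterArg and the arguments the user gave to runlpcmd; a verdict back to LPRM) and the node-list semantics assumed for CSMCmdFilter might look like. It is hypothetical illustration code, not the CSMCmdFilter sample shipped with CSM, and it assumes an interface the page does not state: the two strings arrive as positional arguments $1 and $2, and exit status 0 means "permitted" while a non-zero status means "rejected". It denies by default: a request is accepted only if it names its targets with -n, uses no other option (so that an option such as rpower's -a could not widen the target set), and every requested node appears in the permitted list, matched exactly rather than by prefix.

```shell
#!/bin/sh
# Hypothetical LPRM filter script (illustration only; not CSMCmdFilter).
# Assumed contract: $1 = FilterArg value, e.g. "-n node1,node2,node3"
#                   $2 = arguments the user passed to runlpcmd
# Exit status 0 = arguments permitted, 1 = arguments rejected.

# Print the comma-separated node list that follows the first "-n" in an
# argument string; print nothing if the string has no "-n <list>".
node_list() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -n) [ $# -ge 2 ] && printf '%s\n' "$2"; return 0 ;;
        esac
        shift
    done
    return 0
}

# filter_args PERMITTED_ARGS USER_ARGS: return 0 if every node the user
# targets is in the permitted list and no other option is present.
filter_args() {
    permitted=$(node_list "$1")
    requested=$(node_list "$2")

    # Deny by default: an empty permitted list or a request without -n is
    # rejected, as is any option other than -n (for rpower, -a would mean
    # "all nodes" and bypass the node restriction entirely).
    [ -n "$permitted" ] || return 1
    [ -n "$requested" ] || return 1
    skip=0
    for word in $2; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$word" in
            -n) skip=1 ;;          # the node list after -n is checked below
            -*) return 1 ;;        # any other option: reject
        esac
    done

    # Every requested node must match a permitted node exactly.
    old_ifs=$IFS
    IFS=,
    for node in $requested; do
        found=0
        for p in $permitted; do
            [ "$node" = "$p" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# When invoked by LPRM with the two strings, report the verdict via exit status.
if [ "$#" -eq 2 ]; then
    filter_args "$1" "$2"
    exit $?
fi
```

With the rpower_bld resource from the listing above, FilterArg is "-n node1,node2,node3", so a request of "-n node1,node3 on" is permitted while "-n node1,node4 on" and "-a on" are rejected; because the check is an exact string comparison per node, a request for "node12" is not accepted on the strength of "node1" being permitted.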
- The super_admin user can execute rpower through LPRM, targeting any managed node, using the rpower_any resource. He can do this because the Resource ACL of the resource gives him permission to execute the rpower command, and the absence of a filter script for the resource means there are no restrictions on what nodes he can target with the command.
- The bld_admin1 user can execute rpower through LPRM, targeting node1, node2, and/or node3, using the rpower_bld resource. He can execute the rpower command because the Resource ACL of the resource allows it. He is limited to targeting node1, node2, and/or node3 because of the values of the FilterScript and FilterArg attributes for the resource.
The bld_admin1 user cannot execute rpower through LPRM using any other defined resource, because the Resource ACLs of those resources do not give him permission.
- The prod_admin1 user can execute rpower through LPRM, targeting node4 and/or node5, using the rpower_prod resource. He can execute the rpower command because the Resource ACL of the resource allows it. He is limited to targeting node4 and/or node5 because of the values of the FilterScript and FilterArg attributes for the resource.
The prod_admin1 user cannot execute rpower through LPRM using any other defined resource, because the Resource ACLs of those resources do not give him permission.