2 Intern

70 Posts

December 1st, 2008 12:00

Securing SYMCLI?

Is it possible to secure the SYMCLI such that the root account on a UNIX host has access to run certain commands, but not others? In order to use VCS global clustering with the SRDF agent, the UNIX hosts themselves need to run the symrdf commands to failover, swap and establish the SRDF pairs. I want to limit root's privileges to only those commands though. As is, anyone who has access to the system as root has full access to our DMX.

In our environment, only a subset of the UNIX team is allowed to work on the storage side. The problem is that with Solutions Enabler installed (6.5.2) and access to the gatekeepers, we don't have anything in place other than me telling them they aren't allowed to stop someone from clowning around.

56 Posts

December 2nd, 2008 00:00

As you have noticed, by default any administrator of any host connected to a DMX has full administrative access to the DMX. (This even applies when the host doesn't have any gatekeepers; this administrative access will also work over normal devices!)

To solve this, you need to implement SymACL on your DMX. Using SymACL, you can tell the DMX to only accept certain commands from certain hosts. You can also restrict some types of commands on a device level, i.e. you can set things up such that host X can only perform SRDF operations on devices 0100-010F, for example. Since SymACL operates on a host level, it can restrict all users on that host, even root. Also, because the DMX decides which commands it'll accept, it doesn't matter which Solutions Enabler is installed (a full version, or a monitoring-only version).

(Shameless plug: I've submitted a paper about SymACL to the Knowledge Sharing 2008 competition. It will be published mid-February on http://education.emc.com/cust/certification/benefits/ks.aspx.)

Symauth will only be useful if you trust the hosts and administrators. Symauth can authenticate and restrict access on a user basis. However, using symauth the host will send the user name to the DMX, and the DMX trusts this information. Also, often administrators can easily impersonate other users on the system, thereby possibly gaining access they shouldn't have.

11 Legend

20.4K Posts

December 1st, 2008 14:00

Take a look at using symacl and/or symauth. I am still waiting on symcli to give me more granular control; for example, I want to give somebody permissions to establish clones but not restore.

6 Operator

5.7K Posts

December 2nd, 2008 03:00

I've created an RFE for this granularity!