19 privilege elevation – HP Systems Insight Manager User Manual

Page 85


19 Privilege elevation

Privilege elevation enables users without root privileges to run tools requiring root privileges on HP-UX, Linux,
and VMware ESX managed systems. To use this feature with Systems Insight Manager, a privilege elevation
utility such as su, sudo, or Powerbroker must be installed on the managed system. Typically, these utilities
are used to sign in as a normal user, then when you want to run a program requiring root, prefix the command
line for that program with the privilege elevation utility's executable. For example:
sudo rm /private/var/db/.setupFile
Some of these utilities can be configured to prompt the user for a password before allowing root access.

For Systems Insight Manager to run tools on managed systems using privilege elevation, Systems Insight
Manager must be configured to know which user to use to sign in to the managed systems, how to prefix
the command line that it will run, and whether or not the privilege elevation utility will prompt for a password.
This is configured either from the First Time Wizard, or from the Options menu by selecting
Options→Security→Privilege Elevation. You can configure different values of these settings for Unix and
Linux systems versus VMware ESX systems.

Once you have configured Systems Insight Manager to use privilege elevation, it determines if a tool needs
privilege elevation by looking at the tool's execute-as parameter. This is the user the tool should be run as
on the managed system. If this parameter is specified as root in the tool's tool definition file (tdef), then
Systems Insight Manager will invoke privilege elevation. If this parameter is not specified in the tdef, then
Systems Insight Manager defaults the value of execute-as to be the identity of the user invoking the tool
within Systems Insight Manager. If this user is logged in as root, then privilege elevation will also be used.

When Systems Insight Manager determines that privilege elevation should be used, it uses SSH to sign in
to the remote system with the user that was configured in the privilege elevation settings page (a specific
user, the user who is currently signed into Systems Insight Manager, or a user specified at runtime). If the
user must be specified at runtime, or if a password is required for privilege elevation, these prompts appear
on the Task Wizard page that collects any parameters necessary to run a tool. After Systems Insight Manager
is signed into the remote system through SSH, it invokes the command for the tool, prefixed by the privilege
elevation utility executable, and supplies the password if required.
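The decision and command-construction flow described in the last two paragraphs, written out as a small Python model. This is an added illustration, not HP's code: the settings values, the tdef dictionary, the tool command path and the prompt names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ElevationSettings:
    """One set of privilege elevation settings; Unix/Linux and ESX each get their own."""
    prefix: str                 # utility prepended to the tool command, e.g. "sudo"
    prompts_for_password: bool  # whether the utility asks for a password
    signin_user: Optional[str]  # SSH sign-in user; None means "specify at runtime"


# Constructed settings keyed by platform, as configured under
# Options -> Security -> Privilege Elevation. Values here are assumptions.
SETTINGS: Dict[str, ElevationSettings] = {
    "unix": ElevationSettings("sudo", prompts_for_password=True, signin_user="simuser"),
    "esx": ElevationSettings("sudo", prompts_for_password=False, signin_user=None),
}


def effective_execute_as(tdef: Dict[str, str], invoking_user: str) -> str:
    """execute-as from the tdef, defaulting to the identity of the SIM user running the tool."""
    return tdef.get("execute-as", invoking_user)


def needs_elevation(tdef: Dict[str, str], invoking_user: str) -> bool:
    """Privilege elevation is invoked only when the tool must run as root."""
    return effective_execute_as(tdef, invoking_user) == "root"


def task_wizard_prompts(platform: str, tdef: Dict[str, str], invoking_user: str) -> List[str]:
    """Extra prompts the Task Wizard has to collect before the tool can run."""
    settings = SETTINGS[platform]
    prompts: List[str] = []
    if settings.signin_user is None:
        prompts.append("ssh-user")  # sign-in user chosen at runtime
    if needs_elevation(tdef, invoking_user) and settings.prompts_for_password:
        prompts.append("elevation-password")
    return prompts


def remote_command(platform: str, tdef: Dict[str, str], invoking_user: str) -> str:
    """Command line SIM runs over SSH: prefixed by the utility only when elevation applies."""
    command = tdef["command"]
    if needs_elevation(tdef, invoking_user):
        return f"{SETTINGS[platform].prefix} {command}"
    return command
```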
