21 privilege elevation – HP Systems Insight Manager User Manual

Page 103

21 Privilege elevation

Privilege elevation enables users without root privileges to run tools requiring root privileges on
HP-UX, Linux, and VMware ESX managed systems. To use this feature with Systems Insight Manager,
a privilege elevation utility such as su, sudo, or Powerbroker must be installed on the managed
system. Typically, you sign in as a normal user and, when you want to run a program requiring root,
prefix that program's command line with the privilege elevation utility's executable, for example
sudo rm /private/var/db/.setupFile. Some of these utilities can be configured to prompt the user
for a password before allowing root access.

For Systems Insight Manager to run tools on managed systems using privilege elevation, Systems
Insight Manager must be configured to know which user to use to sign in to the managed systems,
how to prefix the command line that it will run, and whether or not the privilege elevation utility
will prompt for a password. This is configured either from the First Time Wizard, or from the Options
menu by selecting Options→Security→Privilege Elevation. You can configure different values of
these settings for Unix and Linux systems versus VMware ESX systems.

Once you have configured Systems Insight Manager to use privilege elevation, it determines if a
tool needs privilege elevation by looking at the tool's execute-as parameter. This is the user the
tool should be run as on the managed system. If this parameter is specified as root in the tool's
tool definition file (tdef), then Systems Insight Manager will invoke privilege elevation. If this
parameter is not specified in the tdef, then Systems Insight Manager defaults the value of
execute-as to be the identity of the user invoking the tool within Systems Insight Manager. If
this user is logged in as root, then privilege elevation will also be used.

When Systems Insight Manager determines that privilege elevation should be used, it uses SSH to
sign in to the remote system with the user that was configured in the privilege elevation settings
page (a specific user, the user who is currently signed into Systems Insight Manager, or a user
specified at runtime). If the user must be specified at runtime, or if a password is required for
privilege elevation, these prompts appear on the Task Wizard page that collects any parameters
necessary to run a tool. After Systems Insight Manager is signed into the remote system through
SSH, it invokes the command for the tool, prefixed by the privilege elevation utility executable,
and supplies the password if required.
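The following shell script is an added example, not code from the HP manual or from the Systems Insight Manager product. It models the execute-as decision and command prefixing described above (explicit execute-as of root, or execute-as unset and the invoking user root, triggers elevation) and prints a constructed sudoers fragment that restricts the sign-in account to specific tools rather than granting ALL. The account name simuser, the tool paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the HP Systems Insight Manager manual.
# Models how SIM decides whether a tool needs privilege elevation and how the
# remote command line is prefixed with the configured elevation utility.

# needs_elevation EXECUTE_AS INVOKING_USER
# Prints "yes" when the tool must run as root: either execute-as is explicitly
# root in the tdef, or execute-as is unset (empty) and the invoking SIM user is root.
needs_elevation() {
    execute_as="$1"
    invoking_user="$2"
    # An unset execute-as defaults to the identity of the invoking user.
    effective_user="${execute_as:-$invoking_user}"
    if [ "$effective_user" = "root" ]; then
        echo yes
    else
        echo no
    fi
}

# build_remote_command EXECUTE_AS INVOKING_USER PREFIX COMMAND
# Prints the command line SIM would run over SSH: the tool command prefixed by
# the configured elevation utility (e.g. sudo) only when elevation is required.
build_remote_command() {
    execute_as="$1"
    invoking_user="$2"
    prefix="$3"
    cmd="$4"
    if [ "$(needs_elevation "$execute_as" "$invoking_user")" = "yes" ]; then
        printf '%s %s\n' "$prefix" "$cmd"
    else
        printf '%s\n' "$cmd"
    fi
}

# Constructed sudoers fragment (assumed account "simuser", assumed tool paths).
# It grants root only for the listed tools and keeps the password prompt, so the
# Task Wizard must supply the password rather than the account running anything as root.
sudoers_fragment() {
    cat <<'EOF'
# Allow the SIM sign-in account to run only the listed tools as root.
Cmnd_Alias SIM_TOOLS = /usr/sbin/hpasmcli, /opt/hp/tools/collect.sh
simuser ALL=(root) SIM_TOOLS
EOF
}

# Stand-alone demonstration of the decision table and resulting command lines.
demo() {
    for case in "root admin" " admin" " root" "oracle root"; do
        set -- $case
        printf 'execute-as=%-6s invoking=%-6s elevate=%s\n' \
            "${1:-(unset)}" "$2" "$(needs_elevation "$1" "$2")"
    done
    build_remote_command root admin sudo 'df -k /'
    sudoers_fragment
}

[ "${1:-}" = "demo" ] && demo
```

Running the script with the argument demo prints one line per case from the decision table, the prefixed command for a root tool, and the sudoers fragment. The fragment is the shape a defender wants on the managed system: a command alias instead of ALL, and no NOPASSWD, so the password requirement described above stays in force.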
