21 privilege elevation – HP Systems Insight Manager User Manual


21 Privilege elevation

Privilege elevation enables users without root privileges to run tools requiring root privileges on
HP-UX, Linux, and VMware ESX managed systems. To use this feature with HP SIM, a privilege
elevation utility such as su, sudo, or Powerbroker must be installed on the managed system. Typically,
you use these utilities by signing in as a normal user and then, when you want to run a program requiring
root, prefixing that program's command line with the privilege elevation utility's executable, for
example sudo rm /private/var/db/.setupFile. Some of these utilities can be configured
to prompt the user for a password before allowing root access.

For HP SIM to run tools on managed systems using privilege elevation, HP SIM must be configured
to know which user to use to sign in to the managed systems, how to prefix the command line that
it will run, and whether or not the privilege elevation utility will prompt for a password. This is
configured either from the First Time Wizard, or from the Options menu by selecting
Options→Security→Privilege Elevation. You can configure different values of these settings
for Unix and Linux systems versus VMware ESX systems.

Once you have configured HP SIM to use privilege elevation, it determines if a tool needs privilege
elevation by looking at the tool's execute-as parameter. This is the user the tool should be run as
on the managed system. If this parameter is specified as root in the tool's tool definition file (tdef),
then HP SIM will invoke privilege elevation. If this parameter is not specified in the tdef, then HP
SIM defaults the value of execute-as to be the identity of the user invoking the tool within HP
SIM. If this user is logged in as root, then privilege elevation will also be used.

When HP SIM determines that privilege elevation should be used, it uses SSH to sign in to the
remote system with the user that was configured in the privilege elevation settings page (a specific
user, the user who is currently signed into HP SIM, or a user specified at runtime). If the user must
be specified at runtime, or if a password is required for privilege elevation, these prompts appear
on the Task Wizard page that collects any parameters necessary to run a tool. After HP SIM is
signed into the remote system through SSH, it invokes the command for the tool, prefixed by the
privilege elevation utility executable, and supplies the password if required.
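The decision described in the last two paragraphs, modelled as an added example (not HP SIM code): the tdef is represented as a dict whose field names, the shape of the Privilege Elevation settings, and the sentinel values for "current user" and "specified at runtime" are assumptions.

```python
"""Model of HP SIM's documented privilege-elevation decision for one tool run.
Added illustration, not HP SIM code; tdef/settings field names are assumed."""
from dataclasses import dataclass
from typing import Optional

CURRENT_USER = "<current HP SIM user>"   # assumed sentinels for the two
RUNTIME_USER = "<specified at runtime>"  # non-specific sign-in choices


@dataclass
class ElevationSettings:
    """Values from Options > Security > Privilege Elevation (assumed shape)."""
    prefix: str                 # utility executable prepended to the command, e.g. "sudo"
    sign_in_user: str           # a named account, CURRENT_USER or RUNTIME_USER
    prompts_for_password: bool  # does the utility ask for a password?


@dataclass
class ToolRun:
    sign_in_as: Optional[str]  # account HP SIM uses over SSH (None if asked at runtime)
    needs_elevation: bool
    prompt_for_user: bool      # Task Wizard must collect the sign-in user
    prompt_for_password: bool  # Task Wizard must collect the elevation password
    remote_command: str        # command line actually invoked over SSH


def resolve_execute_as(tdef: dict, invoking_user: str) -> str:
    """execute-as from the tdef; when absent, it defaults to the invoking HP SIM user."""
    return tdef.get("execute-as") or invoking_user


def plan_tool_run(tdef: dict, invoking_user: str,
                  settings: ElevationSettings) -> ToolRun:
    execute_as = resolve_execute_as(tdef, invoking_user)
    if execute_as != "root":
        # No elevation. The page does not say how HP SIM signs in for this case;
        # signing in as the execute-as user itself is assumed here.
        return ToolRun(execute_as, False, False, False, tdef["command"])
    # Elevation: pick the SSH sign-in user according to the settings page.
    if settings.sign_in_user == CURRENT_USER:
        sign_in_as, ask_user = invoking_user, False
    elif settings.sign_in_user == RUNTIME_USER:
        sign_in_as, ask_user = None, True
    else:
        sign_in_as, ask_user = settings.sign_in_user, False
    # The tool command is prefixed with the configured utility executable.
    return ToolRun(sign_in_as, True, ask_user, settings.prompts_for_password,
                   f"{settings.prefix} {tdef['command']}")
```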
