Re: [OpenIndiana-discuss] LSI 9211 and multipath
Has anyone tried multipath on a single lsi 9211-8i to a dual port backplane? I have the controller connected to a SM 847E26 and although I see two of every disk (before and after enabling multipath), it doesn't seem to be quite working. The 9211 is using IR mode, so I can get the ses support.

stmsboot -L
stmsboot: No STMS devices have been found

mpathadm list initiator-port
Initiator Port: w500605b0035b6420
Initiator Port: w500605b0035b6420
Initiator Port: iqn.1986-03.com.sun:01:6b3db0fb.4df8134d,402a00ff

format output:

AVAILABLE DISK SELECTIONS:
0. c1t5000C5000A85BA8Ad0 alt 2 hd 255 sec 63>
   /pci@0,0/pci8086,4027@7/pci8086,3500@0/pci8086,3510@0/pci1000,3020@0/iport@f/disk@w5000c5000a85ba8a,0
1. c1t5000C5000A85D446d0 alt 2 hd 255 sec 63>
   /pci@0,0/pci8086,4027@7/pci8086,3500@0/pci8086,3510@0/pci1000,3020@0/iport@f/disk@w5000c5000a85d446,0
2. c2t5000C5000A85BA89d0 alt 2 hd 255 sec 63>
   /pci@0,0/pci8086,4027@7/pci8086,3500@0/pci8086,3510@0/pci1000,3020@0/iport@f0/disk@w5000c5000a85ba89,0
3. c2t5000C5000A85D445d0 alt 2 hd 255 sec 63>
   /pci@0,0/pci8086,4027@7/pci8086,3500@0/pci8086,3510@0/pci1000,3020@0/iport@f0/disk@w5000c5000a85d445,0

So there are definitely two paths, via two different adapter ports, to each of the two disks installed. I have tried turning on multipath in the controller, but no change.

One thing I'm not sure of is should the target port for a disk be the same for both paths?

disk, instance #1
    name='inquiry-serial-no' type=string items=1 dev=none
        value='3LQ3C4489846NZ8H'
    name='target-port' type=string items=1
        value='w5000c5000a85d446'
disk, instance #3
    name='inquiry-serial-no' type=string items=1 dev=none
        value='3LQ3C4489846NZ8H'
    name='target-port' type=string items=1
        value='w5000c5000a85d445'

Mark.

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] User roles and acting as root
On Jun 14, 2011, at 1:35 PM, Gabriele Bulfon wrote:

> Up until OpenSolaris, my first and only command was some "enters" on a "#".
> Just root, and just commands, for a life.
> Now I had times with opensolaris wanting me to pfexec everything.
> On OpenIndiana pfexec behaves differently and does not run privileged as it
> did on OSol.
> And, after all, sudo just asks for your password once, and it's done
> forever
> At least for the "first" user you configure on OI.
> Where is security here??

sudo "remembers" that you entered your password, and as long as you repeat additional sudo commands within the allowable time period, you do not have to enter the password again. However, if you wait until that allowable time period expires then sudo will prompt you for a password again (unless you changed sudoers to not prompt for passwords again).

I don't know why (I remember reading about it, but have since forgotten) pfexec in OI behaves differently than it did for OS. It didn't matter to me since sudo worked, but I preferred pfexec since I had become accustomed to using it in OS, so I usually make my user primary administrator so pfexec works again. It's a bit of a 2x4 approach, but it makes me happy. I'm sure there are better/more elegant ways to accomplish the same thing.

As for why I prefer pfexec to sudo, I don't really have a clear, rational answer. It's my understanding pfexec works within the solaris/oi roles system while sudo is just a pure password privilege escalation. I probably have that wrong, so welcome correction.

As for security from sudo - it all depends on how you use it. In the default form as installed the password has to be used to escalate privileges initially and for a limited window of time. Assuming any compromise is not the result of password compromise, it slows down the attacker's effectiveness. Where sudo really shines, imo, is the ability to designate safe commands that others can run.

Consider a group of developers given access to a test or staging server. The developers are not given carte blanche to do anything they want on the server, but they do need the ability to restart some app or service, such as apache. Using sudo you can allow them to do "apachectl start", "apachectl restart", "apachectl graceful", and "apachectl configtest" as the super user, without permitting them to run any other command or apachectl with any other options than the ones listed. It's a powerful tool for being able to fine tune exactly what commands and options users are allowed to do with escalated privileges.

Greg

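The restriction described in the message above, written out as a sudoers fragment. This is an added example, not part of the original post or of OpenIndiana's shipped configuration; the group name devs, the file name and the path /usr/sbin/apachectl are assumptions to adjust for the local system.

```sudoers
# Added example. Assumed file: /etc/sudoers.d/devs-apache
# Edit it with "visudo -f <file>" so a syntax error cannot lock sudo out.
# Assumed names: Unix group "devs", apachectl installed at /usr/sbin/apachectl.

# The "allowable time period" from the message: minutes that a successful
# password entry stays valid for members of devs. 0 means prompt every time.
Defaults:%devs timestamp_timeout=5

# The four invocations named in the message. A command listed together with
# arguments matches only that exact argument list, so "apachectl stop" or
# "apachectl -f /tmp/other.conf" is refused.
Cmnd_Alias APACHE_CTL = /usr/sbin/apachectl start, \
                        /usr/sbin/apachectl restart, \
                        /usr/sbin/apachectl graceful, \
                        /usr/sbin/apachectl configtest

# Members of devs may run those commands as root, on any host, after
# entering their own password.
%devs ALL = (root) APACHE_CTL

# Broader forms, left commented out for comparison:
#
# A bare path with no arguments allows apachectl with ANY arguments:
#   %devs ALL = (root) /usr/sbin/apachectl
#
# Every command as any user with no password prompt, which is equivalent
# to handing out a root shell:
#   %devs ALL = (ALL) NOPASSWD: ALL
```

After installing the file, `sudo -l -U <user>` run as root lists what a given member of the group is allowed to execute.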
Re: [OpenIndiana-discuss] User roles and acting as root
Up until OpenSolaris, my first and only command was some "enters" on a "#".
Just root, and just commands, for a life.
Now I had times with opensolaris wanting me to pfexec everything.
On OpenIndiana pfexec behaves differently and does not run privileged as it did on OSol.
And, after all, sudo just asks for your password once, and it's done forever
At least for the "first" user you configure on OI.
Where is security here??

--
From: Dan Swartzendruber
To: Discussion list for OpenIndiana
Date: 14 June 2011 20.54.35 CEST
Subject: Re: [OpenIndiana-discuss] User roles and acting as root

Ken Gunderson wrote:

Which is useful in environments where you have jr. sysadmins, backup operators, etc., i.e. different roles, not all of which you want/trust to have full root access, so tasks can be limited to only those necessary to fulfill that role.

On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...

The point being here, that while sudo does have its place, it's not the magic bullet some would have us believe it is.

Agreed. In general, my first and only command (as myself) after logging in, is: 'sudo -i'.

Re: [OpenIndiana-discuss] User roles and acting as root
Ken Gunderson wrote:

Which is useful in environments where you have jr. sysadmins, backup operators, etc., i.e. different roles, not all of which you want/trust to have full root access, so tasks can be limited to only those necessary to fulfill that role.

On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...

The point being here, that while sudo does have its place, it's not the magic bullet some would have us believe it is.

Agreed. In general, my first and only command (as myself) after logging in, is: 'sudo -i'.

Re: [OpenIndiana-discuss] User roles and acting as root
On Tue, 2011-06-14 at 11:23 -0700, Alan Coopersmith wrote:

> On 06/14/11 10:05 AM, Gabriele Bulfon wrote:
> > Thanx for your reply,
> > I understand the security issue.
> > But, is it so much more secure when you can just sudo commands?
> > Where is the difference?
>
> With sudo, you choose to only run commands that need extra privileges
> with those privileges - most of the commands a normal user runs don't
> need that, so why use it and run the risk of either operator error
> or buggy software doing more damage than normal?
>

Which is useful in environments where you have jr. sysadmins, backup operators, etc., i.e. different roles, not all of which you want/trust to have full root access, so tasks can be limited to only those necessary to fulfill that role.

On boxes where I, or one or two others I know and trust, are the only admin(s), I find sudo a complete pita and never use it. When I want root it's because I need to get something done and sudo just gets in my way and adds unnecessary typing w/o any benefit - if I'm going to make a typo or brain fart so bad as to blow up the box, sudo is not going to save me. Much better to actually have a # in your prompt and adhere to the old sysadmin adage of sitting on your hands for 5 seconds before hitting enter...

The point being here, that while sudo does have its place, it's not the magic bullet some would have us believe it is.

--
Regards--
Ken Gunderson

Re: [OpenIndiana-discuss] User roles and acting as root
On 06/14/11 10:05 AM, Gabriele Bulfon wrote:

> Thanx for your reply,
> I understand the security issue.
> But, is it so much more secure when you can just sudo commands?
> Where is the difference?

With sudo, you choose to only run commands that need extra privileges with those privileges - most of the commands a normal user runs don't need that, so why use it and run the risk of either operator error or buggy software doing more damage than normal?

--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Platform Engineering: X Window System

Re: [OpenIndiana-discuss] User roles and acting as root
On 6/14/11 1:10 PM, Ignacio Marambio Catán wrote:

Sudo asks for a password even if it is the user's password

Well, it *can*, but that's not universally true. You can have it prompt for a password or not.

Re: [OpenIndiana-discuss] User roles and acting as root
Sudo asks for a password even if it is the user's password

On Tue, Jun 14, 2011 at 2:05 PM, Gabriele Bulfon wrote:

> Thanx for your reply,
> I understand the security issue.
> But, is it so much more secure when you can just sudo commands?
> Where is the difference?
> Thanx
> --
> From: Ignacio Marambio Catán
> To: Discussion list for OpenIndiana
> Date: 14 June 2011 17.52.39 CEST
> Subject: Re: [OpenIndiana-discuss] User roles and acting as root
> give your user the Primary Administrator profile and then assign him a
> profile shell like pfksh.
> need i say this is insecure?
> nacho
> On Tue, Jun 14, 2011 at 12:49 PM, Gabriele Bulfon
> wrote:
> Hi, I was trying to figure out how to let the default install user (sonicle,
> in my case) be able
> to run commands as root completely, with no pfexec nor sudo.
> The user has a root role, in the user_attr file.
> If not possible, how can I enable root login normally?
> I tried commenting out the "root" role from user_attr, but the system went
> into maintenance mode
> I had to put it back to have the machine normal again.
> Gabriele.

Re: [OpenIndiana-discuss] User roles and acting as root
Thanx for your reply,
I understand the security issue.
But, is it so much more secure when you can just sudo commands?
Where is the difference?
Thanx

--
From: Ignacio Marambio Catán
To: Discussion list for OpenIndiana
Date: 14 June 2011 17.52.39 CEST
Subject: Re: [OpenIndiana-discuss] User roles and acting as root

give your user the Primary Administrator profile and then assign him a profile shell like pfksh.
need i say this is insecure?

nacho

On Tue, Jun 14, 2011 at 12:49 PM, Gabriele Bulfon wrote:

Hi, I was trying to figure out how to let the default install user (sonicle, in my case) be able to run commands as root completely, with no pfexec nor sudo.
The user has a root role, in the user_attr file.
If not possible, how can I enable root login normally?
I tried commenting out the "root" role from user_attr, but the system went into maintenance mode
I had to put it back to have the machine normal again.
Gabriele.

Re: [OpenIndiana-discuss] User roles and acting as root
give your user the Primary Administrator profile and then assign him a profile shell like pfksh.
need i say this is insecure?

nacho

On Tue, Jun 14, 2011 at 12:49 PM, Gabriele Bulfon wrote:

> Hi, I was trying to figure out how to let the default install user (sonicle,
> in my case) be able
> to run commands as root completely, with no pfexec nor sudo.
> The user has a root role, in the user_attr file.
> If not possible, how can I enable root login normally?
> I tried commenting out the "root" role from user_attr, but the system went
> into maintenance mode
> I had to put it back to have the machine normal again.
> Gabriele.

[OpenIndiana-discuss] User roles and acting as root
Hi, I was trying to figure out how to let the default install user (sonicle, in my case) be able to run commands as root completely, with no pfexec nor sudo.
The user has a root role, in the user_attr file.
If not possible, how can I enable root login normally?
I tried commenting out the "root" role from user_attr, but the system went into maintenance mode
I had to put it back to have the machine normal again.
Gabriele.

Re: [OpenIndiana-discuss] Illumos / OpenIndiana podcast
On 06/14/2011 04:51 AM, Dave Koelmeyer wrote:

Garrett D'Amore has just posted a link to this:

http://systemhelden.com/heldenfunk/2011/06/hf059-illumos-openindiana-niche11

Good listening, nice to hear a bit about the background of the founders.

Starting now. For anyone who doesn't understand German, it's all good, just keep listening to the interviews.

Jamon

[OpenIndiana-discuss] Illumos / OpenIndiana podcast
Garrett D'Amore has just posted a link to this:

http://systemhelden.com/heldenfunk/2011/06/hf059-illumos-openindiana-niche11

Good listening, nice to hear a bit about the background of the founders.

--
Dave Koelmeyer
http://davekoelmeyer.wordpress.com/