sysmgr(1M)                                                          sysmgr(1M)


NAME
     sysmgr - System Manager - Access to Desktop System Administration

SYNOPSIS
     /usr/sysadm/bin/sysmgr

DESCRIPTION
     The sysmgr command is available from the Desktop Toolchest and allows the
     user to access Desktop System Administration Managers and Active Guides.
     This document provides an overview of the Desktop System Administration
     model and describes how to use the System Manager.

     IRIX 6.5.14 updates the System Manager appearance to adhere to modern SGI
     branding guidelines (layout, colors, and font), but System Manager
     functionality is the same.

   Graphical Components
     Desktop System Administration is made up of several graphical components:

     Manager
          Displays the icons for a set of similar objects on the system.  For
          example, the Disk Manager displays one icon for each disk on the
          system.  These icons may be dragged onto the Desktop for future
          access.  Each Manager also provides access to the common tasks that
          can be performed on the icons it displays.  For example, from the
          User Manager the user can add a new user account, change an account
          password, or delete a user account. These tasks appear in the row of
          buttons below the item icons as well as in the Task menu of the
          Manager.

     Active Guide
          A graphical interface that steps the user through a specific System
          Administration task.  For example, the Add a Modem Guide assists the
          user in setting up the system to recognize and use a modem that has
          been attached to this system.  No changes will be made to the system
          until the user has filled in all of the required information and
          pressed the "OK" button.  All changes to the system made through
          Desktop System Administration software will be logged to
          /var/sysadm/salog and can be viewed by the System Administration Log
          Viewer viewlog(1M).  See below for information about privileges and
          system security.

     Status Panel
          Displays detailed information about a specific object on this
          system. For example, if the user selects a disk icon in the Disk
          Manager and presses the "Get Info..." button, a Status Panel will be
          displayed that provides additional information about the disk. (The
          user can also select an icon on the Desktop and select "Get Info"
          from the right-mouse-button menu to display the Status Panel). Each
          Status Panel also provides access to common tasks that can be
          performed on the selected item.


   Privileges
     The Privileges mechanism gives the system administrator fine-grain
     control over which users can access the System Administration tasks. root
     is the Administrator account of the system. root has the ability to grant
     specific privileges to users so that they can perform a limited set of
     System Administration tasks, or root can designate a user as privileged
     which allows that user to perform any System Administration task.  If
     there is no root password on the system, all users are considered to be
     privileged users.

     When a user attempts to launch a Manager or Active Guide which requires
     privileges and the user has been granted that specific privilege or is a
     privileged user, the item is launched.  If the user is not privileged, a
     dialog will appear.  The user must enter the root password to proceed,
     and has the option of permanently gaining privileges for this item (if
     the root password entered is correct).

     The graphical components of the Desktop System Administration software do
     not administer the system directly.  Instead, they use runpriv(1M) to
     execute the desired commands.  This eliminates the need for the graphical
     components to be setuid root and thus eliminates a class of possible
     attacks on the system.

     The following setuid root programs implement the privilege mechanism.

     runpriv(1M)
          Runs privileged operations on behalf of a non-root privileged user.

     checkpriv(1M)
          Checks the privileged database to see if a non-root user has a
          particular privilege.  This needs to be setuid root because it
          needs to be able to determine whether there is a root password on
          the system, and on systems this means consulting /etc/shadow which
          is typically not readable by non-root users.

     The following setuid root programs maintain the privilege database.  They
     are setuid root so they can do their work when a non-root user runs them
     and supplies the root password.  This allows a non-root user to use the
     graphical user interface PrivilegeManager(1M) to add and remove
     privileges if that user can supply the root password.  The ability to
     change the privilege database is not a privilege; root cannot assign
     privilege database capabilities to non-root users.

     addpriv(1M)
          Adds privileges to a user.

     rmpriv(1M)
          Removes privileges from a user.

     addprivuser(1M)
          Makes a user fully privileged.  A fully privileged user has all
          system administration privileges.


     rmprivuser(1M)
          Removes a user's fully privileged status.

     adddefpriv(1M)
          Makes a privilege a default privilege, which means that any user can
          use it.  The system comes configured with several default privileges
          which enable non-root users to find out information such as what
          filesystems are on what disks.  See PrivilegeManager(1M) for the
          list of default privileges on the system.

     rmdefpriv(1M)
          Removes a privilege's default privilege status.

     For example, if the administrator wishes to allow user "pat" to add and
     remove modems on the system, the administrator could use the command:
     '/usr/sysadm/bin/addpriv pat addmodem deletemodem'.  The administrator
     could also use the PrivilegeManager(1M) graphical interface.  See the
     above referenced man pages for more details.

     There is also a chkconfig(1M) option that controls whether privileges are
     enabled.  If root runs chkconfig privileges off, non-root users will not
     be able to perform system administration tasks unless they can provide the
     root password.  If the administrator wishes to disable that functionality
     as well, the setuid bits can be removed from the six programs described
     above and the privilege mechanism will be completely disabled.

     addpriv and rmpriv support the -chkconfig option for running chkconfig to
     turn privileges on or off.
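
     The following audit script is an added example, not part of the original
     man page or of the sysadmdesktop product.  It checks the two conditions
     described above: an empty root password, and the setuid state of the
     eight programs listed as setuid root.  The directory holding the programs,
     the passwd/shadow-format file, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the man page): audit the privilege mechanism's posture.
# Program names are the eight setuid root programs the page lists; the directory
# holding them and the passwd/shadow-format file are arguments (assumptions).

PRIV_PROGS="runpriv checkpriv addpriv rmpriv addprivuser rmprivuser adddefpriv rmdefpriv"

# root_pw_state FILE: print "empty", "set" or "unknown" for root's password
# field (field 2 of a passwd(4)/shadow(4)-style line).
root_pw_state() {
    if [ ! -r "$1" ]; then echo unknown; return 0; fi
    awk -F: '$1 == "root" { found = 1; print ($2 == "" ? "empty" : "set"); exit }
             END { if (!found) print "unknown" }' "$1"
}

# setuid_state DIR: print "<program> <state>" per program, where state is
# missing, plain (no setuid bit), setuid, or setuid-writable (setuid and
# writable by group or other).
setuid_state() {
    for p in $PRIV_PROGS; do
        f="$1/$p"
        if [ ! -e "$f" ]; then
            echo "$p missing"
        elif [ ! -u "$f" ]; then
            echo "$p plain"
        elif [ -n "$(find "$f" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
            echo "$p setuid-writable"
        else
            echo "$p setuid"
        fi
    done
}

# audit_privileges DIR PWFILE POLICY: print one FINDING line per problem.
# POLICY is "enabled" (mechanism in use) or "disabled" (the administrator
# removed the setuid bits, so none may remain).
audit_privileges() {
    case "$(root_pw_state "$2")" in
        empty)   echo "FINDING: root has no password, every user is treated as privileged" ;;
        unknown) echo "FINDING: cannot read a root entry in $2" ;;
    esac
    setuid_state "$1" | while read -r prog state; do
        case "$state" in
            setuid-writable)
                echo "FINDING: $prog is setuid and writable by group or other" ;;
            setuid)
                if [ "$3" = disabled ]; then
                    echo "FINDING: $prog is still setuid"
                fi ;;
        esac
    done
    return 0
}
```

     Source the file as root and call audit_privileges with the directory that
     holds the programs (the page shows addpriv under /usr/sysadm/bin), the
     file that stores the root password hash, and the intended policy.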

   Using System Manager
     sysmgr displays a window divided into two vertical columns.  The column
     on the left is the Table of Contents, listing the categories of System
     Administration Managers and Active Guides available to the user.  To
     display a category in the right-hand column, click on the hypertext name
     of the category.

     The right-hand column of System Manager displays the current category.
     It contains a brief description of the category, and lists each Manager
     and Active Guide.  To launch a Manager or Active Guide, use the mouse to
     click on the hypertext title or icon of the item.  You may also drag the
     icon for the item onto the Desktop for future use.

     sysmgr uses runcatalog(1M) to launch Managers and runtask(1M) to launch
     Active Guides.  The items are launched in the background as separate
     processes, so it is possible to interact with System Manager while a
     Manager or Active Guide is up and running.  Only one copy of a particular
     Manager or Active Guide will run on the system at any given time.  If you
     attempt to launch an item that is already running, it will be opened and
     raised to the top of the window hierarchy.


     sysmgr comprises several categories:

     Overview
          The Overview describes the set of categories available in System
          Manager.

     About This System
          The document for this category is generated by the system at the
          time the user requests it.  The document is generated by the cgi-bin
          script /var/www/cgi-bin/ghinv/ghinvMain, which enhances and adds to
          the output from the hinv(1) command.

     Search
          This section allows the user to do a keyword search on the Managers
          and Active Guides that can be launched via System Manager.  The
          search looks at a pre-defined set of keywords that has been defined
          for each Manager or Active Guide rather than looking at the text in
          System Manager.  If a match is found, the title of the System
          Manager page where the item resides is displayed along with the item
          icon and title so that the item can be launched directly from the
          search results.

     Software
          This category displays the set of Managers and Active Guides that
          allow the user to install software and obtain software licenses.
          For more information, see swmgr(1M) and LicenseManager(1M).

     Hardware and Devices
          This category displays the set of Managers and Active Guides that
          allow the user to add or remove devices on this system.  Devices
          include modems, MIDI devices, printers, mouse pointers, and tablets.
          For more information, see printers(1M), SerialDeviceManager(1M),
          addSerialDevice(1M), deleteSerialDevice(1M), addModem(1M),
          deleteModem(1M), DiskManager(1M), initDisk(1M), mountfs(1M),
          umountfs(1M), verifyDisk(1M), xlvCreateLV(1M), xlvExtend(1M),
          xlvDelete(1M), xlvShow(1M), mkfsXfs(1M), getDiskInfo(1M),
          RemovableMediaManager(1M), formatRMedia(1M),
          shareRemovableMedia(1M), unshareRemovableMedia(1M),
          monitorRemovableMedia(1M), unmonitorRemovableMedia(1M).

     Security and Access Control
          This category displays the set of Managers and Active Guides that
          allow the user to add and remove user accounts and set the level of
          security on this system.  For more information, see
          SecureSystem(1M), UserManager(1M), addUserAccount(1M),
          checkPassword(1M), deleteUserAccount(1M), modifyUserAccount(1M),
          configAutoLogin(1M), updateclogin(1M), permissions(1M),
          modifyPermissionsAndOwnership(1M), sharemgr(1M), sharefs(1M),
          unsharefs(1M), shareRemovableMedia(1M), unshareRemovableMedia(1M),
          sharePrinters(1M), unsharePrinters(1M), PrivilegeManager(1M),
          addpriv(1M), addprivuser(1M), rmpriv(1M), rmprivuser(1M).


     Network and Connectivity
          This category displays the set of Managers and Active Guides that
          allow the user to set up connections to the local network and to the
          Internet.  For more information, see NetIfManager(1M),
          configNetIf(1M), configec0state(1M), configdefaultRoute(1M),
          configipforwardstate(1M), setNameServers(1M), nisSetup(1M),
          configResolver(1M), nfsSetup(1M), ypfiles(4), filesystems(4),
          sharefinder(1M), getExportList(1M), listPrinters(1M),
          FilesystemManager(1M), listAllDiskFS(1M), mountfs(1M), umountfs(1M),
          setFsNotifyLevel(1M), xlvShow(1M), HostManager(1M), addHost(1M),
          deleteHost(1M), ISDNManager(1M), execisdnconf(1M), execisdnstat(1M),
          setisdnparm(1M), stopisdnd(1M), PPPManager(1M), addpppin(1M),
          addpppout(1M), deleteppp(1M), execppp(1M), getallpppinisdn(1M),
          getallpppinmodem(1M), getallpppoutisdn(1M), getallpppoutmodem(1M),
          getpppin(1M), getpppout(1M), removepppin(1M), removepppout(1M),
          stopppp(1M).

     Files and Data
          This category displays the set of Managers and Active Guides that
          allow the user to backup and restore the data on this system.  For
          more information, see FilesystemManager(1M), listAllDiskFS(1M),
          mountfs(1M), umountfs(1M), setFsNotifyLevel(1M), xlvCreateLV(1M),
          xlvDelete(1M), xlvShow(1M), BackupAndRestoreManager(1M), backup(1M),
          restore(1M), unschedBackup(1M).

     System Performance
          This category displays the set of Managers and Active Guides that
          allow the user to monitor and tune System Performance.  For more
          information, see SwapManager(1M), addLocalFileSwap(1M),
          addVirtualSwap(1M), removeSwap(1M), ProcessManager(1M),
          listProc(1M), gmemusage(1), gr_osview(1), gr_top(1), sysmon(1M), and
          viewlog(1M).

NOTES
     The Restart System and Shut Down System tasks are not available from
     System Manager but instead can be accessed from the System tile of the
     Toolchest.  For more information on these tasks, see dtshutdown(1M).

FILES
     /usr/sysadm/
          Root directory for sysadmdesktop executables and dso's

     /usr/sysadm/adminclass/
          Contains the set of dso's for each admin class. An admin class
          monitors and administers a set of system administration objects.
          For example, SaUserAccountClass.so is responsible for monitoring,
          creating, modifying, and removing user account objects on the
          system.

     /usr/sysadm/authdso/
          Contains the set of dso's used for each type of authentication.  At
          this time, only UNIX authentication (in other words, request root
          password) is implemented.

     /usr/sysadm/bin/
          Contains the set of commands that implement the sysadmdesktop
          product.  These commands do not make changes to the target system,
          but collectively allow the user to access the tasks, managers,
          status panels, and privileged commands.  See the individual man
          pages for each command for more details.

     /usr/sysadm/privbin/
          Contains the set of privileged commands that make changes to the
          target system.  The user must be privileged (in other words, be root
          or be assigned the designated privilege) to run these commands.  See
          runpriv(1M), privileges(4), and the man pages for each privileged
          command for more details.

     /usr/sysadm/catalogdso/*.so
          Contains the dso's for each manager in the sysadmdesktop product.
          For example, SaUserAccountCatalog.so implements the User Manager.

     /usr/sysadm/catalogdf/*.cdf
          Contains a descriptor file for each manager in the sysadmdesktop
          product.  The descriptor file defines information about a manager,
          including dso name, manager name, and keywords without requiring the
          manager code itself to be loaded into memory. For example,
          SaUserAccountCatalog.cdf contains information about the User
          Manager.

     /usr/sysadm/paneldso/*.so
          Contains the dso's for each status panel in the sysadmdesktop
          product.  A status panel shows detailed information about a specific
          system object. For example, SaUserAccountPanel.so implements the
          user account status panel and will display information about a
          specific user account.  Status panels do not have a corresponding
          descriptor file.  The information describing a status panel is
          included in the relevant manager descriptor file.  For example,
          /usr/sysadm/catalogdf/SaUserAccountCatalog.cdf contains the path of
          the user account status panel dso.

     /usr/sysadm/taskdso/*.so
          Contains the dso's for each task in the sysadmdesktop product.  For
          example, SaAddUserTask.so implements the Add User Account task.

     /usr/sysadm/taskdf/*.tdf
          Contains a descriptor file for each task in the sysadmdesktop
          product.  The descriptor file defines information about a task,
          including dso name, task name, and keywords without requiring the
          task code itself to be loaded into memory.  For example,
          SaAddUserTask.tdf contains information about the Add User Account
          task.


     /usr/sysadm/taskdf/*.edf, /usr/sysadm/catalogdf/*.edf
          Contains a descriptor file for generic executable programs.  The
          descriptor file defines information about an executable, including
          icon type, executable name, and keywords without requiring the
          executable code itself to be loaded into memory.  For example,
          SaViewCPUUsageTask.edf allows sysadmdesktop components to launch
          gr_top, which is not part of the sysadmdesktop product.

     /var/sysadm/
          Root directory for sysadmdesktop configuration files.

     /var/sysadm/backups/
          Contains a list of scheduled backups.  These may be viewed with the
          Backup and Restore Manager BackupAndRestoreManager(1M).

     /var/sysadm/config/clogin.conf
          Read by clogin to determine which accounts to show or hide.  Values
          are set by the Configure Clogin task.

     /var/sysadm/config/default.cshrc, /var/sysadm/config/default.login,
     /var/sysadm/config/default.profile
          These are the default .cshrc, .login, and .profile files that are
          copied into a new home directory, as specified by
          /var/sysadm/config/newaccount.config and
          /var/sysadm/config/newhomedir.config.

     /var/sysadm/config/deleteaccount.config
          Determines what actions are taken when a user is deleted from the
          system by the Remove User Account task.  As shipped, the only action
          is to run the script /var/sysadm/config/deleteaccount.script (as
          root). See file comments for details.

     /var/sysadm/config/deleteaccount.script
          Default script invoked by /var/sysadm/config/deleteaccount.config
          when a user account is deleted from the system by the Remove User
          Account task.  As shipped, this script takes no action.  Note that
          this script will be run as root.  See file comments for details.

     /var/sysadm/config/files.config
          Lists the system files that are considered "critical" to system
          functioning and which are normally not available to sysadmdesktop
          components.  For example, the Permissions Manager will not change
          the ownership or permissions of files listed here.

     /var/sysadm/config/groups.config
          Lists default groups in /etc/group and controls how the
          sysadmdesktop product will display them.  See file comments for
          details.

     /var/sysadm/config/newaccount.config
          Determines what actions are taken when a new user account is created
          by the Add User Account task.  As shipped, the files
          /var/sysadm/config/default.* are copied into the new home directory
          (if they don't already exist) and
          /var/sysadm/config/newaccount.script is run (as root).  See file
          comments for details.

     /var/sysadm/config/newaccount.script
          Default script invoked by /var/sysadm/config/newaccount.config when
          a new user account is added to the system by the Add User Account
          task.  This script is shipped with the default action of creating
          the new user's .lang file.  Note that this script is run as root.
          See file comments for details.

     /var/sysadm/config/newhomedir.config
          Determines what actions are taken when a new home directory is
          created for an existing user by the Modify User Account task.  As
          shipped, the files /var/sysadm/config/default.* are copied into the
          new home directory and /var/sysadm/config/newhomedir.script is run
          (as root).  See file comments for details.

     /var/sysadm/config/newhomedir.script
          Performs actions on a new home directory created for an existing
          user by the Modify User Account task.  As shipped, this script takes
          no action.  Note that this script is run as root.  See file comments
          for details.

     /var/sysadm/config/useraccounts.config
          Lists special user accounts in /etc/passwd (as shipped) and controls
          how they are displayed.  The sysadmdesktop product will not allow
          these accounts to be modified or removed using the Modify User
          Account or Remove User Account tasks.  See file comments for
          details.

     /var/sysadm/defaultPrivileges/
          Contains one file for each privilege that is automatically granted
          to all users.  For example, as shipped, all users may list the
          available printers using the default privilege listPrinters. See
          defaultPrivileges(4) for details.

     /var/sysadm/genNewUid
          If this user-defined script exists, the Add User Account task will
          invoke it to generate the next available UID for a new user.
          Otherwise the next UID will be chosen at random.

     /var/sysadm/privenviron
          List of allowed environment variables when running a privileged
          program using runpriv(1M).  If a variable is listed with no value,
          the value will be inherited from the current environment.  If a
          variable is not listed, it will not be available to the privileged
          program.

     /var/sysadm/privhome/
          Home directory for all privileged programs.


     /var/sysadm/privilege
          Database containing a list of all privileges and a list of which
          users have been granted those specific privileges.  This database
          should only be modified with PrivilegeManager(1M).

     /var/sysadm/salog
          The System Administration Log.  Privileged commands write
          information about who invoked them, what args were used, what
          actions were taken, and what errors were encountered.  Use
          viewlog(1M) to view this log.

     /var/sysadm/salog.conf
          System administration log configuration details.  These values are
          set using the Set System Admin Log Options task.

     /var/sysadmdesktop/EZsetup/SysSetup/cgi-bin/SysSetup/
          Contains scripts and commands that implement System Setup (EZSetup).

     /var/www/cgi-bin/ghinv/
          Contains programs that generate the "About this System" page for

     /var/www/cgi-bin/sysmgr/search
          The program that implements the sysmgr(1M) search feature.

     /var/sysadmdesktop/EZsetup/SysSetup/
          Root directory for System Setup documents.

     /var/www/htdocs/sysmgr/$LANG/
          Root directory for localized HTML documents used by System Manager.

     $HOME/.noWarnInittab
          This file is used to make sure that the user is only warned once
          about the existence of the file /etc/inittab.O after an IRIX
          upgrade.

     $HOME/.desktop-{host}/SysadmStopNoRootWarnings
          If this file exists, sysadmdesktop will not warn the user that there
          is no root password on the system.  The file is created when the
          user is notified that there is no root password and requests that
          this warning not be shown again.

SEE ALSO
     addpriv(1M), checkpriv(1M), runpriv(1M), runtask(1M), runcatalog(1M),
     chkconfig(1M), shadow(4).

