About Legion security
How it affects your system
Registering multi-architecture implementations
Other relevant on-line documents:
Logging in to a running Legion system
Legion graphical user interface
Introduction to Legion context space
How to start remote programs in Legion
Sample makefile for remote programs
Legion tty objects
Running a PVM code in Legion
Running an MPI code in Legion|
Quick list of all Legion commands
Usage of all Legion commands
Starting and shutting down Legion 1.5
Using Legion security features
Legion host and vault objects
Adding host and vault objects
The list of all on-line 1.5 tutorials
Depending on how your system is set up, you may need to set up your environment before you can run Legion commands. This will probably involve running one of the following, depending on your shell (the first for sh-style shells, the second for csh-style shells):
$ . ~legion/setup.sh
$ source ~legion/setup.csh
About Legion security
Figure 1: Legion security model
The message layer intercepts every message that is sent from or received by an object. For outgoing messages, the layer uses the implicit parameters associated with the message to determine what security measures to apply. Implicit parameters here are similar to Unix environment variables, although their values are not restricted to strings.
Though the message layer can protect individual messages, it cannot stop an attacker from simply calling the methods of an object. The MayI layer fills this role. When an object that has a MayI layer is called, MayI examines the method call before the method is actually invoked. (The name of MayI comes from the idea that the caller is asking "May I call this method?") If the call passes the access control policy being enforced by MayI, it is allowed. Otherwise, a security exception is returned to the caller.
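As an added illustration of the two layers described above (this is example code written for this page, not part of Legion's source; the implicit-parameter names principal and protect, the shared-secret HMAC scheme, and the sample principals and ACL are this example's own assumptions), the following Python models a message layer that protects outgoing messages according to an implicit parameter and verifies incoming ones, and a MayI layer that consults a per-method ACL before the method body is allowed to run:

```python
"""Toy model of the two Legion security layers: a message layer that
protects individual messages and a MayI layer that decides whether a
caller may invoke a method.  Added illustration, not Legion code; the
implicit-parameter names, HMAC scheme and principals are assumptions."""
import hmac
import hashlib
from dataclasses import dataclass, field


class SecurityException(Exception):
    """What the callee returns instead of a result when a check fails."""


@dataclass
class Message:
    target: str                    # name of the callee object
    method: str
    args: tuple = ()
    # Implicit parameters travel with the message; unlike Unix environment
    # variables their values need not be strings.
    implicit: dict = field(default_factory=dict)
    mac: bytes = b""               # set by the sender's message layer


# Constructed toy secrets shared between each principal and the system;
# a real system would use per-principal keys or public-key credentials.
KEYS = {"/users/admin": b"admin-secret", "/users/alice": b"alice-secret"}


def _digest(key, msg):
    body = repr((msg.target, msg.method, msg.args)).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def send(principal, msg):
    """Sender's message layer: consult the implicit parameters, then sign."""
    msg.implicit["principal"] = principal            # assumed parameter name
    if msg.implicit.get("protect", True):            # assumed parameter name
        msg.mac = _digest(KEYS[principal], msg)
    return msg


class SecureObject:
    """An object wrapped by the message layer and a MayI layer."""

    def __init__(self, name, owner, acl, methods):
        self.name, self.owner, self.acl, self.methods = name, owner, acl, methods

    def receive(self, msg):
        # Message layer: reject malformed or unauthenticated messages here,
        # instead of letting the dispatcher choke on them.
        principal = msg.implicit.get("principal")
        if principal not in KEYS or msg.target != self.name:
            raise SecurityException("unknown principal or wrong target")
        if not hmac.compare_digest(msg.mac, _digest(KEYS[principal], msg)):
            raise SecurityException("message integrity check failed")
        # MayI layer: "May I call this method?"  Default deny; the owner
        # always may; everyone else needs an entry in the method's ACL.
        allowed = self.acl.get(msg.method, set())
        if principal != self.owner and principal not in allowed:
            raise SecurityException(f"{principal} may not call {msg.method}")
        # Only now is the method actually invoked.
        return self.methods[msg.method](*msg.args)


def demo():
    """Drive the model on constructed data; returns a summary of outcomes."""
    store = {}
    obj = SecureObject(
        "/home/alice/file", "/users/alice",
        acl={"read": {"/users/admin"}, "write": set()},
        methods={"read": lambda: store.get("data"),
                 "write": lambda v: store.__setitem__("data", v)},
    )
    results = {}
    obj.receive(send("/users/alice", Message(obj.name, "write", ("hello",))))
    results["owner_read"] = obj.receive(send("/users/alice", Message(obj.name, "read")))
    results["admin_read"] = obj.receive(send("/users/admin", Message(obj.name, "read")))
    try:
        obj.receive(send("/users/admin", Message(obj.name, "write", ("x",))))
    except SecurityException as e:
        results["admin_write"] = str(e)
    # Tamper after signing: the message layer catches it before MayI runs.
    m = send("/users/alice", Message(obj.name, "read"))
    m.method, m.args = "write", ("pwned",)
    try:
        obj.receive(m)
    except SecurityException as e:
        results["tampered"] = str(e)
    return results
```

Note the ordering: a tampered message is rejected by the message layer before MayI ever sees it, while a well-formed, authentic message from a principal not on the method's ACL is refused by MayI before the method is invoked. That is the division of labour the text describes, and why protecting messages alone is not enough.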
Please see the System Administrator Manual for more information on the security model.
How it affects your system
When you create a new user with legion_create_user, a new context is created for that user in the /users context (i.e., /users/user_name). This can serve as the new user's home context. Note that ordinary users can work only in their home context and in the /etc, /tmp, /mpi, and /pvm contexts; the admin user can work anywhere in context space.
Note that Release 1.5 of the system has not been hardened to withstand attack. For example, a sender can crash an object by sending an appropriately mangled message, because the low-level message processing layers will not understand the headers. Hardening against such attacks is currently in progress.
To enable security, run the security initialization command. Its output looks like this:
Creating the context "/users" to contain user-objects
Creating context "users" in parent "/".
New context LOID = "1.3622260c.05.08000000.000001fc..."
Creating the initial system-admin user object, "/users/admin"
Please select a Legion password for "/users/admin":
New Legion password: xxxx
Retype password: xxxx
1.3622260c.6b000000.01000000.000001fc0c...
Please enter the Legion password for "/users/admin" to continue:
Password: xxxx
Changing ownership of all objects to "/users/admin"
1.3622260c.01..000001fc0cbe1846763f895a...
1.3622260c.02..000001fc0b3b16eb8b2dde29...
[...etc.]
Changed ownership of 43 objects.
Creating initial ACLs files for all core objects in /home/xxxx/OPR/init_acls
Creating ACL for /class/AuthenticationObjectClass class
Creating ACL for /class/BasicFileClass class
[...etc.]
Creating context "tmp" in parent "/".
New context LOID = "1.362dabd6.05.09000000.000001fc..."
Creating context "etc" in parent "/".
New context LOID = "1.362dabd6.05.0a000000.000001fc..."
Creating context "mpi" in parent "/".
New context LOID = "1.362dabd6.05.0b000000.000001fc..."
Creating context "programs" in parent "/mpi".
New context LOID = "1.362dabd6.05.0c000000.000001fc..."
Creating context "instances" in parent "/mpi".
New context LOID = "1.362dabd6.05.0d000000.000001fc..."
Creating context "pvm" in parent "/".
New context LOID = "1.362dabd6.05.0e000000.000001fc..."
Creating context "tasks" in parent "/pvm".
New context LOID = "1.362dabd6.05.0f000000.000001fc..."
Done creating acl files
Then it sets the ACLs for all existing objects:
Setting ACL for /class/AuthenticationObjectClass class
Setting ACL for /class/BasicFileClass class
[...etc.]
All acls set.
$
Once security is enabled, log in as the admin user before issuing further commands:
$ legion_login /users/admin
Password: xxxx
$
Registering multi-architecture implementations
$ legion_create_implementation \
    $LEGION/bin/$LEGION_ARCH/AuthenticationObject \
    $LEGION_ARCH -c /class/AuthenticationObjectClass
$