Lnode Maintenance Programs (Solaris Resource Manager 1.3 System Administration Guide)

Solaris Resource Manager 1.3 System Administration Guide

Lnode Maintenance Programs

The limadm command is the primary tool available to administrators for maintaining a user's lnode. This command changes Solaris Resource Manager attribute values for a given list of user accounts. If an lnode does not exist for any of the users, then a default-filled blank one is created first. New lnodes are created with the following properties:

flag.real is set;
cpu.shares and cpu.myshares attributes are set to 1;
The flags uselimadm and admin are set to clear;
All other flags are set to inherit;
All limit and usage attributes are set to zero.

The scheduling group of the new lnode is set to user 'other' (srmother) if an lnode for that user account exists, or else to the root lnode.

The limadm invoker needs sufficient administrative privilege to perform the specified changes. The invoker must be the superuser, have a set uselimadm flag, or be a group administrator who is only changing the attributes of members of the scheduling group to which the invoker belongs. Restrictions apply to the use of limadm by group administrators.

Group administrators cannot change the value of their own attributes.
A user's sgroup attribute can only be assigned to the invoker or to a member of the invoker's scheduling group.
Group administrators cannot change the attributes of users outside their scheduling group.
They cannot alter the value of any attribute used to store usages other than term usage. Without this restriction, group administrators could circumvent the group limits in their own lnodes by reducing the usage of one of their children, thereby reducing the group usage.
If they have a flag that evaluates to a value other than the default, group administrators can alter the value of that flag for another member of their group only if they are changing it to be the same non-default value.

This ensures that group administrators with explicitly denied privileges cannot grant those privileges to any users under their influence.

The limadm command allows an administrator to remove an lnode without deleting the corresponding user account in the password map. To use limadm, the invoker must be the superuser or have a set uselimadm flag. If the invoker only has a set admin flag, then the invoker can only modify the lnodes of users under scheduling groups for which the invoker is the group header.