Initializes the Basic OverSeer (BOS) Server process
Synopsis
bosserver [-adminlist filename] [-noauth] [-help]
Options
-adminlist filename
Specifies the file that contains principals and groups authorized to execute bosserver RPCs (usually using bos commands). If this option is omitted, the bosserver obtains the list of authorized users from the default administrative list file, dcelocal/var/dfs/admin.bos.
-noauth
Invokes the bosserver with DFS authorization checking turned off. In this mode, DFS processes, including the bosserver process, do not check to see whether issuers have the necessary privilege to enter administrative commands.
This option is intended for use when the BOS Server is initially installed on a server machine. Because it starts the bosserver with DFS authorization checking turned off, it allows the issuer to add members to the admin.bos administrative list and to add a key to the keytab file on the server machine.
Use this mode sparingly, as it presents a security risk. Using this option forces all DFS server processes on the machine to run without DFS authorization checking.
-help
Prints the online help for this command. All other valid options specified with this option are ignored.
The help and apropos commands available with all command suites are also available with the bosserver command. See the bos help and bos apropos pages for examples of using these commands.
Description
The Basic OverSeer Server (BOS Server) monitors other DFS server processes, such as the flserver and ftserver processes, running on the machine and restarts failed processes automatically (without the intervention of a system administrator). The BOS Server, or bosserver process, monitors each server process that has a process entry in the local BosConfig file. The bosserver process must be run on all DFS server machines. The bosserver command, which resides in dcelocal/bin/bosserver, is usually added to the proper system start-up file (/etc/rc or its equivalent); the process places itself in the background after it starts.
When it is started, the bosserver creates the dcelocal/var/dfs/adm/BosLog event log file if the file does not already exist. It then appends messages to the file. If the BosLog file exists when the bosserver is started, the process moves it to the BosLog.old file in the same directory (overwriting the current BosLog.old file if it exists) before creating a new version to which to append messages.
The principals and groups in the admin.bos administrative list are authorized to issue BOS commands to stop, start, create, and modify server processes on that machine. For simplified administration, the same admin.bos administrative list can be used by all bosserver processes in the administrative domain.
The first time the bosserver process is initialized, it creates several directories (such as the dcelocal/var/dfs/adm directory and any nonexistent directories along this path), sets the owners to the appropriate identities, and sets the mode bits to provide appropriate access. The bosserver process also creates the dcelocal/var/dfs/admin.bos administrative list file and the dcelocal/var/dfs/BosConfig configuration file if either file does not already exist. On subsequent restarts, the process writes the following message to the BosLog file if the owners and mode bits of these objects are not set appropriately:
Bosserver reports inappropriate access on server directories.
See the reference page for the bos status command for information about the protections the BOS Server wants to see enforced.
Note: Your vendor can modify the owner of directories created by the BOS Server and the permissions those directories are created with. Refer to your vendor's documentation to determine the protections that apply for your version of DFS.
When initially installing the BOS Server on a server machine, use the -noauth option to initialize the bosserver process with DFS authorization checking disabled. This creates the NoAuth file in the dcelocal/var/dfs directory on the local disk; when the file is present, DFS authorization checking is disabled on the machine.
With DFS authorization checking disabled, add members to the admin.bos list and add a key to the keytab file on the server machine. When these steps are complete, use the bos setauth command to enable DFS authorization checking. Because running with DFS authorization checking disabled is a serious security risk, enable DFS authorization checking as soon as the previous steps are complete. The bos status command can be used to determine whether DFS authorization checking is enabled or disabled on a machine; it displays the following message if DFS authorization checking is disabled on a machine (it does not display the message if DFS authorization checking is enabled):
Bosserver reports machine is not checking authorization.
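The following script is an added example, not part of the DFS documentation. It checks a server machine for the three conditions described above: a NoAuth file left in place, a start-up file that launches bosserver with -noauth, and the directory-protection warning in BosLog. The function names are hypothetical, the dcelocal path is site-specific and supplied by the caller, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the DFS documentation): flag the conditions this page
# describes as risky. The dcelocal path is site-specific and passed by the caller.

# audit_bosserver_auth DCELOCAL [RCFILE]: one line per finding; exit status = count.
audit_bosserver_auth() {
    dcelocal=$1 rcfile=${2:-/etc/rc} findings=0
    log="$dcelocal/var/dfs/adm/BosLog"

    # NoAuth present: DFS authorization checking is disabled on this machine.
    if [ -e "$dcelocal/var/dfs/NoAuth" ]; then
        echo "NoAuth file present: $dcelocal/var/dfs/NoAuth"
        findings=$((findings + 1))
    fi
    # Start-up file passes -noauth: checking is disabled again at every boot.
    # Comment lines are ignored before matching.
    if [ -r "$rcfile" ] && grep -v '^[[:space:]]*#' "$rcfile" |
        grep -Eq 'bosserver.*[[:space:]]-noauth([[:space:]]|$)'; then
        echo "bosserver started with -noauth in $rcfile"
        findings=$((findings + 1))
    fi
    # BosLog warning: owners or mode bits on the server directories are wrong.
    if [ -r "$log" ] && grep -Fq \
        'Bosserver reports inappropriate access on server directories.' "$log"; then
        echo "BosLog reports inappropriate access on server directories"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# make_constructed_tree DIR yes|no: build sample input (constructed, not real data).
make_constructed_tree() {
    mkdir -p "$1/var/dfs/adm"
    printf '%s\n' '# start DFS' "$1/bin/bosserver -adminlist admin.bos" > "$1/rc"
    echo 'constructed log line' > "$1/var/dfs/adm/BosLog"
    if [ "$2" = yes ]; then
        : > "$1/var/dfs/NoAuth"
        echo "$1/bin/bosserver -noauth" >> "$1/rc"
        echo 'Bosserver reports inappropriate access on server directories.' \
            >> "$1/var/dfs/adm/BosLog"
    fi
}

# Demonstration on a constructed tree.
demo=$(mktemp -d)
make_constructed_tree "$demo" yes
audit_bosserver_auth "$demo" "$demo/rc" || echo "findings: $?"
rm -rf "$demo"
```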
Privilege Required
The issuer must be logged in as root on the local machine.
Output
If problems are encountered during initialization, the bosserver process displays error messages on standard error output. The bosserver process keeps an event log in the file dcelocal/var/dfs/adm/BosLog.
Related Information
Commands: bos setauth(8dfs)
Files: admin.bos(4dfs)