Unix/NFS group iepm 

File used to keep track of network group privs.

To see who is in a group, use the command:

    netgroup <group_name>

e.g.

    netgroup u-network-management

or

    ypmatch <group_name> group

or

    ypgroup exam -group iepm
    Group 'iepm':
    GID:     2087
    Comment:
    Last modified at Aug  2 15:20:42 2006 by jonl
    Owners:  cal
    Members: akbar, cal, cottrell, cxg, fawad, hasan, iepm,
    jerrodw, jiri, maheshkc, rich, ytl

To add someone to a group use (Jerrod and Les can execute this command):

    ypgroup adduser -group iepm -user pinger
    # Please keep unix-admin & security notified when changes are needed, e.g. people changing function or moving etc.
    # Note that people with privileges need to change their passwords at least every 9 months.

...

Unix/AFS groups

Purpose      afs path                               contact(s)
SVN access   /afs/slac/g/scs/net/netmon/repo/svn    Cottrell

To see the names of groups and privileges on a particular directory, issue the command

    fs la <directory>

e.g.

    fs la .

or

    fs la /afs/slac/g/scs/net/pinger

    jerrodw@pinger $ fs la /afs/slac/g/scs/net/pinger/
    Access list for /afs/slac/g/scs/net/pinger/ is
    Normal rights:
      maint-pkg-netmon rlidwk
      g-scs rlidwka
      system:slac rl
      system:administrators rlidwka
      system:authuser rl

To view members of a particular group listed from 'fs la', issue the command:

    pts mem <group_name>

e.g.

    jerrodw@pinger $ pts mem maint-pkg-netmon
    Members of maint-pkg-netmon (id: -4786) are:
      <list of user_id's belonging to this group>

To add users to a particular group (only if you have privileges of course), issue the command

    pts adduser -group <group_name> -user <user_id>

Network Test hosts

Please note that we would like to see network testing, especially WAN testing, done primarily and by convention from machines set aside for that purpose (e.g. iepm-bw, iepm-resp, pinger). The list of network machines is kept at http://www-iepm.slac.stanford.edu/about/nodes.html

To find out who can log on to a specified host, look at the /etc/passwd file on that host. Look towards the end for entries like

    +@u-iepm

and use the netgroup u-iepm command to see who is in the group.
To find out what hosts u-iepm can log on to, use:

    #65cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm */passwd
    #bping/passwd:+@u-iepm
    #iepm-bw/passwd:+@u-iepm
    #iepm-resp/passwd:+@u-iepm
    #iepm-sol/passwd:+@u-iepm
    #monalisa/passwd:+@u-iepm
    #...
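
A plain grep for u-iepm also matches exclusion lines (-@u-iepm) and longer netgroup names that merely contain the string. The following is an added example, not part of the original page, that compares the first passwd field exactly. It assumes the <host>/passwd layout shown above and nss compat ordering, where an exclusion line listed before the admitting line wins; the host names and the u-iepm-dev netgroup are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes per-host passwd copies
# laid out as <dir>/<host>/passwd, as in the grep output above.

# admits FILE GROUP: succeed if FILE's compat entries admit netgroup GROUP.
# Field 1 is compared exactly, so "+@u-iepm::::::/bin/sh" (override fields)
# matches while "+@u-iepm-dev" does not.
admits() {
    awk -F: -v g="$2" '
        $1 == ("-@" g)              { exit }             # excluded before admitted
        $1 == ("+@" g) || $1 == "+" { found = 1; exit }  # netgroup line or bare "+"
        END { exit !found }
    ' "$1"
}

# hosts_for_netgroup DIR GROUP: hosts GROUP can log on to, one per line, sorted.
hosts_for_netgroup() {
    for f in "$1"/*/passwd; do
        [ -f "$f" ] || continue
        if admits "$f" "$2"; then basename "$(dirname "$f")"; fi
    done | sort
}

# make_sample: write a constructed tree of passwd files and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    root='root:x:0:0:root:/root:/bin/sh'
    for h in host-a host-b host-c host-d host-e; do mkdir "$d/$h"; done
    printf '%s\n' "$root" '+@u-iepm'              > "$d/host-a/passwd"
    printf '%s\n' "$root" '+@u-iepm::::::/bin/sh' > "$d/host-b/passwd"
    printf '%s\n' "$root" '-@u-iepm' '+'          > "$d/host-c/passwd"
    printf '%s\n' "$root" '+@u-iepm-dev'          > "$d/host-d/passwd"
    printf '%s\n' "$root" '+'                     > "$d/host-e/passwd"
    echo "$d"
}

sample=$(make_sample)
hosts_for_netgroup "$sample" u-iepm    # host-a, host-b, host-e
rm -rf "$sample"
```

A bare "+" line admits every NIS user, so hosts carrying one are reported for any netgroup that is not excluded earlier in the same file.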

Sudo

The sudoers file can be found at:

    /afs/slac/package/taylor/prod/base/sudoers

The following lines are in the sudoers file:

    # NB: The following two aliases define collections of commands for use
    # by members of the IEPM group on all machines and on the network
    # trouble-shooting machine, pharlap, respectively.  In this context,
    # "IEPM group" is not necessarily the same as the NIS group named
    # "iepm"; changes to the commands in the two aliases, or to the users
    # who should be authorized to use the commands, still need the usual
    # approvals.

    # Commands authorized for members of the IEPM group on all machines:
    Cmnd_Alias IEPM_ALL     = NIKHEF_PING,PATHCHAR,PCHAR,PIPECHAR

    # Commands authorized for members of the IEPM group on pharlap:
    # The addition of PIPECHAR to this list of commands is granted for
    # six months only and should be revisted May 28, 2002.
    Cmnd_Alias IEPM_PHARLAP = SNOOP,TCPDUMP,NDD,PIPECHAR,KILL

The people in the sudoers file with privileges assigned by these two Cmnd_Alias-es are:
cal, cottrell, cxg.

    iepm group: cottrell, warrenm, cal, dougc, cxg, grosso

    Pathchar     All      sudo /afs/slac/g/scs/bin/pathchar
    Pchar        All      sudo /afs/slac/package/netperf/bin/@sys/pchar
    Pipechar     All      sudo /afs/slac.stanford.edu/package/netperf/bin/@sys/pipechar
    NIKHEF ping  All      sudo /afs/slac/package/nikhef/@sys/ping

    #Snoop and tcpdump are big security exposures, so please be careful with their use.
    #Probably a good idea to notify security (email just before you start) if you are
    #going to use snoop and/or tcpdump
    Snoop        Pharlap  sudo snoop
    Tcpdump      Pharlap  sudo /afs/slac/package/netperf/bin/@sys/tcpdump

    u-network-management: warrenm, cottrell, kmartell, cal, cxg, grosso, janewei, gtb

    ssh          All

    maint-pkg-nikhef: cxg, warrenm, dougc

The following have /usr/sbin/ndd -set privs and sudo kill (via
cmd macro IEPM_PHARLAP) on pharlap (7/19/01):

...