Unix/NFS group iepm
File used to keep track of network group privileges.
To see who is in a group, use the command:
Code Block |
---|
netgroup <group_name>, e.g. |
netgroup u-network-management |
or
Code Block |
---|
ypmatch <group_name> group |
or
Code Block |
---|
ypgroup exam -group iepm |
Group 'iepm': |
GID: 2087 |
Comment: |
Last modified at Aug 2 15:20:42 2006 by jonl |
Owners: cal |
Members: akbar, cal, cottrell, cxg, fawad, hasan, iepm, |
jerrodw, jiri, maheshkc, rich, ytl |
To add someone to a group use (Jerrod and Les can execute this command):
Code Block |
---|
ypgroup adduser -group iepm -user pinger |
# Please keep unix-admin & security notified when changes are needed, e.g. people changing function or moving, etc.
# Note that people with privileges need to change their passwords at least every 9 months.
Unix/AFS groups
Purpose | afs path | contact(s) |
---|---|---|
SVN access | /afs/slac/g/scs/net/netmon/repo/svn | Cottrell |
To see the names of groups and privileges on a particular directory, issue the command:
Code Block |
---|
fs la <directory>, e.g. |
fs la . |
or
Code Block |
---|
fs la /afs/slac/g/scs/net/pinger |
jerrodw@pinger $ fs la /afs/slac/g/scs/net/pinger/ |
Access list for /afs/slac/g/scs/net/pinger/ is |
Normal rights: |
maint-pkg-netmon rlidwk |
g-scs rlidwka |
system:slac rl |
system:administrators rlidwka |
system:authuser rl |
To view members of a particular group listed from 'fs la', issue the command:
Code Block |
---|
pts mem <group_name>, e.g. |
jerrodw@pinger $ pts mem maint-pkg-netmon |
Members of maint-pkg-netmon (id: -4786) are: |
<list of user_id's belonging to this group> |
To add users to a particular group (only if you have the privileges, of course), issue the command:
Code Block |
---|
pts adduser -group <group_name> -user <user_id> |
Network Test hosts
Please note that we would like to see network testing, especially WAN testing, done primarily and by convention from machines set aside for that purpose (e.g. iepm-bw, iepm-resp, pinger). The list of network machines is kept at http://www-iepm.slac.stanford.edu/about/nodes.html
To find out who can log on to a specified host, look at the /etc/passwd file on that host and look towards the end for entries like
+@u-iepm
and use the netgroup u-iepm command to see who is in the group.
To find out what hosts u-iepm can log on to, use:
Code Block |
---|
#65cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm */passwd |
#bping/passwd:+@u-iepm |
#iepm-bw/passwd:+@u-iepm |
#iepm-resp/passwd:+@u-iepm |
#iepm-sol/passwd:+@u-iepm |
#monalisa/passwd:+@u-iepm |
#... |
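An audit helper for the lookup above, added here as an example and not part of the original page or the site's own tooling. It compares the whole first field of each passwd entry, so `u-iepm` does not also match a longer name such as `u-iepm-ops`, and it reports `+@` (admit) and `-@` (exclude) entries separately, which a substring grep lumps together. The function names, the host names and the sample tree are constructed, and the script assumes standard passwd compat syntax.

```shell
#!/bin/sh
# Added example: constructed data, hypothetical function names.

# list_netgroup_hosts DIR NETGROUP [SIGN]
# Print each host directory under DIR whose passwd file has a compat entry
# for exactly NETGROUP. SIGN is "+" (admit, the default) or "-" (exclude).
list_netgroup_hosts() {
    dir=$1 group=$2 sign=${3:-+}
    for f in "$dir"/*/passwd; do
        [ -f "$f" ] || continue
        # Field 1 of a compat entry is "+@name" or "-@name". Comparing the
        # whole field also accepts entries that override later fields,
        # e.g. "+@u-iepm::::::/bin/sh".
        if awk -F: -v want="${sign}@${group}" \
               '$1 == want { found = 1 } END { exit !found }' "$f"; then
            basename "$(dirname "$f")"
        fi
    done | sort
}

# Build a constructed sample tree shaped like system.info/<host>/passwd.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/hostA" "$root/hostB" "$root/hostC" "$root/hostD"
    # hostA: plain admit entry
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' '+@u-iepm' > "$root/hostA/passwd"
    # hostB: a different netgroup whose name merely starts with "u-iepm"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' '+@u-iepm-ops' > "$root/hostB/passwd"
    # hostC: admit entry with a shell override in field 7
    printf '%s\n' '+@u-iepm::::::/bin/sh' > "$root/hostC/passwd"
    # hostD: the netgroup is explicitly excluded
    printf '%s\n' '-@u-iepm' '+@u-other' > "$root/hostD/passwd"
    echo "$root"
}

tree=$(make_sample_tree)
echo "Hosts admitting u-iepm:";  list_netgroup_hosts "$tree" u-iepm
echo "Hosts excluding u-iepm:";  list_netgroup_hosts "$tree" u-iepm -
rm -rf "$tree"
```

On the constructed tree, a plain `grep u-iepm */passwd` would list all four hosts, while this reports only hostA and hostC as admitting the group.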
Sudo
The sudoers file can be found at:
Code Block |
---|
/afs/slac/package/taylor/prod/base/sudoers |
The following lines are in the sudoers file:
Code Block |
---|
# NB: The following two aliases define collections of commands for use |
# by members of the IEPM group on all machines and on the network |
# trouble-shooting machine, pharlap, respectively. In this context, |
# "IEPM group" is not necessarily the same as the NIS group named |
# "iepm"; changes to the commands in the two aliases, or to the users |
# who should be authorized to use the commands, still need the usual |
# approvals. |
# Commands authorized for members of the IEPM group on all machines: |
Cmnd_Alias IEPM_ALL = NIKHEF_PING,PATHCHAR,PCHAR,PIPECHAR |
# Commands authorized for members of the IEPM group on pharlap: |
# The addition of PIPECHAR to this list of commands is granted for |
# six months only and should be revisted May 28, 2002. |
Cmnd_Alias IEPM_PHARLAP = SNOOP,TCPDUMP,NDD,PIPECHAR,KILL |
The people in the sudoers file with privileges assigned by these two Cmnd_Alias entries are: cal, cottrell, cxg.
Code Block |
---|
iepm group: cottrell, warrenm, cal, dougc, cxg, grosso |
Pathchar All sudo /afs/slac/g/scs/bin/pathchar |
Pchar All sudo /afs/slac/package/netperf/bin/@sys/pchar |
Pipechar All sudo /afs/slac.stanford.edu/package/netperf/bin/@sys/pipechar |
NIKHEF ping All sudo /afs/slac/package/nikhef/@sys/ping |
#Snoop and tcpdump are big security exposures, so please be careful with their use. |
#Probably a good idea to notify security (email just before you start) if you are |
#going to use snoop and/or tcpdump |
Snoop Pharlap sudo snoop |
Tcpdump Pharlap sudo /afs/slac/package/netperf/bin/@sys/tcpdump |
u-network-management: warrenm, cottrell, kmartell, cal, cxg, grosso, janewei, gtb |
ssh All |
maint-pkg-nikhef: cxg, warrenm, dougc |
The following have /usr/sbin/ndd -set privs and sudo kill (via cmd macro IEPM_PHARLAP) on pharlap (7/19/01):
...