Unix/NFS group iepm
File used to keep track of network group privs. It uses the ypgroup Unix databases.
To see who is in a group use the command
netgroup <group_name>, e.g.

    36cottrell@pinger:~>netgroup u-network-management
    u-network-management (-,antony,) (-,cal,) (-,cottrell,) (-,cxg,) (-,jerrodw,) (-,kmartell,)
or
ypmatch <group_name> group
ypmatch <group_name> netgroup, e.g.

    35cottrell@pinger:~>ypmatch u-network-management netgroup
    (-,antony,) (-,cal,) (-,cottrell,) (-,cxg,) (-,jerrodw,) (-,kmartell,)
or
ypgroup exam -group iepm, e.g.

    Group 'iepm':
      GID: 2087
      Comment: Last modified at Aug 2 15:20:42 2006 by jonl
      Owners: cal
      Members: akbar, cal, cottrell, cxg, fawad, hasan, iepm, jerrodw, jiri, maheshkc, rich, ytl
To add someone to a group use (Jerrod and Les can execute this command):
ypgroup adduser -group iepm -user pinger
# Please keep unix-admin & security notified when changes are needed, e.g. people changing function or moving etc.
# Note that people with privileges need to change their passwords at least every 9 months.
To see which hosts use a netgroup
grep the files at /afs/slac.stanford.edu/g/scs/systems/system.info/<machine>/taylor.opts.expanded looking for the group, e.g.
    6cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm /afs/slac/g/scs/systems/system.info/i*/taylor.opts.expanded
    /afs/slac/g/scs/systems/system.info/iepm-bw/taylor.opts.expanded:limit_login=u-iepm
    /afs/slac/g/scs/systems/system.info/iepm-resp/taylor.opts.expanded:limit_login=u-iepm

N.b. replacing i* with * will probably result in "/bin/grep: Argument list too long". Also note that as of 12/31/06 the hosts whose access is controlled by u-iepm are: iepm-bw, iepm-resp, monalisa, nettest5, and pinger.
Unix/AFS groups
Purpose | afs path | contact(s)
---|---|---
SVN access | /afs/slac/g/scs/net/netmon/repo/svn | Cottrell
To see the names of groups and privileges on a particular directory, issue the command
fs la <directory>, e.g. fs la .
or
fs la /afs/slac/g/scs/net/pinger, e.g.

    jerrodw@pinger $ fs la /afs/slac/g/scs/net/pinger/
    Access list for /afs/slac/g/scs/net/pinger/ is
    Normal rights:
      maint-pkg-netmon rlidwk
      g-scs rlidwka
      system:slac rl
      system:administrators rlidwka
      system:authuser rl
To view members of a particular group listed from 'fs la', issue the command:
pts mem <group_name>, e.g.

    jerrodw@pinger $ pts mem maint-pkg-netmon
    Members of maint-pkg-netmon (id: -4786) are:
    <list of user_id's belonging to this group>
To add users to a particular group (only if you have privileges of course), issue the command
pts adduser -group <group_name> -user <user_id>
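The access list that fs la prints is the thing to review before handing out pts adduser privileges, since a broad system:anyuser or system:authuser entry on a directory outweighs any care taken with the named groups. The script below is an added example, not code from the original page: it parses constructed fs la output (the system:authuser entry is deliberately over-broad for the demo) and reports catch-all groups holding more than read/lookup rights. For a real check, feed it the output of fs la on the directory of interest.

```shell
#!/bin/sh
# Added example, not from the original page: audit an AFS ACL as printed by
# "fs la", flagging catch-all groups that hold more than read/lookup rights.
# The fs output is constructed; the system:authuser entry is deliberately broad.
set -u

# Constructed "fs la" output. The real command prints one "name rights" pair
# per line under "Normal rights:" and, when present, "Negative rights:".
SAMPLE_FS_LA='Access list for /afs/example/g/scs/net/pinger/ is
Normal rights:
  maint-pkg-netmon rlidwk
  g-scs rlidwka
  system:slac rl
  system:administrators rlidwka
  system:authuser rlidw
Negative rights:
  guest rl'

# Print "section name rights" for every ACL entry, section being normal or negative.
fs_la_entries() {
    printf '%s\n' "$1" | awk '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        NF == 2 && section != "" { print section, $1, $2 }'
}

# Normal-rights entries that give system:anyuser or system:authuser any of
# the write-class rights (i, d, w, k, a); each hit is one "name rights" line.
fs_la_overbroad() {
    fs_la_entries "$1" | awk '
        $1 == "normal" &&
        ($2 == "system:anyuser" || $2 == "system:authuser") &&
        $3 ~ /[idwka]/ { print $2, $3 }'
}

# Stand-alone demo on the constructed sample; on a live cell you would use
#   fs_la_overbroad "$(fs la /afs/some/directory)"
fs_la_overbroad "$SAMPLE_FS_LA"
```

Negative rights are parsed but not flagged, because an entry there removes rights rather than granting them; a reviewer may still want to see them, which is why fs_la_entries reports the section.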
Network Test hosts
Please note that we would like to see network testing, especially WAN testing, done primarily and by convention from machines set aside for that purpose
(e.g. iepm-bw, iepm-resp, pinger). The list of network machines is kept at http://www-iepm.slac.stanford.edu/about/nodes.html
To find out who can log on to a specified host, look at the /etc/passwd file on that host; towards the end you will find entries like
+@u-iepm
and use the netgroup u-iepm command to see who is in the group.
To find out what hosts u-iepm can log on to, use:

    65cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm */passwd
    bping/passwd:+@u-iepm
    iepm-bw/passwd:+@u-iepm
    iepm-resp/passwd:+@u-iepm
    iepm-sol/passwd:+@u-iepm
    monalisa/passwd:+@u-iepm
    ...
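The two look-ups above (who is in a netgroup, from the ypmatch/netgroup output, and which hosts enable that netgroup through a +@group line in passwd) are usually wanted together, to answer "who can actually log in to host X". The script below is an added example, not code from the original page: it parses the (host,user,domain) triples that ypmatch prints and scans per-host passwd copies for NIS compat lines. The system.info tree and the ypmatch output are replaced by constructed samples with invented hosts and members, and ypmatch_netgroup is a stand-in for the real command, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original page: resolve netgroup logins offline.
# The system.info tree and "ypmatch <group> netgroup" are replaced by
# constructed samples; all host names, members and passwd lines are invented.
set -u

# Constructed stand-in for /afs/.../system.info/<host>/passwd, one copy per host.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
for h in bping iepm-bw monalisa pharlap; do
    mkdir -p "$SAMPLE_DIR/$h"
done
printf 'root:x:0:0:root:/root:/bin/sh\n+@u-iepm\n' > "$SAMPLE_DIR/bping/passwd"
printf 'root:x:0:0:root:/root:/bin/sh\n+@u-iepm\n+@u-network-management\n' > "$SAMPLE_DIR/iepm-bw/passwd"
printf 'root:x:0:0:root:/root:/bin/sh\n+@u-network-management\n' > "$SAMPLE_DIR/monalisa/passwd"
printf 'root:x:0:0:root:/root:/bin/sh\n+cottrell\n' > "$SAMPLE_DIR/pharlap/passwd"

# Constructed stand-in for "ypmatch <group> netgroup" (invented membership).
ypmatch_netgroup() {
    case $1 in
        u-iepm)               echo '(-,akbar,) (-,cal,) (-,cottrell,) (-,iepm,)' ;;
        u-network-management) echo '(-,antony,) (-,cal,) (-,kmartell,)' ;;
        *)                    return 1 ;;
    esac
}

# Print the user field of every "(host,user,domain)" triple in a netgroup,
# one per line; host-only triples such as "(pinger,-,)" are skipped.
netgroup_users() {
    ypmatch_netgroup "$1" | tr ' ' '\n' \
        | sed -n 's/^(\([^,]*\),\([^,]*\),[^)]*)$/\2/p' | grep -v '^-$' || true
}

# Hosts whose passwd copy under <dir> enables <group> with a "+@group" line.
# Looping over the glob keeps the file list inside the shell, which avoids the
# "Argument list too long" error that handing */passwd to one grep can cause.
hosts_using_netgroup() {
    dir=$1; group=$2
    for f in "$dir"/*/passwd; do
        if grep -qx "+@$group" "$f"; then
            basename "$(dirname "$f")"
        fi
    done
}

# Accounts admitted to <host> by NIS compat lines: "+user" entries, every
# member of each "+@group" entry, and a bare "+" (or "+::::::"), which admits
# the whole NIS passwd map and is reported as such. Output is sorted and unique.
who_can_login() {
    dir=$1; host=$2; pw="$dir/$host/passwd"
    {
        sed -n 's/^+@\(.*\)$/\1/p' "$pw" | while read -r g; do netgroup_users "$g"; done
        sed -n 's/^+\([^@:][^:]*\).*$/\1/p' "$pw"
        grep -qE '^\+:*$' "$pw" && echo '+ (every account in the NIS passwd map)' || true
    } | sort -u
}

# Stand-alone demo: which hosts enable u-iepm, and who can log in to iepm-bw.
echo "hosts enabling u-iepm: $(hosts_using_netgroup "$SAMPLE_DIR" u-iepm | tr '\n' ' ')"
echo "accounts admitted on iepm-bw: $(who_can_login "$SAMPLE_DIR" iepm-bw | tr '\n' ' ')"
```

Against the real tree, point hosts_using_netgroup and who_can_login at /afs/slac/g/scs/systems/system.info and replace ypmatch_netgroup with a call to ypmatch "$1" netgroup; a bare + line is worth surfacing explicitly because it admits every NIS account, not just a netgroup.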
Sudo
The sudoers file can be found at:
/afs/slac/package/taylor/prod/base/sudoers
The following lines are in the sudoers file:
    # NB: The following two aliases define collections of commands for use
    # by members of the IEPM group on all machines and on the network
    # trouble-shooting machine, pharlap, respectively. In this context,
    # "IEPM group" is not necessarily the same as the NIS group named
    # "iepm"; changes to the commands in the two aliases, or to the users
    # who should be authorized to use the commands, still need the usual
    # approvals.
    # Commands authorized for members of the IEPM group on all machines:
    Cmnd_Alias IEPM_ALL = NIKHEF_PING,PATHCHAR,PCHAR,PIPECHAR
    # Commands authorized for members of the IEPM group on pharlap:
    # The addition of PIPECHAR to this list of commands is granted for
    # six months only and should be revisted May 28, 2002.
    Cmnd_Alias IEPM_PHARLAP = SNOOP,TCPDUMP,NDD,PIPECHAR,KILL
The people in the sudoers file with privileges assigned by these two Cmnd_Alias-es are: cal, cottrell, cxg.
iepm group: cottrell, warrenm, cal, dougc, cxg, grosso

    Pathchar     All      sudo  /afs/slac/g/scs/bin/pathchar
    Pchar        All      sudo  /afs/slac/package/netperf/bin/@sys/pchar
    Pipechar     All      sudo  /afs/slac.stanford.edu/package/netperf/bin/@sys/pipechar
    NIKHEF ping  All      sudo  /afs/slac/package/nikhef/@sys/ping
    # Snoop and tcpdump are big security exposures, so please be careful with their use.
    # Probably a good idea to notify security (email just before you start) if you are
    # going to use snoop and/or tcpdump
    Snoop        Pharlap  sudo  snoop
    Tcpdump      Pharlap  sudo  /afs/slac/package/netperf/bin/@sys/tcpdump

u-network-management: warrenm, cottrell, kmartell, cal, cxg, grosso, janewei, gtb

    ssh          All

maint-pkg-nikhef: cxg, warrenm, dougc
The following have /usr/sbin/ndd -set privs and sudo kill (via cmd macro IEPM_PHARLAP) on pharlap (7/19/01):
cal, cottrell, cxg
Account iepm has sudo kill with no password on pharlap (12/14/01)
cottrell also has ndd -set for evagore (11/21/01)
iepm has pipechar with no password on pharlap and antonia (11/28/01)
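Because the sudoers file builds IEPM_ALL and IEPM_PHARLAP out of other aliases, and because some grants (the iepm account's kill and pipechar on pharlap) are passwordless, the quick questions at review time are "what does this alias actually allow?" and "which grants need no password?". The script below is an added example, not the site's sudoers nor code from the original page: its sudoers excerpt reproduces the two Cmnd_Alias lines quoted above, while the leaf aliases, their paths (taken from the privilege list) and the user specifications are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: expand sudoers Cmnd_Alias chains
# and list passwordless (NOPASSWD) grants. The sudoers excerpt is constructed:
# the two IEPM_* aliases follow the page, everything else is invented.
set -u

SUDOERS_FILE=$(mktemp)
trap 'rm -f "$SUDOERS_FILE"' EXIT
cat > "$SUDOERS_FILE" <<'EOF'
# Constructed leaf aliases (paths taken from the privilege list on the page)
Cmnd_Alias NIKHEF_PING = /afs/slac/package/nikhef/@sys/ping
Cmnd_Alias PATHCHAR = /afs/slac/g/scs/bin/pathchar
Cmnd_Alias PCHAR = /afs/slac/package/netperf/bin/@sys/pchar
Cmnd_Alias PIPECHAR = /afs/slac.stanford.edu/package/netperf/bin/@sys/pipechar
Cmnd_Alias SNOOP = /usr/sbin/snoop
Cmnd_Alias TCPDUMP = /afs/slac/package/netperf/bin/@sys/tcpdump
Cmnd_Alias NDD = /usr/sbin/ndd -set
Cmnd_Alias KILL = /bin/kill
# The two aliases quoted on the page
Cmnd_Alias IEPM_ALL = NIKHEF_PING,PATHCHAR,PCHAR,PIPECHAR
Cmnd_Alias IEPM_PHARLAP = SNOOP,TCPDUMP,NDD,PIPECHAR,KILL
# Constructed user specifications
cal ALL = IEPM_ALL
cal pharlap = IEPM_PHARLAP
iepm pharlap = NOPASSWD: KILL, PIPECHAR
EOF

# Print the leaf commands of <alias> in <file>, one per line, following
# nested Cmnd_Alias references; a name that is not an alias is printed as-is.
cmnd_alias_expand() {
    awk -v want="$2" '
        /^Cmnd_Alias[ \t]/ {
            name = $2
            sub(/^[^=]*=[ \t]*/, "")
            alias[name] = $0
            next
        }
        function expand(item,    n, parts, i) {
            gsub(/^[ \t]+|[ \t]+$/, "", item)
            if (item in alias) {
                n = split(alias[item], parts, ",")
                for (i = 1; i <= n; i++) expand(parts[i])
            } else {
                print item
            }
        }
        END { expand(want) }' "$1"
}

# Print "user host command" for every NOPASSWD grant in <file>, with aliases
# expanded. Assumes one user specification per line (no backslash continuations).
sudoers_nopasswd() {
    file=$1
    grep -E '^[^#]*NOPASSWD:' "$file" | sed 's/=/ = /' |
    while read -r user host eq rest; do
        printf '%s\n' "${rest#*NOPASSWD:}" | tr ',' '\n' | while read -r c; do
            [ -n "$c" ] || continue
            cmnd_alias_expand "$file" "$c" | while read -r leaf; do
                echo "$user $host $leaf"
            done
        done
    done
}

# Stand-alone demo.
echo "IEPM_PHARLAP expands to:"; cmnd_alias_expand "$SUDOERS_FILE" IEPM_PHARLAP
echo "NOPASSWD grants:"; sudoers_nopasswd "$SUDOERS_FILE"
```

The alias expansion is recursive, so a new alias added inside IEPM_ALL shows up in every grant that names IEPM_ALL; that is exactly why the sudoers comment says changes to the aliases still need the usual approvals.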
Mailing lists
The main mailing list is iepm-group. To get added to this list contact Les Cottrell. To see who is in the group etc. go to majordomo