
Unix/NFS group iepm 

#File used to keep track of network group privs.

#To see who is in a group use the command
#netgroup <group_name>, e.g.
#netgroup u-network-management
#or
#ypmatch <group_name> group
#or
#ypgroup exam -group iepm
#Group 'iepm':
#GID: 2087
#Comment:
#Last modified at Aug 2 15:20:42 2006 by jonl
#Owners: cal
#Members: akbar, cal, cottrell, cxg, fawad, hasan, iepm,
#jerrodw, jiri, maheshkc, rich, ytl

#To add someone to a group use (Jerrod and Les can execute this command):

#ypgroup adduser -group iepm -user pinger
#Please keep unix-admin & security notified when changes are needed, e.g.
#people changing function or moving etc.

#Note that people with privileges need to change their passwords
#at least every 9 months.

Network Test hosts

#Please note that we would like to see network testing, especially WAN testing,
#done primarily and by convention from machines set aside for that purpose
#(e.g. iepm-bw, iepm-resp, pinger). The list of network machines is kept at
#http://www-iepm.slac.stanford.edu/about/nodes.html

#To find out who can log on to a specified host, look at the /etc/passwd file
#on that host. Look towards the end for entries like
#+@u-iepm
#and use the netgroup u-iepm command to see who is in the group.
#To find out which hosts u-iepm can log on to, use:
#65cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm */passwd
#bping/passwd:+@u-iepm
#iepm-bw/passwd:+@u-iepm
#iepm-resp/passwd:+@u-iepm
#iepm-sol/passwd:+@u-iepm
#monalisa/passwd:+@u-iepm
#...
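
Added example (not part of the original notes or of any SLAC tooling): a plain grep for the group name also matches longer netgroup names and misses hosts that admit every NIS user through a bare "+" entry. The sketch below reads each host's passwd copy top to bottom, assuming standard passwd compat semantics where the first matching +/- entry decides. The function names, the hostA/hostB/hostC directories and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Audit which hosts admit a netgroup through passwd compat entries.
# Assumes one sub-directory per host, each holding a copy of that host's passwd.

# netgroup_access DIR NETGROUP
# Prints "host verdict" for every host whose passwd decides the netgroup's access.
netgroup_access() {
    for f in "$1"/*/passwd; do
        [ -f "$f" ] || continue
        host=$(basename "$(dirname "$f")")
        awk -F: -v ng="$2" -v host="$host" '
            # Exact match on field 1, so u-iepm never matches u-iepm-admin,
            # and trailing override fields (+@group::::::) are ignored.
            $1 == ("-@" ng) { print host, "deny";      exit }
            $1 == ("+@" ng) { print host, "allow";     exit }
            $1 == "+"       { print host, "allow-all"; exit }
        ' "$f"
    done
}

# Constructed sample tree: iepm-bw and pinger are names from the page,
# hostA/hostB/hostC and every file body are invented for the demonstration.
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/iepm-bw" "$d/pinger" "$d/hostA" "$d/hostB" "$d/hostC"
    printf 'root:x:0:0::/root:/bin/sh\n+@u-iepm\n' > "$d/iepm-bw/passwd"
    printf 'root:x:0:0::/root:/bin/sh\n+@u-iepm::::::\n+@u-other\n' > "$d/pinger/passwd"
    printf 'root:x:0:0::/root:/bin/sh\n-@u-iepm\n+\n' > "$d/hostA/passwd"
    printf 'root:x:0:0::/root:/bin/sh\n+::::::\n' > "$d/hostB/passwd"
    printf 'root:x:0:0::/root:/bin/sh\n+@u-iepm-admin\n' > "$d/hostC/passwd"
    echo "$d"
}

tree=$(demo_tree)
netgroup_access "$tree" u-iepm
rm -rf "$tree"
```

A verdict of allow-all marks a host that a grep for the group name would not list at all. The script does not inspect override fields, so an entry that substitutes a non-login shell still reports allow.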

Sudo
 The sudoers file can be found at:
/afs/slac/package/taylor/prod/base/sudoers
The following lines are in the sudoers file:

    # NB: The following two aliases define collections of commands for use
    # by members of the IEPM group on all machines and on the network
    # trouble-shooting machine, pharlap, respectively. In this context,
    # "IEPM group" is not necessarily the same as the NIS group named
    # "iepm"; changes to the commands in the two aliases, or to the users
    # who should be authorized to use the commands, still need the usual
    # approvals.

    # Commands authorized for members of the IEPM group on all machines:
    Cmnd_Alias IEPM_ALL = NIKHEF_PING,PATHCHAR,PCHAR,PIPECHAR

    # Commands authorized for members of the IEPM group on pharlap:
    # The addition of PIPECHAR to this list of commands is granted for
    # six months only and should be revisted May 28, 2002.
    Cmnd_Alias IEPM_PHARLAP = SNOOP,TCPDUMP,NDD,PIPECHAR,KILL

The people in the sudoers file with privileges assigned by these two Cmnd_Alias-es are:
cal, cottrell, cxg.

iepm group: cottrell, warrenm, cal, dougc, cxg, grosso
Pathchar All sudo /afs/slac/g/scs/bin/pathchar
Pchar All sudo /afs/slac/package/netperf/bin/@sys/pchar
Pipechar All sudo /afs/slac.stanford.edu/package/netperf/bin/@sys/pipechar
NIKHEF ping All sudo /afs/slac/package/nikhef/@sys/ping
#Snoop and tcpdump are big security exposures, so please be careful with their use.
#Probably a good idea to notify security (email just before you start) if you are
#going to use snoop and/or tcpdump
Snoop Pharlap sudo snoop
Tcpdump Pharlap sudo /afs/slac/package/netperf/bin/@sys/tcpdump

u-network-management: warrenm, cottrell, kmartell, cal, cxg, grosso, janewei, gtb
ssh All

maint-pkg-nikhef: cxg, warrenm, dougc

The following have /usr/sbin/ndd -set privs and sudo kill (via
cmd macro IEPM_PHARLAP) on pharlap (7/19/01):

cal, cottrell, cxg

Account iepm has sudo kill with no password on pharlap (12/14/01)

cottrell also has ndd -set for evagore (11/21/01)

iepm has pipechar with no password on pharlap and antonia (11/28/01)
