Unix/NFS group iepm
File used to keep track of network group privs. It use the ypgroup Unix databases
To see who is in a group use the command*
netgroup <group_name>, e.g. 36cottrell@pinger:~>netgroup u-network-management u-network-management (-,antony,) (-,cal,) (-,cottrell,) (-,cxg,) (-,jerrodw,) (-,kmartell,)
or
ypmatch <group_name> group ypmatch <group_name> netgroup, e.g. 35cottrell@pinger:~>ypmatch u-network-management netgroup (-,antony,) (-,cal,) (-,cottrell,) (-,cxg,) (-,jerrodw,) (-,kmartell,)
or
ypgroup exam -group iepm Group 'iepm': GID: 2087 Comment: Last modified at Aug 2 15:20:42 2006 by jonl Owners: cal Members: akbar, cal, cottrell, cxg, fawad, hasan, iepm, jerrodw, jiri, maheshkc, rich, ytl
To add someone to a group use (Les can execute this command):
ypgroup adduser -group iepm -user pinger
# Please keep unix-admin & security notified when changes are needed, e.g. people changing function or moving etc.
#Note that people with privileges need to change their passwords at least every 9 months.
To see which hosts use a netgroup
grep the files at /afs/slac.stanford.edu/g/scs/systems/system.info/<machine>/taylor.opts.expanded looking for the group, e.g.
6cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm /afs/slac/g/scs/systems/system.info/i*/taylor.opts.expanded /afs/slac/g/scs/systems/system.info/iepm-bw/taylor.opts.expanded:limit_login=u-iepm /afs/slac/g/scs/systems/system.info/iepm-resp/taylor.opts.expanded:limit_login=u-iepm
N.b. replacing i* with * will probably result in /bin/grep: Argument list too long. Also note that as of 12/31/06 the hosts whose access is controlled by u-iepm are: iepm-bw, iepm-resp, monalisa, nettest5, and pinger
NFS file access
NFS file systems such as /nfs/slac/g/net/pinger are exported to netgroup from netfs02, so it is available on all machines in that group. To see the full list you can type:
119cottrell@pinger:~>netgroup slac > ! /tmp/junk
and edit the file (/tmp/junk). The amd mountpoints are transient....they timeout when not in use. So sometimes it will work to cd to /nfs/slac/g and you will see an entry for net/pinger, but if it has timed out you may not, even on pinger (unless something runs there that keeps it constantly available). Once the mountpoint has timed out you will have to cd to the full amd mount path which in this case is /nfs/slac/g/net/pinger to get amd to remount the space.
Unix/AFS groups
Purpose |
afs path |
contact(s) |
|---|---|---|
SVN access |
/afs/slac/g/scs/net/netmon/repo/svn |
Cottrell |
|
|
|
|
|
|
To see the names of groups and privileges on a particular directory, issue the command
fs la <directory>, e.g. fs la .
or
fs la /afs/slac/g/scs/net/pinger jerrodw@pinger $ fs la /afs/slac/g/scs/net/pinger/ Access list for /afs/slac/g/scs/net/pinger/ is Normal rights: maint-pkg-netmon rlidwk g-scs rlidwka system:slac rl system:administrators rlidwka system:authuser rl
To view members of a particular group listed from 'fs la', issue the command:
pts mem <group_name>, e.g. jerrodw@pinger $ pts mem maint-pkg-netmon Members of maint-pkg-netmon (id: \-4786) are: <list of user_id's belonging to this group>
To add users to a particular group (only if you have privileges of course), issue the command
pts adduser \-group <group_name> \-user <user_id>
Network Test hosts
Please note that we would like to see network testing, especially WAN testing, done primarily and by convention from machines set aside for that purpose
(e.g. iepm-bw, iepm-resp, pinger), the list of network machines is kept at http://www-iepm.slac.stanford.edu/about/nodes.html
To find out who can logon to a specified host look at the /etc/passwd file on that host, look towards the end for things like
+@u-iepm
and use the netgroup u-iepm command to see who is in the group.
To find out what hosts u-iepm can logon to use:
#65cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm \*/passwd #bping/passwd:+@u-iepm #iepm-bw/passwd:+@u-iepm #iepm-resp/passwd:+@u-iepm #iepm-sol/passwd:+@u-iepm #monalisa/passwd:+@u-iepm #...
Sudo
The sudoers file can be found at:
/afs/slac/package/taylor/prod/base/sudoers
The following lines are in the sudoers file:
# NB: The following two aliases define collections of commands for use # by members of the IEPM group on all machines and on the network # trouble-shooting machine, pharlap, respectively. In this context, # "IEPM group" is not necessarily the same as the NIS group named # "iepm"; changes to the commands in the two aliases, or to the users # who should be authorized to use the commands, still need the usual # approvals. # Commands authorized for members of the IEPM group on all machines: Cmnd_Alias IEPM_ALL = NIKHEF_PING,PATHCHAR,PCHAR,PIPECHAR # Commands authorized for members of the IEPM group on pharlap: # The addition of PIPECHAR to this list of commands is granted for # six months only and should be revisted May 28, 2002. Cmnd_Alias IEPM_PHARLAP = SNOOP,TCPDUMP,NDD,PIPECHAR,KILL
The people in the sudoers file with privileges assigned by these two Cmnd_Alias-es are: cal, cottrell, cxg.
iepm group: cottrell, warrenm, cal, dougc, cxg, grosso Pathchar All sudo /afs/slac/g/scs/bin/pathchar Pchar All sudo /afs/slac/package/netperf/bin/@sys/pchar Pipechar All sudo /afs/slac.stanford.edu/package/netperf/bin/@sys/pipechar NIKHEF ping All sudo /afs/slac/package/nikhef/@sys/ping #Snoop and tcpdump are big security exposures, so please be careful with their use. #Probably a good idea to notify security (email just before you start) if you are #going to use snoop and/or tcpdump Snoop Pharlap sudo snoop Tcpdump Pharlap sudo /afs/slac/package/netperf/bin/@sys/tcpdump u-network-management: warrenm, cottrell, kmartell, cal, cxg, grosso, janewei, gtb ssh All maint-pkg-nikhef: cxg, warrenm, dougc
The following have /usr/sbin/ndd -set privs and sudo kill (via cmd macro IEPM_PHARLAP) on pharlap (7/19/01):
cal, cottrell, cxg
Account iepm has sudo kill with no password on pharlap (12/14/01)
cottrell also has ndd -set for evagore (11/21/01)
iepm has pipechar with no password on pharlap and antonia (11/28/01)
Mailing lists
The main mailing list is iepm-group. To get added to this list contact Les Cottrell. To see who is in the group etc. go to majordomo