Hi folks, thanks for reading this. I have been asked to manage our company's SCO OpenServer 5 system since the old administrator left. I have a very basic knowledge of Unix, but only the basic commands - ls, ps, chmod, etc.

This server holds thousands of programs (converted Basic programs, dating back to the '70s) and files for two entities - our city hall and our public utilities. Up to this point there have only been two login ID's - one for city functions, the other for utility functions. Whoever logged in had run of the house for that area - payroll, accounts receivable, billing, etc. Unless permissions were purposely set low for a program or file, employees from the two entities could not access or modify the other entity's stuff. If a person is working on the city side and needs to do something on the utility side, they have to log out and log back in with the utility id.

We have a new finance director who wants to implement tighter security - and I'll admit it's probably time we did. I have outlined how the employees should be broken down into user groups: cityhigh (high restriction), citymed (medium restriction), and citylow (low restriction); and the same on the utility side (utilhigh, utilmed, utillow). Low restrictions for the managers, high restrictions for the users, and medium for - well, I'm not sure yet. Of course, I also need full access available to myself and the director so he can cross the boundaries of city and utilities effortlessly. There are also employees that work with both city and utility programs. I have already given each employee a unique login and assigned them to one of these groups. This is all fairly easy with the gui interface in SCO.

So how should I proceed now? For instance, I need the folks in the cityhigh group only to have access to one or two modules (say, data entry for assessments and season park passes), while the folks in the citylow group need access to those AND payroll AND utility accounts payable. Same with the utility side.

Do I need to adjust the permissions for every file to allow only this group and that group? Or is there an easier way to kind of "mass" update the whole system? Do I need to set different permissions values to each group?

I know this isn't going to be a quickly finished project, so I'm taking it step by step. I had suggested that our city contact a unix consultant to do this for us, but I was told it isn't in the budget.

Thank you for reading all the way to the end!

Mike

load the sudo utility; you can configure each person and groups as grandular as you wish, and its free.

Sudo Main Page

SELinux Frequently Asked Questions (FAQ)

Good luck

Have never installed on SCO but it should not be an issue..If your new to Unix try webmin (web based administration ) Webmin. I think you will like the results.

As much as I agree with denn, that sudo tool can enable you to get the permissions that you want to take place, And as much as I agree with flatopokey that webmin is a very useful tool, however, I disagree with their approach to work the project.

Their approach is to deal with one user at a time, which builds permissions around every user on his/her own. Thus causing same-level employees to have more permissions than others. That can cause long term administrative problems on the long run.

My approach is to build your security policy around the "job description". Then assign users and groups to these job descriptions. That means you need more than just user/group/others, backed up by timed cron jobs.

SE Linux gives you the ability to set more than 4000 levels of "job descriptions", on the core kernel level. The moment you change the "job description", by default all users, groups, applications permissions, and rights, in that category, will follow.

My quick assessment is that you need a 4 steps project:

1- Get the job descriptions for everyone that will access your system, with the assistance of the two arms : human resources, and financial management, know what files or directories these "job descriptions" need to access, or have access denied.

2- Decide if using Webmin and Usermin will suffice for the project, as you'll work on the 'that guy' level. Or that you have too many users that you need to work on the 'job description' level.


3- For less than 30 job descriptions, I recommend aggressive usage of sodu, then webmin and user min. For more than 30 job descriptions in one company, or more than 200+ employees (I'm cynical in these numbers) I recommend to install SE Linux batch. Your 2.6 kernel has support for it.

4- Look the screen shots at screens - SETools Policy Analysis Suite - Trac. You can use the SLIDE application to manage it. SELinux Policy IDE (SLIDE) - Trac . Go further to use project CLIP as a presentation to your boss, on how you are planning on it. Choose which model you wish to apply
http://www.nsa.gov/selinux/papers/policy2/x84.html


Finally, I think this is a fun and great project, so enjoy every minute of it. You'll be amazed how much you'll know about UNIX by the end of it.

Good luck Mike