UNIX for Dummies Questions & Answers

I am new to UNIX administration. I have 10 years of Windows admin experience. I need to know how to give java developers the access they need to install and maintain the applications they are writing. In the Windows world I would make them a local admin on a test server but give them limited access to the production server. How do I go about doing something like that in UNIX?

well mate, it depends on what java there using, oracle application server, BEA, IBM webshpehre. Here is the steps to do

1)never give them admin or root access
2)create a /app file system with enough space so they can use it..
3)add them individually on to the machines with there username and set there password

4.)google sudo, read up on it
5.)install sudo
6.)configure sudo so that the java devlopers only have access to the user that will be running java,

i.e. oracle
or weblogic

7.)explain to them how to login to oracle via sudo(its in the documentation)

let me know if this makes sense

Some of it does make sense and it does help. I asked about the java they are using. they are using Sun One web server - actually building a web app for it. They want to deploy the application to the web server. I have created an account for them to use already. It is a member of the root group. That might be more than they need but this is the test server. I want to be more restrictive on production. Sudo might be the answer but I will need to read up on it a good bit. Should the developers use the same account that the web server runs under?

I would strongly suggest taking the sunone account out of the root group. Not only is it dangerous from a security point of view, one of the devs, could really muck things up.

developers should login as themselves, then "sudo" to the sun one account.

The sooner you start using security best practices the less pain it will be to convince developers and management why you should go this route. Enforce now and it will be easier on you. here is an example of the sudo configuration file, create a group for admins called envmqmt or whatever you like, create a group called dev and place all devs usernames in that group, then configure sudo as below(sudosh is another program that can track all user commands, it is used in conjunction with sudo)



# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# sudoers file TE 19JUL
# edit: TE 19JUL07
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification
User_Alias STAFF=%envmgt
User_Alias DEV=%dev

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL
STAFF ALL = NOPASSWD: /usr/bin/su - , /usr/local/bin/sudosh
DEV ALL = NOPASSWD: /usr/bin/su - sunone, /usr/local/bin/sudosh

You said I should "sudo" to the sun one account. How do I know what account that is? I know of these accounts related to the sun one web server 1) webservd - is the account that the sun one web service runs under 2) I have another account that allows me to log onto the web server admin page.