Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Setup of user groups and permissions
Top Forums UNIX for Dummies Questions & Answers Setup of user groups and permissions Post 302175458 by sad_angle on Friday 14th of March 2008 05:04:57 AM
Old 03-14-2008
As much as I agree with denn, that sudo tool can enable you to get the permissions that you want to take place, And as much as I agree with flatopokey that webmin is a very useful tool, however, I disagree with their approach to work the project.

Their approach is to deal with one user at a time, which builds permissions around every user on his/her own. Thus causing same-level employees to have more permissions than others. That can cause long term administrative problems on the long run.

My approach is to build your security policy around the "job description". Then assign users and groups to these job descriptions. That means you need more than just user/group/others, backed up by timed cron jobs.

SE Linux gives you the ability to set more than 4000 levels of "job descriptions", on the core kernel level. The moment you change the "job description", by default all users, groups, applications permissions, and rights, in that category, will follow.

My quick assessment is that you need a 4 steps project:

1- Get the job descriptions for everyone that will access your system, with the assistance of the two arms : human resources, and financial management, know what files or directories these "job descriptions" need to access, or have access denied.

2- Decide if using Webmin and Usermin will suffice for the project, as you'll work on the 'that guy' level. Or that you have too many users that you need to work on the 'job description' level.


3- For less than 30 job descriptions, I recommend aggressive usage of sodu, then webmin and user min. For more than 30 job descriptions in one company, or more than 200+ employees (I'm cynical in these numbers) I recommend to install SE Linux batch. Your 2.6 kernel has support for it.

4- Look the screen shots at screens - SETools Policy Analysis Suite - Trac. You can use the SLIDE application to manage it. SELinux Policy IDE (SLIDE) - Trac . Go further to use project CLIP as a presentation to your boss, on how you are planning on it. Choose which model you wish to apply
http://www.nsa.gov/selinux/papers/policy2/x84.html


Finally, I think this is a fun and great project, so enjoy every minute of it. You'll be amazed how much you'll know about UNIX by the end of it.

Good luck Mike
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

dynamic user groups

Is it possible to dynamically allocate a new user group to an existing session on Solaris 5.8 I'd like to be able to allow certain users to access a set of scripts for the life of session (preferably there own session not a specific login created for the purpose) by dynamically giving the session... (0 Replies)
Discussion started by: hammer
0 Replies

2. Shell Programming and Scripting

Extract directories, users, groups & permissions to excel

Hi As the title descibes I wish to create an excel spreadsheet which lists all directories in full allong with the users, groups and rights. I have not used Perl scripts before so I'm a little lost on this on. Cheers (0 Replies)
Discussion started by: MacLon
0 Replies

3. UNIX for Dummies Questions & Answers

Adding user to groups

How do I add a user to a group? And how do I determine the list of groups to add a user? Solaris 10 newbie (1 Reply)
Discussion started by: peteythapitbull
1 Replies

4. UNIX for Dummies Questions & Answers

User groups

Hi I have a user zak and 4 groups:- oracle stats data archive I want user zak to be part of the oracle and stats group but not be able to view,list anything in data and archive. Also anyone in the data and archive group should not be able to view,list anything in oracle and stats....... (3 Replies)
Discussion started by: Zak
3 Replies

5. Solaris

Setting user groups

Hi......... I'm trying to set a group of users to login to do a required super-user tasks without knowing the super-user passwd. For example...a user popodude logs in as self with passwd..system accepts the password & then automatically asks for the super-user account passwd. My goal is... (1 Reply)
Discussion started by: Remi
1 Replies

6. AIX

user & groups

1 - what is the maximum no: of groups a user can be a part of ? 2 - what is maximum no: of users a group can contain ? (6 Replies)
Discussion started by: senmak
6 Replies

7. UNIX for Dummies Questions & Answers

Multiple groups in directory / file permissions

Hi I need to permit one group to have r-x permissions on all files in a directory and another group to have just read access, im confused how to do this as if i set the 'Other' permission class as read access then all users will have access to them. So basically i have a directory which the... (2 Replies)
Discussion started by: m3y
2 Replies

8. AIX

Nested user groups

Is there a command to nest a group in another group in AIX. (2 Replies)
Discussion started by: daveisme
2 Replies

9. UNIX for Dummies Questions & Answers

How to make user groups and edit permissions?

OK guys and gals. I've been working on a debian system for a little bit, in hopes of making it into a system we can use for manifests and other things. I am very new to unix, particularly debian. I would like to make 2 or 3 different groups. 1 would be for me, and other people... (1 Reply)
Discussion started by: samee71
1 Replies

10. UNIX for Beginners Questions & Answers

ACL permissions setup

All, I am building a glusterfs environment for file storage and need to set up ACL's as there are multiple users that need different types of access. I have ingested ~20TB of needed data to /toplevel dir and: chown -R root:root /toplevel ; chmod -R 775 /toplevel What I need from ACL as... (0 Replies)
Discussion started by: hburnswell
0 Replies

LEARN ABOUT CENTOS

cgconfigparser

CGCONFIGPARSER(8)						 libcgroup Manual						 CGCONFIGPARSER(8)

NAME

       cgconfigparser - setup control group file system

SYNOPSIS

       cgconfigparser [-h] [-l <filename>] [-L <directory>] [...]

OPTIONS

       -h, --help
	      Displays help.

       -l, --load=FILE
	      Parses  the  control  groups  configuration  file Sets up the control group file system defined by the configuration file and mounts
	      mount points defined by the configuration file.  The format of the file is described in cgconfig.conf. This option can be used  mul-
	      tiple times and can be mixed with -L option.

       -L, --load-directory=DIR
	      Finds  all  files in given directory and parses them in alphabetical order like they were specified by -l option. This option can be
	      used multiple times and can be mixed with -l option.

       -a <agid>:<auid>
	      defines the default owner of the rest of the defined control group's files. These users are allowed to set subsystem parameters  and
	      create subgroups.  The default value is the same as has the parent cgroup.

       -d, --dperm=mode
	      sets the default permissions of a control groups directory.  The permissions needs to be specified as octal numbers e.g.	-d 775.

       -f, --fperm=mode
	      sets  the default permissions of the control group files.  The permissions needs to be specified as octal numbers e.g.  -f 775.  The
	      value is not used as given because the current owner's permissions are used as an umask (so 777 will set group  and  others  permis-
	      sions to the owners permissions).

       -s, --tperm=mode
	      sets the default permissions of the control group tasks files.  The permissions needs to be specified as octal numbers e.g.  -f 775.
	      The value is not used as given because the current owner's permissions are used as an umask (so 777 will set group and  others  per-
	      missions to the owners permissions).

       -t <tuid>:<tgid>
	      defines  the default owner of tasks file of the defined control group. I.e. this user and members of this group have write access to
	      the file.

ENVIRONMENT VARIABLES

       CGROUP_LOGLEVEL
	      controls verbosity of the tool. Allowed values are DEBUG, INFO, WARNING or ERROR.

SEE ALSO

       cgconfig.conf (5)

Linux								    2009-03-16							 CGCONFIGPARSER(8)
All times are GMT -4. The time now is 10:48 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy