UNIX for Dummies Questions & Answers

Hi,

I am working for GE Capital as a Unix Programmer. We have a problem with our User Security Setup.

Problem Description:

Different businesses submit files to GE Capital for processing. Each business is given a unix user login to ftp their files to our server. Processed files are put back in an output directory.
The files are processed by an appln developed by us.

So our current set up has something like this:
business user: bus01
home directory: /home/businesses/bus01
Application Admin Id: appadmin
Appln Home: /home/app

appadmin user should have access to both appln home and business home directory, but a business user should have access to its directory alone. One business should not access other business' directories or appln home directories.

We created a group, say gbus01 for every user and added appadmin to this group. The home directory is created using the bus user id and group gbus01 assigned with all permissions to user and group. This was working good.

But, we have more than 32 businesses, so our appadmin has been added to all 32 groups (gbus01). It started behaving erratically once we added this user to another group. We realised, Solaris has a limitation that one user cannot be added to more than 32 groups.
So we are brainstorming on redesigning this set up. Any inputs would be highly appreciated.

Please let me know if you need any more details.

Thanks in advance,
Sreenivas

have you altered the default system setting for max groups? the default should be 16.

in your /etc/system file put

set ngroups_max = 64 (what ever number you need here)

you will have to reboot the machine.

what version of solaris are you running?

My solution would be to change the way you are using groups. Your business id's would be given a group of "guest" in the passwd file. But their home directories would have another group, "adm". And I would:
chown bus01:adm /home/bus01
chmod 770 /home/bus01

Now bus01 can access his home directory, but only his. And any member of the adm group can access all the home directories.

Also the solaris ftpd supports chrooted homes and I would put all of the busxx folks into one large chrooted environment.

Finally I would consider replacing the solaris ftpd with a super-secure replacement like pureftpd. That would be the ultimate in security.

Thanks to both of you for the prompt replies.


We are using Solaris 5.8.

I would certainly want to try these suggestions of yours.

One more suggestion that our Unix Admins have come up is using setfacl command to set access control to admin users on business home directories. But one glitch is performance degradation. I read that ACLs reduce performance and have to be used in only compelling situations. Can you please confirm and explain if possible.

Thanks again,
Sree

There is room in the inode of a file for a uid and gid. But no room for an acl. So any acl's you create get stored in inode extentions of some kind. And they don't fly off the disk and into core for free.

Using acl's when a single gid is enough would be crazy. It's not the disk overhead, it's the confusion overhead. Acl's will be invisible to your ftp users. That could result in behavior that they don't understand. Look at this post. Would you have set that mask?

Here is a challenge for your sysadmins: Create a sample directory structure using acl's for 3 users. Back up the sample directory structure using any technique. Destroy the sample directory structure. Now restore it. Sounds like 15 minute job, doesn't it?

hey... am sorry for the delay... was on vacation infact.

Thanks for the clarification. Its still under review, will surely let you know the outcome.

Thanks again for the prompt replies.
-Sree