Henry Katz writes:
> I sought to use tcp wrapper to qualify user logins (with its rfc 931 checking
> ability) in an attempt to prohibit certain users from logging in to our
> NIS master and yet permitting them access to other NIS clients. Apparently
> rfc 931 is not so popular and most queries return "unknown" for user
> authentication thereby foiling this effort.
>
> Is there a simpler way to implement this restriction? We are running 4.1.3
> on 10's, 690MPs. Is this a simple netgroup exercise or is there an elegant
> solution?
Well, somebody will probably flame me for this, but using netgroups *is* the
elegant solution.
Here we basically have four classes of users: sysadmins, office, researchers,
and ordinary users (typically undergraduates taking classes using the undergrad
computing lab). Sysadmins run the machines, and need access to everything.
The office netgroup is restricted to only those staff who need access in the
department office, and faculty with administrative appointments. The
researchers are the rather large class of folks who typically have machines in
their offices. The last group is everybody else on the system.
We use netgroups in /etc/passwd to control access to various machines. We
specifically deny access to fileserver/gateway machines using an /etc/passwd
like this:
root:nJAZ7Q8vGcgQI:0:1:Systems Staff:/:/bin/csh
nobody:*:65534:65534:Root's evil twin Skippy:/:
daemon:*:1:1:Steppinfetchit:/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
ingres:*:7:7::/usr/ingres:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync:*:1:1::/:/bin/sync
+@staff::0:0:::
+::65534:65534:::/usr/new/misc/message
"staff" is the sysadmin netgroup. Anybody else who tries to log in there gets
the shell /usr/new/misc/message, which is a binary with customized messages
based on the username, etc., etc. It's beyond the scope of this discussion,
but if somebody wants me to elaborate to the list, I will.
An office machine's /etc/passwd looks like this:
root:nJAZ7Q8vGcgQI:0:1:Systems Staff:/:/bin/csh
nobody:*:65534:65534:Root's evil twin Skippy:/:
daemon:*:1:1:Steppinfetchit:/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
ingres:*:7:7::/usr/ingres:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync:*:1:1::/:/bin/sync
+@staff::0:0:::
+@office::0:0:::
+::65534:65534:::/usr/new/misc/message
And a research machine looks like this:
root:nJAZ7Q8vGcgQI:0:1:Systems Staff:/:/bin/csh
nobody:*:65534:65534:Root's evil twin Skippy:/:
daemon:*:1:1:Steppinfetchit:/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
ingres:*:7:7::/usr/ingres:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync:*:1:1::/:/bin/sync
+@staff::0:0:::
+@office::0:0:::
+@visitor::0:0:::
+@faculty::0:0:::
+@resnetusers::0:0:::
+::65534:65534:::/usr/new/misc/message
The "everybody else" machine has an /etc/passwd like this:
root:nJAZ7Q8vGcgQI:0:1:Systems Staff:/:/bin/csh
nobody:*:65534:65534:Root's evil twin Skippy:/:
daemon:*:1:1:Steppinfetchit:/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
uucp:*:4:8::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/bin/csh
ingres:*:7:7::/usr/ingres:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
sync:*:1:1::/:/bin/sync
+@staff::0:0:::
+@office::0:0:::
+@visitor::0:0:::
+@faculty::0:0:::
+@resnetusers::0:0:::
+::65534:65534:::
I should point out that the NIS master server also happens to be one of the
fileserver/gateway machines, and it is thus also a NIS client. This is
accomplished by placing the global passwd file somewhere *other* than
/etc/passwd, e.g., /etc/passwd.nis. The benefit of this scheme is that
accounts are created globally, and increasing access for various projects is a
matter of updating /etc/netgroup on the NIS master and pushing out the changes.
The downside is that it doesn't scale well. Since we include hosts as well as
users in our /etc/netgroup (we have about 100 workstations and about 600
users), /etc/netgroup can get pretty unwieldy. We recently implemented a set
of templates for creating the file, based on base group membership, etc., and
set up a mechanism for exceptions. I won't include the entire file, but
here are some selected lines (of the expanded file):
staff1 (-,jim,) (-,dna,) (-,ward,) (-,morse,) (-,keating,) (-,chong,)
staff2 (-,wilcox,) (-,freeman,) (-,shane,) (-,mcellroy,) (-,fee,)
staff staff1 staff2
office1 (-,bonnie,) (-,wyland,) (-,snare,) (-,manning,) (-,halpenny,) (-,raymond,)
office2 (-,stover,) (-,manfull,) (-,merritt,) (-,spindler,) (-,beaton,) (-,bona,)
office3 (-,anderson,) (-,office,) (-,conn,) (-,mccammon,) (-,welch,) (-,parsons,)
office4 (-,ota,) (-,shriver,) (-,bab,) (-,woomer,)
office office1 office2 office3 office4
visitor1 (-,lewis,) (-,marcia,) (-,toland,) (-,li,) (-,hassel_b,) (-,pillet,)
visitor2 (-,berlyand,) (-,rosaz,) (-,albert,) (-,mckinney,) (-,shubin,)
visitor3 (-,feres,) (-,patern_g,) (-,agk,) (-,seeds,) (-,colin,) (-,saut,)
visitor4 (-,hhf,) (-,bosher_m,) (-,chi,) (-,pek,) (-,sataev,) (-,kamo,)
visitor5 (-,mlm,) (-,pollic_m,) (-,donato,) (-,das,) (-,hu,)
visitor6 (-,leu,) (-,eckmann,) (-,spence,) (-,drensky,) (-,zhang_b,)
visitor7 (-,robinson,) (-,feldman,) (-,sole,) (-,bianch_e,) (-,maddocks,)
visitor visitor1 visitor2 visitor3 visitor4 visitor5 visitor6 visitor7
gradoffice1 (-,lina,) (-,luo,) (-,pan,) (-,paolo,) (-,qin,) (-,shub,) (-,plu,)
gradoffice2 (-,hassan,) (-,bouwsma,) (-,jimbo,) (-,jirari,) (-,jan,) (-,liyi,)
gradoffice3 (-,sizwe,) (-,torre,) (-,warren,) (-,wja,) (-,wang,)
gradoffice4 (-,amin,) (-,witzany,) (-,jun,) (-,chang,) (-,cchen,)
(-,kjc,) (-,kalin,)
gradoffice5 (-,pho3,) (-,liny,) (-,aem,) (-,amuk,) (-,mukher_b,) (-,boat,) (-,yye,)
gradoffice6 (-,jing,) (-,marcone,) (-,nitica,) (-,torok,) (-,zapletal,)
gradoffice7 (-,chen_h,) (-,adrian,) (-,lee,) (-, suciu,) (-, perkins,)
gradoffice01 gradoffice1 gradoffice2 gradoffice3 gradoffice4 gradoffice5
gradoffice02 gradoffice6 gradoffice7
gradoffice gradoffice01 gradoffice02
cesfac (-,nouri,) (-,ermish,)
resnetusers fullacc gradoffice cesfac
decusers1 (-,wgp,) (-,fenner,) (-,dmh,) (-,kenh,) (-,haney,) (-,aikens,) (-,hsu,)
decusers2 (-,tavener,) (-,qin,) (-,jing,) (-,sibley,) (-,simpson,) (-,lxb,)
decusers3 (-,xu,) (-,shen_j,) (-,keswa,) (-,amuk,) (-,wayne,) (-,lu_j,) (-,chen_w,)
decusers4 (-,maddocks,)
decusers staff decusers1 decusers2 decusers3 decusers4
alphausers1 (-,dna,) (-,xu,) (-,shen_j,) (-,wgp,) (-,tavener,)
(-,chen_m,) (-,bona,)
alphausers2 (-,andrews,) (-,wayne,) (-,jing,) (-,lu_j,) (-,qin,) (-,amuk,)
alphausers3 (-,sibley,) (-,lopez,) (-,tang,) (-,wang,) (-,mckinney,)
alphausers staff alphausers1 alphausers2 alphausers3
Note that this system works well in a multi-vendor environment: the "decusers"
and "alphausers" netgroups at the end of the file are for special-purpose
machines from Digital associated with a specific research project.
I should also note that an earlier version of NIS had a problem if the netgroup
lines were too long, which forced us to nest the references. We decided to
improve the readability even further by limiting each line to eighty characters.
This is in a state of flux, since we're switching over to the templates and a
Makefile (so it's uglier than I remember). But it's worked pretty well for us.
No doubt somebody will point out some hole which I've missed (other than the
well-known weaknesses in NIS).
Jim
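As an added illustration (not code from Jim's post, and not SunOS or NIS itself), the following Python script models the "compat" /etc/passwd lookup the scheme above relies on: a local file is scanned top to bottom, a plain entry wins outright, a `+@netgroup` line admits the members of that netgroup (nested groups expanded as in the /etc/netgroup excerpt), and a bare `+` line catches everyone else. The netgroup text, NIS passwd map and local passwd files are constructed for the example; the override rule it assumes is that a non-empty password, gecos, home or shell field on a `+` line replaces the NIS value while the uid/gid placeholders (`0:0`, `65534:65534`) are ignored, which is exactly what the post's `+::65534:65534:::` lines depend on. The deny shell name `/usr/new/misc/message` is taken from the post.

```python
"""
Added example, not code from the original post: a simulator of the NIS
"compat" /etc/passwd lookup. All netgroup and passwd data below are
constructed; the override semantics (password, gecos, dir, shell can be
overridden by a + line, uid/gid placeholders are ignored) are an assumption
consistent with the post's own "+::65534:65534:::" entries.
"""
import re

# Constructed /etc/netgroup text: nested groups, (host,user,domain) triples,
# and a backslash-continued line as used to keep lines under eighty columns.
NETGROUP_SRC = """\
staff1 (-,jim,) (-,dna,)
staff2 (-,wilcox,) \\
       (-,freeman,)
staff staff1 staff2
office1 (-,bonnie,) (-,wyland,)
office office1
gradoffice1 (-,lina,) (-, luo,)
gradoffice gradoffice1
resnetusers gradoffice
"""

# Constructed NIS passwd map, i.e. what "ypcat passwd" would show (fake hashes).
NIS_PASSWD = {
    "jim":    "jim:NISHASH1:1001:10:Jim:/home/jim:/bin/csh",
    "bonnie": "bonnie:NISHASH2:2001:20:Bonnie:/home/bonnie:/bin/sh",
    "lina":   "lina:NISHASH3:3001:30:Lina:/home/lina:/bin/sh",
    "ugrad":  "ugrad:NISHASH4:4001:40:Undergrad:/home/ugrad:/bin/sh",
}

# Constructed local passwd files for two of the host classes in the post.
GATEWAY_PASSWD = """\
root:LOCALHASH:0:1:Systems Staff:/:/bin/csh
+@staff::0:0:::
+::65534:65534:::/usr/new/misc/message
"""
OFFICE_PASSWD = """\
root:LOCALHASH:0:1:Systems Staff:/:/bin/csh
+@staff::0:0:::
+@office::0:0:::
+::65534:65534:::/usr/new/misc/message
"""
DENY_SHELL = "/usr/new/misc/message"   # the "you may not log in here" shell

TOKEN_RE = re.compile(r"\([^)]*\)|\S+")            # a triple or a nested group name
TRIPLE_RE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")


def parse_netgroup(src):
    """Return {netgroup: [tokens]} from /etc/netgroup text, joining \\-continued lines."""
    groups, pending = {}, []
    for raw in src.splitlines():
        if raw.rstrip().endswith("\\"):
            pending.append(raw.rstrip()[:-1])
            continue
        line = " ".join(pending + [raw]).strip()
        pending = []
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        groups[name] = TOKEN_RE.findall(rest)
    return groups


def expand(groups, name, seen=None):
    """All (host, user) pairs in a netgroup, following nested names; cycle-safe."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    pairs = set()
    for tok in groups[name]:
        m = TRIPLE_RE.fullmatch(tok)
        if m:
            host, user, _domain = (f.strip() for f in m.groups())
            pairs.add((host, user))
        else:
            pairs |= expand(groups, tok, seen)
    return pairs


def user_in_netgroup(groups, name, user):
    """innetgr()-style user test: an empty user field is a wildcard, '-' matches nobody."""
    return any(u == user or u == "" for _host, u in expand(groups, name))


def resolve_login(local_passwd, groups, nis_passwd, user):
    """Effective passwd line for `user` on a host with this local file, or None."""
    for line in local_passwd.splitlines():
        fields = line.split(":")
        key = fields[0]
        if not key.startswith("+"):
            if key == user:
                return line                     # plain local entry wins first
            continue
        if key.startswith("+@"):
            if not user_in_netgroup(groups, key[2:], user):
                continue
        elif len(key) > 1 and key[1:] != user:
            continue                            # "+name" pulls in exactly one user
        nis_line = nis_passwd.get(user)
        if nis_line is None:
            continue                            # admitted by the line, but not in the map
        nis_fields = nis_line.split(":")
        for i in (1, 4, 5, 6):                  # passwd, gecos, dir, shell
            if i < len(fields) and fields[i]:
                nis_fields[i] = fields[i]       # uid/gid (fields 2, 3) deliberately ignored
        return ":".join(nis_fields)
    return None


def login_allowed(local_passwd, groups, nis_passwd, user):
    """True if the user resolves to an entry whose shell is not the deny shell."""
    entry = resolve_login(local_passwd, groups, nis_passwd, user)
    return entry is not None and entry.split(":")[6] != DENY_SHELL


def overlong_lines(src, limit=80):
    """Physical netgroup lines longer than `limit` columns (the post's readability rule)."""
    return [n for n, raw in enumerate(src.splitlines(), 1) if len(raw) > limit]


if __name__ == "__main__":
    g = parse_netgroup(NETGROUP_SRC)
    for host, pw in (("gateway", GATEWAY_PASSWD), ("office", OFFICE_PASSWD)):
        for u in ("jim", "bonnie", "lina", "ugrad"):
            print(host, u, login_allowed(pw, g, NIS_PASSWD, u), resolve_login(pw, g, NIS_PASSWD, u))
```

Running it shows why ordering matters: a `+@staff` line placed after the catch-all `+` would never be reached, and the catch-all is what hands everyone outside the named netgroups the message shell instead of a real one.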