
Access to files.

Vicente Sanchez_3
Respected Contributor

Access to files.

Hello all,

This is the situation:

I'm migrating from an HP3000 to an HP9000. On the HP3000 I have several programs that need a lockword to be executed. Users from the whole system can access these programs, but only those who know the lockword can run them.

I'm looking for a similar mechanism on HP-UX.

Do you know anything about this?

Regards, Vicente.
Jean-Louis Phelix
Honored Contributor

Re: Access to files.

Hi,

A - Perhaps look to ACLs (man 5 acl)

B - create a dedicated login for the owner of this file and deny all access for group and other. Su'ing to this user will require a password.

C - the same ID, without a password, using a dedicated secondary group for allowed people only and the newgrp command

Regards.
It works for me (© Bill McNAMARA ...)
Jorge Pons
Trusted Contributor

Re: Access to files.

Hi Vin

Have you considered the possibility of changing the permissions? Put the users who can run it in the same group...

Regards

Jorge
Vicente Sanchez_3
Respected Contributor

Re: Access to files.

Hi,

The problem is that this situation is dynamic, I mean, today ten users, from different groups, can access Prg1, tomorrow 8 users from different groups can access Prg1, and so on.

And the number of programs in this situation can be different, also.

That's why on the HP3000 I establish a lockword for it to be run.

A commercial solution can be accepted.

Regards, Vicente.
Paula J Frazer-Campbell
Honored Contributor

Re: Access to files.

Hi

How about creating a "Lockword" login and giving this login, and only this login, permission to run the program.


Paula
If you can spell SysAdmin then you is one - anon
Anthony Giedlinski
Occasional Advisor

Re: Access to files.

Vicente --

We have a similar problem, but changes happen more slowly. What we use is sudo. By setting up a group whose members are only the people who need to run the application, and using sudo to control access, we can lock out everyone, and manage the members of the group in a very simple fashion.

If you are not familiar with sudo, the process is like this:

Install sudo.
Create a group to use, such as lockword, and populate it with the people to whom you wish to grant access.

Using the visudo command (installed above), grant the members of lockword the ability to run a script that will run the application, or the application itself.

The line in the sudoers file will look something like this:

Cmnd_Alias LOCKWORD=/opt/sudo/sudo/lockword.sh

or this

Cmnd_Alias LOCKAPP=/usr/bin/lockapp

A large number of such aliases are allowed. After the aliases section, the groups or individuals and which aliases are allowed are placed:

%sd-sradm ALL=(root) ALL

(this line means that members of the group sd-sradm can use sudo to gain access to run a shell as root without knowing the root password, just their own password, and also have permission to run any other aliased command above.)

%lockword ALL=(root) LOCKWORD LOCKAPP

(This line means that anyone who belongs to the group pgp has permission to run the script defined above as Cmnd_Alias LOCKWORD, or the application /usr/bin/lockapp, and anything that the script calls, including su - lockapp, after authenticating with their own login password)

The scripts are kept in a secure location (no write access, owned by root, the directory /opt/sudo is not readable by anyone, etc.)

The lockapp program should be made executable only by root, or the lockapp owner.

So at this point, just by managing the members of group lockword, it is decided who can run the lockapp program.

If I understand your situation correctly, the persons who are granted access change daily. There is one more thing that would be good to do to lock out yesterday's people: set a time when all sudo logins to lockword are terminated, which would occur after you remove those who should no longer be allowed access, and write a script to do that. The active sessions are easy to grep for with ps -ef, and this could even be done periodically via cron.

One other benefit is that you don't have to keep coming up with new lockwords.

Good luck.

Tony G.

Anthony Giedlinski
Occasional Advisor
Solution

Re: Access to files.

Vicente --

I corrected an error in the previous message.

We have a similar problem, but changes happen more slowly. What we use is sudo. By setting up a group whose members are only the people who need to run the application, and using sudo to control access, we can lock out everyone, and manage the members of the group in a very simple fashion.

If you are not familiar with sudo, the process is like this:

Install sudo.
Create a group to use, such as lockword, and populate it with the people to whom you wish to grant access.

Using the visudo command (installed above), grant the members of lockword the ability to run a script that will run the application, or the application itself.

The line in the sudoers file will look something like this:

Cmnd_Alias LOCKWORD=/opt/sudo/sudo/lockword.sh

or this

Cmnd_Alias LOCKAPP=/usr/bin/lockapp

A large number of such aliases are allowed. After the aliases section, the groups or individuals and which aliases are allowed are placed:

%sd-sradm ALL=(root) ALL

(this line means that members of the group sd-sradm can use sudo to gain access to run a shell as root without knowing the root password, just their own password, and also have permission to run any other aliased command above.)

%lockword ALL=(root) LOCKWORD LOCKAPP

(This line means that anyone who belongs to the group lockword has permission to run the script defined above as Cmnd_Alias LOCKWORD, or the application /usr/bin/lockapp, and anything that the script calls, including su - lockapp, after authenticating with their own login password)

The scripts are kept in a secure location (no write access, owned by root, the directory /opt/sudo is not readable by anyone, etc.)

The lockapp program should be made executable only by root, or the lockapp owner.

So at this point, just by managing the members of group lockword, it is decided who can run the lockapp program.

If I understand your situation correctly, the persons who are granted access change daily. There is one more thing that would be good to do to lock out yesterday's people: set a time when all sudo logins to lockword are terminated, which would occur after you remove those who should no longer be allowed access, and write a script to do that. The active sessions are easy to grep for with ps -ef, and this could even be done periodically via cron.

One other benefit is that you don't have to keep coming up with new lockwords.

Good luck.

Tony G.
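The following is an added example, not code from the thread or from the sudo project. It assumes the layout Tony G. describes (a group called lockword, the application /usr/bin/lockapp) plus an assumed service account named lockapp that owns the application. It shows the two pieces of the procedure in working form: emitting the sudoers lines for a group/application pair, and the "lock out yesterday's people" step, which takes ps -ef output and the group's /etc/group line and lists the sudo sessions whose owner is no longer a member. All input here is constructed sample data, so the script runs without touching a real sudoers file.

```shell
#!/bin/sh
# Added example; not code from the thread or from the sudo project. It assumes
# the layout Tony G. describes: a group 'lockword', the application
# /usr/bin/lockapp, and a service account (assumed name 'lockapp') that owns
# the application. Everything below runs on constructed sample data.

# 1. Emit the sudoers lines for one group/application pair.
#    usage: sudoers_fragment GROUP ALIAS APP_PATH RUNAS_USER
#    Running the command as the application's own account instead of root is a
#    least-privilege tightening of the thread's ALL=(root) form; members still
#    authenticate with their own password, as sudo does by default.
sudoers_fragment() {
    printf 'Cmnd_Alias %s=%s\n' "$2" "$3"
    printf '%%%s ALL=(%s) %s\n' "$1" "$4" "$2"
}

# Constructed stand-in for the 'lockword' line of /etc/group: only alice and
# bob are members today (carol was removed this morning).
GROUP_LINE='lockword:x:510:alice,bob'

# Constructed stand-in for `ps -ef` output (UID PID PPID C STIME TTY TIME CMD).
# carol's session was started before she was removed from the group.
PS_SAMPLE='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root     1     0  0   Jan 10  ?         0:02 init
   alice  1201  1100  0 09:14:02 pts/0     0:00 sudo /usr/bin/lockapp
 lockapp  1202  1201  0 09:14:02 pts/0     0:01 /usr/bin/lockapp
   carol  1310  1290  0 08:02:11 pts/2     0:00 sudo /usr/bin/lockapp
 lockapp  1311  1310  0 08:02:11 pts/2     0:03 /usr/bin/lockapp
     bob  1400  1380  0 09:31:40 pts/3     0:00 -sh'

# 2. is_member GROUP_LINE USER -> exit 0 if USER appears in the member field.
is_member() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -Fqx "$2"
}

# 3. stale_sudo_pids GROUP_LINE PS_OUTPUT -> PIDs of 'sudo /usr/bin/lockapp'
#    sessions whose invoking user is not (or no longer) in the group.
#    A cron job would feed real `ps -ef` output in and hand the result to kill.
stale_sudo_pids() {
    group_line=$1
    printf '%s\n' "$2" |
    awk '$8 == "sudo" && $9 == "/usr/bin/lockapp" { print $1, $2 }' |
    while read -r user pid; do
        if ! is_member "$group_line" "$user"; then
            printf '%s\n' "$pid"
        fi
    done
}

# Demonstration on the constructed data.
sudoers_fragment lockword LOCKAPP /usr/bin/lockapp lockapp
echo "stale sessions to terminate: $(stale_sudo_pids "$GROUP_LINE" "$PS_SAMPLE")"
```

On a live system the group line comes from `grep '^lockword:' /etc/group` and the process list from `ps -ef`; the UID column of `ps -ef` is the user who invoked sudo, which is what the membership check needs. The fragment itself should be added through visudo, as the post says, so a syntax error cannot lock everyone out, and sudo's own syslog entries give the audit trail of who ran the application and when.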
Caesar_3
Esteemed Contributor

Re: Access to files.

Hello!

Try to divide the users into groups so that only the group that should run this program can run it, or you can start to use the sudo program, where you can make rules about who can run the program.

Caesar
Jorge Pons
Trusted Contributor

Re: Access to files.

Hi Vin

Another thing you can do is rename the original program, and create a file with the old name of the program, which validates a specific word as a password and, if the word is correct, calls the program (new name).

Regards, Jorge
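The following is an added example, not code from the thread, of the wrapper Jorge describes. The original program is assumed to have been renamed to /usr/local/bin/prg1.real and the wrapper installed under the old name. Rather than keeping the word itself in the script, the wrapper keeps a salted SHA-256 hash in an assumed file /etc/lockword/prg1.hash, so reading the script or the hash file does not reveal the word; the presence of sha256sum, shasum or openssl is assumed.

```shell
#!/bin/sh
# Added example; not code from the thread. It implements Jorge's suggestion:
# the original program is renamed (assumed: /usr/local/bin/prg1.real) and a
# wrapper installed under the old name asks for the lockword before calling it.
# The word is stored only as a salted SHA-256 hash in an assumed file
# /etc/lockword/prg1.hash (one line, "salt:hash", root-owned, readable by the
# users who may try the program). A SHA-256 tool is assumed to be present; if
# none is found the hashing step reports failure instead of silently passing.

# lockword_hash SALT WORD -> hex SHA-256 of "SALT:WORD", using whichever
# digest tool is available on the host.
lockword_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s:%s' "$1" "$2" | shasum -a 256 | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s' "$1" "$2" | openssl dgst -sha256 | sed 's/.*= *//'
    else
        echo "lockword_hash: no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_lockword HASHFILE WORD -> exit 0 only if WORD matches the stored
# "salt:hash" line. A missing, unreadable or empty hash file denies access.
verify_lockword() {
    IFS=: read -r salt stored 2>/dev/null < "$1" || return 1
    [ -n "$stored" ] || return 1
    candidate=$(lockword_hash "$salt" "$2") || return 1
    [ "$candidate" = "$stored" ]
}

# run_gated HASHFILE REAL_PROGRAM [ARGS...] -> prompt with echo off, verify,
# then exec the renamed program with the user's arguments. Rejections go to
# syslog with the calling Unix user so an admin can see who is guessing.
run_gated() {
    hashfile=$1; real=$2; shift 2
    [ -t 0 ] && stty -echo
    printf 'Lockword: ' >&2
    read -r word
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    if verify_lockword "$hashfile" "$word"; then
        exec "$real" "$@"
    fi
    logger -p auth.warning "lockword rejected for $(id -un) on $real" 2>/dev/null
    echo "Access denied." >&2
    return 1
}

# In the installed wrapper (the file carrying the program's old name) the last
# line would be:
#   run_gated /etc/lockword/prg1.hash /usr/local/bin/prg1.real "$@"
# To set or rotate the word (as root), with a fresh random salt:
#   printf '%s:%s\n' "$salt" "$(lockword_hash "$salt" "$word")" > /etc/lockword/prg1.hash
```

Two properties of this design are worth keeping in mind when choosing between it and the sudo group approach from Tony G.'s answer. The word is shared by everyone who is allowed in, so the syslog entry can name the Unix account but the secret itself cannot be tied to a person, and revoking one user means rotating the word for all of them. And because the wrapper runs as the invoking user, the hash file has to be readable by those users, so a short or guessable word could be tested offline against the hash; the salt and a long word limit that, while the sudo route avoids the problem entirely by never having a shared secret.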