HPE Community
Operating System - HP-UX
1833712 Members
1998 Online
110063 Solutions
New Discussion

Re: personalized accounts on multiple packages

 
SOLVED
Go to solution
michas
Occasional Contributor

‎05-16-2011 03:00 PM

‎05-16-2011 03:00 PM

personalized accounts on multiple packages

Let's take a department with 10 employees working with 10 applications each running in its own package. Each application runs under the uid of a user owning all the files.

Additionally, each employee shall have an user name and password (e.g. supplied by ldap), which he can use to ssh to each of the packages. Is this possible?

At work packages live in /pkg/$packagename/ and home directories live inside the package.
But that means the home dir path contains both the package name and the user name. Which, for 10 employees and 10 packages results in 100 different system users and 10 different accounts per user. - That cannot be the way it should work.

What is the way this is usually solved?
0 Kudos
Reply
4 REPLIES 4
Duncan Edmonstone
HPE Pro

‎05-16-2011 10:10 PM

‎05-16-2011 10:10 PM

Re: personalized accounts on multiple packages

For the UID issue sure you should be using _groups_?

If I define a group that a user is a member of for each package, then I simply have 1 user ID which has a number of secondary groups associated with it for each package that I want the user to have access to - I then just control access to the package by group permissions rather than by user permissions.

man 4 group

for details... you may need to link /etc/logingroup to /etc/group to use secondary groups...


For the home directory issue - why do the users need to have a home directory associated with each package? do they create files/data or something that needs to be kept seperate? I suppose the simplest thing would be to still have the directory structure, but not the seperate users and simply have some simple menu at login time which moves does a "cd" into the appropriate directory.

HTH

Duncan

I am an HPE Employee
Accept or Kudo
Reply
michas
Occasional Contributor

‎05-17-2011 01:58 AM

‎05-17-2011 01:58 AM

Re: personalized accounts on multiple packages

Well, controlling access using the correct group permission was already planned.

The only issue left is, whether it is possible to have only a single account for each employee with a valid home directory on each package.

I would really like to have some kind of valid home directory on all packages to be able to store some per user configuration like .profile, .ssh/authorized_keys, etc.

At the moment there are no personalized users and every one just logs in as the almighty application user. Which is easy, but clearly no good idea.

Having a separate personalized account as anywhere else would be great, but seems to fail because of the issue with the home directory.

The only other compromise would be to have a second read only user on each package, where all the people usually log in. This would be much less dangerous as the first case, but will still have all the other disadvantages.

I was hoping the scenario of different employees working with different applications would be quite common, and was wondering how it is done in other companies.
0 Kudos
Reply
Duncan Edmonstone
HPE Pro

‎05-17-2011 04:07 AM

‎05-17-2011 04:07 AM

Solution

Re: personalized accounts on multiple packages

If this is just config files like .profile and ssh config files, I can't think why you would want that "per package" - would it not just make sense to have a home directory on an NFS share which is a seperate package in the cluster - the use the auto-mounter to ensure the home dir is mounted when the use logs in to either system in the cluster?

Most modern applications don't have users physically logging in to UNIX systems anyway (there's usually a client-side app, or an application server in-between), so I suspect this situation is perhaps less common than you think.

HTH

Duncan

I am an HPE Employee
Accept or Kudo
Reply
michas
Occasional Contributor

‎05-17-2011 07:55 AM

‎05-17-2011 07:55 AM

Re: personalized accounts on multiple packages

Yes, an NFS share would probably be the best way. Unfortunately, at my company all the IT is outsourced and they don't like NFS for some reason. :(

Guess real personalized accounts are therefore just not realizable, as I am not in charge of making such big changes. - So I will probably go with the single additional read only user on each package and some kind of shell magic allow different config for the employees even though they use the same user.

Thanks a lot for your answers.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.