HPE Community
Operating System - HP-UX
1819791 Members
3436 Online
109607 Solutions
New Discussion юеВ

Unix / Linux special groups

 
SOLVED
Go to solution
Raynald Boucher
Super Advisor

тАО06-03-2011 06:08 AM

тАО06-03-2011 06:08 AM

Unix / Linux special groups

Hello all,
We are migrating systems and I'm in a bit of cleanup / documentation process.

Where can I find documentation for/on special user groups founf on UNIX systems?
I'm thinking of the groups "wheel", "ctools", "ntools" and others.

We have some of these groups defined on our systems. I now they are needed for some admin tasks but cannot see any files belonging to them and cannot find documentation specifying the privileges their members are entitled to.

Thanks

RayB
0 Kudos
Reply
4 REPLIES 4
Dennis Handly
Acclaimed Contributor

тАО06-03-2011 10:16 AM

тАО06-03-2011 10:16 AM

Re: Unix / Linux special groups

I've never seen these groups. They must be special for your site or an application you use.
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО06-03-2011 12:15 PM

тАО06-03-2011 12:15 PM

Solution

Re: Unix / Linux special groups

In some Unix-style operating systems, "wheel" is the traditional name for the "users who are allowed to use su to become root" user group. This restriction is typically enforced by the su command itself.

Even with the "wheel" group functionality of (some versions of) su, this requires multiple users to know the root password. Changing a password that must be known by more than one person requires coordination and passing secrets around, making it harder to replace a password that might be fallen to wrong hands.

So, most current sources recommend using sudo instead of su to allow the administrators use the root privileges.

If you're using sudo, it can be used to give out other privileges too: the "ctools", "ntools" and other groups might have certain sudo privileges assigned to them. Find the "sudoers" file on your system and read it to see what kind of privilege definitions are made; the file is normally /etc/sudoers on most Linuxes, and /opt/iexpress/sudo/etc/sudoers on HP-UX (if the HP-provided version of sudo from the HP-UX Internet Express package is used).

If you need to edit the sudoers file, use the "visudo" command; like "vipw" for /etc/passwd file, it makes a temporary copy of the respective file for editing. Visudo checks the edited file for syntax errors before it replaces the real file. If errors are detected, it gives you a chance to fix them or to abandon your changes.

MK
MK
Reply
Raynald Boucher
Super Advisor

тАО06-06-2011 06:18 AM

тАО06-06-2011 06:18 AM

Re: Unix / Linux special groups

Thanks Matti,
Your answer does not solve my problem but points me in the right direction.

On our HP-UX systems, there is no /opt/iexpress/.../sudoers file but some commands and logs have the [cn]tools group assigned. I'm told ntools was for network and ctools was for configuration and the groups were created to allow certain people to view logs and perform certain operations without having the full system privileges.

The same setup appears to have been implemented on more recent Linux systems because the groups are populated, but do not appear in the /etc/sudoers files.

Thanks for a valuable explanation.

RayB
0 Kudos
Reply
Ismail Azad
Esteemed Contributor

тАО06-06-2011 10:31 PM

тАО06-06-2011 10:31 PM

Re: Unix / Linux special groups

Hi Reynald,

So it sounds like you are using sudo over RBAC, lookin' at the conventional groups your query is based on.

However, RBAC does have special roles and special *pseudo groups* that go with the implementation of RBAC. One of which stands out is PRIV_GLOBAL.


Regards
Ismail Azad
Read, read and read... Then read again until you read "between the lines".....
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.