Re: One login, several environments to use?
From: Antti H (gumfire_at_despammed.com)
Date: 04/28/05
- Next message: Security Alert: "SSRT5958 rev.0 - HP OpenView Radia Management Portal (RMP) Radia Management Agent (RMA) Remote Unauthorized Privileged Access and Denial of Service (DoS)"
- Previous message: Mahesh Kumar: "lwp_rwlock_t Vs pthread_rwlock_t"
- In reply to: Ted Linnell: "Re: One login, several environments to use?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 28 Apr 2005 08:18:39 GMT
Ted Linnell wrote:
> Antti H <gumfire@despammed.com> wrote:
>
>
>>Hi,
>>I have a situation. I have a server, where production is made for
>>several clients. Each client has an environment (aliases, $PATH etc)
>>different from others.
>>Currently each user has an account to each client's environment. This is a
>>security risk, passwords are kept simple etc.
>>
>>I want to be able to have one login for each user, allowing them to
>>choose (login script?) the client they are going to work on, and then
>>based on their selection load the appropriate variables etc.
>>
>>
>>The Goal:
>>
>>to have one account per user, instead of one account for each client.
>>each client must preserve their aliases and other environment funnythings.
>>when logged in, a user can only do work for the selected client, because
>>the environment is special for each.
>>
>>
>>The problems:
>>
>>1)
>>We could do this with hidden accounts where the script would
>>`su - client1person4` account.
>>
>>This is bad because the number of accounts on the system would be
>>unmanageable, where one person has 30 "logins".
>>
>>
>>2)
>>giving all client groups to user, and chrooting them to selected client's
>>home dir.
>>
>>If only I could use chroot with the system on top, creating links to
>>/bin etc is unacceptable.
>>
>>
>>3)
>>giving all groups to user, loading environment with the script.
>>
>>Yeah, right. Unacceptable, because users would compile even if told not
>>to against when wrong client's environment loaded, which would lead into
>>serious problems.
>>
>>
>>
>>I am stuck, since I do not know anything about managing unix
>>environments. I ask you, humbly, please advise on proper methods, how are
>>such scenarios handled in other places?
>>
>>TIA
>>
>>Antti H
>
>
> Have done this before.
>
> Had a system running several separate applications, each with its own
> support team initially.
>
> Each support user was assigned to 1 application group.
>
> In /etc/profile we determined user's primary group and ran the
> appropriate environment set up script.
>
> It was later decided to amalgamate support of several apps into 1 team.
> Each member of the team needed to be able to access each app, but only
> 1 app at a time.
>
> We added the support users to all required groups.
>
> Users logged in and got the env set up of their primary group.
>
> To work on a different app user used the chgrp (or maybe newgrp
> command, can't remember exactly and don't have access to UNIX at the
> moment) to swap to a different primary group. This effectively logs
> them in again and runs all profiles from /etc/profile, setting up the
> environment of the new app.
>
> Regards,
>
> Ted.
> ==============================================================
> | Ted Linnell <edlinnell@acslink.net.au> |
> | |
> | Nunawading, Victoria , Australia |
> ==============================================================
Never thought of this possibility, will check into it. Thanks!
Antti H
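
The approach described in the quoted reply (choose the environment script in /etc/profile from the user's primary group) could look like the following; this is an added example, not code from either poster. The directory /etc/client-env, the `<group>.env` naming, the function and variable names, and the ownership and permission checks are assumptions.

```shell
# Added example: fragment for /etc/profile (or a file it sources).
# Assumed layout (not from the thread): one env file per client group in
# $CLIENT_ENV_DIR, named <group>.env, owned by root and not writable by others.
CLIENT_ENV_DIR=${CLIENT_ENV_DIR:-/etc/client-env}
CLIENT_ENV_OWNER=${CLIENT_ENV_OWNER:-0}   # numeric uid expected to own the files

# Print the env file for a group, or fail if the name or file is not trustworthy.
client_env_file() {
    grp=$1
    case $grp in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # rejects "/", "..", spaces, etc.
    esac
    file=$CLIENT_ENV_DIR/$grp.env
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # Refuse files that a non-admin could have edited: wrong owner, or
    # group/world writable. find prints the path only if all tests pass.
    ok=$(find "$file" -prune -user "$CLIENT_ENV_OWNER" \
              ! -perm -020 ! -perm -002 2>/dev/null)
    [ -n "$ok" ] || return 1
    printf '%s\n' "$file"
}

# Load the environment for the current primary group (or $1 when given).
load_client_env() {
    grp=${1:-$(id -gn)}
    file=$(client_env_file "$grp") || {
        echo "no client environment for group '$grp'" >&2
        return 1
    }
    . "$file"
    CLIENT_GROUP=$grp
    export CLIENT_GROUP
}

# In /etc/profile itself the call would be simply:
#   load_client_env
```

Because the group comes from `id -gn`, a login-style group switch such as `newgrp - client2` picks up client2's file when /etc/profile runs again.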