set up of a multi user site


  • Creator
    Topic
  • #54777
    Rick Pritchett
    Participant

    I am reaching out to everyone to find out how to set up multiple users for Cloverleaf in an AIX environment.  It has been a long time since I have had to set up a user.

  • Author
    Replies
    • #82947
      Charlie Bursell
      Participant

      What OS?

      If Unix, make sure all are members of the staff group and all have same permissions

    • #82948
      Richard Hart
      Participant

      Hi Rick.

      We are on linux (migrated from AIX) and work on the server.

      We login to the server with our own account and use ‘sudo’ to change user to the code owner (hci) or runtime owner (hcimgr).

      i.e.

       sudo su - hci

      or

       sudo su - hcimgr

      We ensure that our local accounts are in the same *nix group as the ‘hci*’ accounts.

    • #82949
      Rob Lindsey
      Participant

      The AIX smit (smitty users) should walk you through everything you need to set up a user.  Of course I would view the hci user to make sure you choose the right groups and privs.

      Rob

    • #82950
      Alice Kazin
      Participant

      Make sure “hci” owns all the Cloverleaf files.   We’ve had issues with the testing tool if one of the users (not hci) owns the Cloverleaf file.

    • #82951
      David Barr
      Participant

      Does anyone have more detailed instructions on how to set up sudo to access the hci account? I don’t want to give root access to all users, so the “sudo su - hci” command wouldn’t work. I was thinking of putting this in the sudoers file:

      %staff    ALL=(hci) NOPASSWD: ALL

      This would allow anyone in the staff group to login as hci.

      The next problem that I have is that the .profile for the hci account isn’t being run. I’m trying to use “sudo -s -H -u hci” from my regular account. Our hci account uses “bash” as the login shell, and I think that bash isn’t reading the profile because it doesn’t think that it is being run as a login shell.

    • #82952
      David Barr
      Participant

      I think I figured out the .profile part: I need to run “sudo -i -u hci”.

    • #82953
      Rob Lindsey
      Participant

      We have everyone login to the *nix server as their own account and then use:

      su - hci

      that forces the *nix system to use the .profile of the hci user and not reference anything from the originating user.

      The one issue doing this is that if you use the history commands, you can pull up commands that were done by other users.  We had someone pull up a remove command and run it in the wrong directory.  So I figured out a way to have each user that “su’s” to the hci account have their own history file.

      Rob

    • #82954
      Elisha Gould
      Participant

      We use the following in the .profile file for hci to ensure each user has their own history in Linux:

      Code:

      MYUSER=`who am i | awk '{print $1}'`
      export HISTFILE=$HOME/.sh_history_$MYUSER
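
An added example, not part of the original posts: a `.profile` fragment for the shared hci account that extends the `who am i` approach above so it also covers `sudo -i -u hci`, where sudo sets `SUDO_USER`. The helper names `valid_user`, `origin_user` and `history_file_for` are assumptions made for this example.

```shell
# Added example (not from the thread): resolve the person behind a shared
# hci shell and give them a private history file.

# Accept only plain account names so the value is safe inside a file name.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the originating account. Order: SUDO_USER (set by sudo), logname,
# "who am i" (the thread's method), then the current user as a last resort.
origin_user() {
    for candidate in \
        "${SUDO_USER:-}" \
        "$(logname 2>/dev/null)" \
        "$(who am i 2>/dev/null | awk '{print $1}')" \
        "$(id -un)"
    do
        if valid_user "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Build the per-user history path in the same form as the post above.
history_file_for() {
    printf '%s/.sh_history_%s\n' "$HOME" "$1"
}

# In hci's .profile: only switch the history file when a user was resolved.
if MYUSER=$(origin_user); then
    HISTFILE=$(history_file_for "$MYUSER")
    export HISTFILE
fi
```

Anyone inside the hci shell can edit or remove these files, so they separate histories for convenience and do not serve as an audit trail.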

    • #82955
      David Barr
      Participant

      Rob Lindsey wrote:

      We have everyone login to the *nix server as their own account and then use:

      su - hci

      that forces the *nix system to use the .profile of the hci user and not reference anything from the originating user.

      Do they have to type in the hci password? What prevents them from logging in as hci directly?

      Also the “-i” option on sudo clears out the environment from the original user.

    • #82956
      aaron kaufman-moore
      Participant

      David Barr wrote:

      Rob Lindsey wrote:

      We have everyone login to the *nix server as their own account and then use:

      su - hci

      that forces the *nix system to use the .profile of the hci user and not reference anything from the originating user.

      Do they have to type in the hci password? What prevents them from logging in as hci directly?

      Also the “-i” option on sudo clears out the environment from the original user.

      In our setup (AIX 6.1), the users do need to enter the hci password when they su up to the hci username.  We prevent them from logging in as hci directly by adding the following lines to /etc/ssh/sshd_config:

      Match User hci

      PasswordAuthentication no

      That will not allow hci to login with a password, but still allow scripts which can handle key-file authentication (think sftp) to still work as an hci user.  That has satisfied our security team…so far
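
An added example, not part of the original posts: a check that reads an sshd_config file and reports the `PasswordAuthentication` value that applies to one account, so the `Match User hci` setting above can be verified after a change. The function names and the sample file are constructed for this example, and the parser is deliberately narrow, as the comments state.

```shell
# Added example (not from the thread). Reports the PasswordAuthentication
# value that applies to one account in a sshd_config file.
# Simplifications: only "Match User <comma list>" and "Match All" are
# evaluated; wildcards, extra criteria, Include files and key=value
# syntax are not handled.
password_auth_for() {   # usage: password_auth_for <user> <file or ->
    awk -v user="$1" '
        BEGIN { global = "yes"; matched = ""; scope = "global" }  # sshd default is yes
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "match") {
                scope = "other"
                if (tolower($2) == "all") scope = "user"
                else if (tolower($2) == "user" && NF == 3) {
                    n = split($3, names, ",")
                    for (i = 1; i <= n; i++)
                        if (names[i] == user) scope = "user"
                }
                next
            }
            if (key != "passwordauthentication") next
            # sshd keeps the first value it obtains for a keyword
            if (scope == "global" && global_set == 0) { global = tolower($2); global_set = 1 }
            if (scope == "user" && matched == "") matched = tolower($2)
        }
        END { print (matched != "" ? matched : global) }
    ' "$2"
}

# Constructed sample containing the two lines quoted in the post above.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample, not a real host configuration
PasswordAuthentication yes
Match User hci
    PasswordAuthentication no
EOF
}

sample_sshd_config | password_auth_for hci -     # no
sample_sshd_config | password_auth_for rick -    # yes
```

On a live host, `sshd -T -C user=hci` (run as root; some versions also require `host=` and `addr=`) prints the settings sshd itself resolves.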

    • #82957
      David Barr
      Participant

      aaron kaufman-moore wrote:

      We prevent them from logging in as hci directly by adding the following lines to /etc/ssh/sshd_config:

      Match User hci

      PasswordAuthentication no

      Yeah, I looked at doing that as well, but our version of SSHD (4.3p2) is too old and doesn’t support the Match keyword. Thanks for your suggestions.
