Set up of a multi user site
- This topic has 11 replies, 8 voices, and was last updated 8 years, 8 months ago by David Barr.
-
August 6, 2015 at 9:32 pm #54777 Rick Pritchett (Participant)
I am reaching out to everyone to find out how to set up multiple users for Cloverleaf in an AIX environment. It has been a long time since I have had to set up a user.
-
August 6, 2015 at 11:17 pm #82947 Charlie Bursell (Participant)
What OS?
If Unix, make sure all are members of the staff group and all have the same permissions.
-
August 7, 2015 at 1:23 am #82948 Richard Hart (Participant)
Hi Rick.
We are on linux (migrated from AIX) and work on the server.
We login to the server with our own account and use ‘sudo’ to change user to the code owner (hci) or runtime owner (hcimgr).
i.e.
sudo su - hci
or
sudo su - hcimgr
We ensure that our local accounts are in the same *nix group as the ‘hci*’ accounts.
-
August 7, 2015 at 2:52 pm #82949 Rob Lindsey (Participant)
The AIX smit (smitty users) should walk you through everything you need to set up a user. Of course I would view the hci user to make sure you choose the right groups and privs.
Rob
-
August 11, 2015 at 8:37 pm #82950 Alice Kazin (Participant)
Make sure “hci” owns all the Cloverleaf files. We’ve had issues with the testing tool if one of the users (not hci) owns the Cloverleaf file.
-
January 4, 2016 at 7:16 pm #82951 David Barr (Participant)
Does anyone have more detailed instructions on how to set up sudo to access the hci account? I don’t want to give root access to all users, so the “sudo su - hci” command wouldn’t work. I was thinking of putting this in the sudoers file:
%staff ALL=(hci) NOPASSWD: ALL
This would allow anyone in the staff group to log in as hci.
The next problem that I have is that the .profile for the hci account isn’t being run. I’m trying to use “sudo -s -H -u hci” from my regular account. Our hci account uses “bash” as the login shell, and I think that bash isn’t reading the profile because it doesn’t think that it is being run as a login shell.
-
January 4, 2016 at 7:20 pm #82952 David Barr (Participant)
I think I figured out the .profile part: I need to run “sudo -i -u hci”.
-
January 6, 2016 at 10:47 pm #82953 Rob Lindsey (Participant)
We have everyone log in to the *nix server as their own account and then use:
su - hci
that forces the *nix system to use the .profile of the hci user and not reference anything from the originating user.
The one issue doing this is that if you use the history commands, you can pull up commands that were done by other users. We had someone pull up a remove command and run it in the wrong directory. So I figured out a way to have each user that “su’s” to the hci account have their own history file.
Rob
-
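January 7, 2016 at 11:34 pm #82954 Elisha Gould (Participant)
We use the following in the .profile file for hci to ensure each user has their own history in Linux:
Code:
# Name of the user who originally logged in on this terminal (before switching to hci)
MYUSER=$(who am i | awk '{print $1}')
# Give each originating user a separate history file
export HISTFILE="$HOME/.sh_history_$MYUSER"
-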
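A variant of the per-user history snippet above that also covers the "sudo -i -u hci" route discussed earlier in the thread, and that never falls back to an empty user name. This is an added example, not part of the original posts; `pick_user` and `origin_user` are hypothetical helper names, and `SUDO_USER` is the variable sudo sets for the invoking user.

```shell
# Added example for hci's ~/.profile (bash or ksh); not from the original thread.
# pick_user and origin_user are hypothetical helper names.

# Print the first candidate that is still non-empty after stripping every
# character that is unsafe in a file name; print "unknown" if none qualifies,
# so users never end up sharing a bare "$HOME/.sh_history_".
pick_user() {
    for _pu_cand in "$@"; do
        _pu_clean=$(printf '%s' "$_pu_cand" | tr -cd 'A-Za-z0-9._-')
        if [ -n "$_pu_clean" ]; then
            printf '%s\n' "$_pu_clean"
            return 0
        fi
    done
    printf 'unknown\n'
}

# Account that logged in before switching to hci:
#   1. SUDO_USER, which sudo sets (the "sudo -i -u hci" route)
#   2. owner of the terminal from "who am i" (the "su - hci" route)
origin_user() {
    pick_user "${SUDO_USER:-}" "$(who am i 2>/dev/null | awk '{print $1}')"
}

MYUSER=$(origin_user)
export HISTFILE="$HOME/.sh_history_$MYUSER"
```

Separate history files only stop one user from recalling another user's commands; they are not an audit trail, because anyone in the hci shell can change or unset HISTFILE.
-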
January 8, 2016 at 4:40 pm #82955 David Barr (Participant)
Rob Lindsey wrote:
We have everyone log in to the *nix server as their own account and then use:
su - hci
that forces the *nix system to use the .profile of the hci user and not reference anything from the originating user.
Do they have to type in the hci password? What prevents them from logging in as hci directly?
Also the “-i” option on sudo clears out the environment from the original user.
-
January 11, 2016 at 12:53 pm #82956 aaron kaufman-moore (Participant)
David Barr wrote:
Rob Lindsey wrote:
We have everyone log in to the *nix server as their own account and then use:
su - hci
that forces the *nix system to use the .profile of the hci user and not reference anything from the originating user.
Do they have to type in the hci password? What prevents them from logging in as hci directly?
Also the “-i” option on sudo clears out the environment from the original user.
In our setup (AIX 6.1), the users do need to enter the hci password when they su up to the hci username. We prevent them from logging in as hci directly by adding the following lines to /etc/ssh/sshd_config:
Match User hci
PasswordAuthentication no
That will not allow hci to log in with a password, but still allow scripts which can handle key-file authentication (think sftp) to still work as an hci user. That has satisfied our security team… so far.
-
January 12, 2016 at 5:40 pm #82957 David Barr (Participant)
aaron kaufman-moore wrote:
We prevent them from logging in as hci directly by adding the following lines to /etc/ssh/sshd_config:
Match User hci
PasswordAuthentication no
Yeah, I looked at doing that as well, but our version of SSHD (4.3p2) is too old and doesn’t support the Match keyword. Thanks for your suggestions.