Survey

Ed Anselmo anselmo-ed at cs.yale.edu
Wed Sep 12 07:28:49 AEST 1990


>>>>> On 10 Sep 90 19:04:22 GMT, fwp1 at CC.MsState.Edu (Frank Peters) said:

Frank>      b) We would like to delegate many tasks such as tape control,
Frank>         backup, printer control and such to our operators.  At the
Frank>         same time we don't want to share the root password.  There are
Frank>         a few systems out there to allow the delegation of tasks to
Frank>         certain users.  All of these, of course, have security issues
Frank>         involved that must be considered.

We have a setuid-root program that allows most of the above to be done
without having to be logged in as a super-user.  Users in group wizard
can kill runaway processes (among other things....):

Menu for wizard.

 0.     Exit this Menu.
 1.     Control Printer Queues.
 2.     Remove Job(s) From Printer Queues.
 3.     Reboot System.
 4.     Halt System.
 5.     Terminate A Process.
 6.     Write To All Users Logged On This Machine.
 7.     Set Date & Time.
 8.     Alter Priority of Process.
 9.     Rebuild UserDataBase Alias Files.
10.     Remove IPC Resources.

(The last option was added to remove IPC resources that ill-mannered
Linda programs started leaving around).

The similar "operator" program allows members of group "operator" to
do backups from a regular account.

Both programs log every action performed by the user.

Frank> (4)  Userid management.  Most UNIX boxes come with instructions about
Frank>      which several files should be edited to add a user to the system.
Frank>      We are developing programs to manage the addition of userids in a
Frank>      relatively bullet proof way so that non-technical personnel can
Frank>      add new users.  While there are programs to do that around very
Frank>      few address the large system issues such as password file locking
Frank>      and batch additions of large groups of users like a class roll.

Yale CS uses the all-singing, all-dancing "User Database Program"
(udb) which tracks users, uids, mailboxes, mailing lists, machines,
serial numbers (among other things).  Through a series of programs and
Shell Scripts from Hell, it's used to build and delete accounts
(assigning unique uids, and keeping them consistent across machines),
and rebuild the sendmail aliases files.

It has also managed to keep several generations of Yale undergraduate
summer programmers entertained for months on end.

anselmo[371] % xdb
Yale Data Base access program (xdb).
Version 1.4 (Exp) of 89/10/02 15:42:52 by long.
Type '?' at any prompt for help.

Trying eli.cs.yale.edu...[Connected]...[OK]
Establishing identity...[OK]
The Database Daemon welcomes anselmo-ed at bigbird
Figuring out who you are...[OK]
Checking for wizardhood...[Wizard]
I welcome Wizard anselmo-ed
Loading entities: distribution...entity...field...machine...mailing-list...person...program...pseudo-user...[Done]
wizard> sh anselmo
** person anselmo-ed
Fullname:     Ed Anselmo
Status:       staff
Expiration:   1999
Birthday:     4/25/59
Work-address: 51 Prospect St. (AKW) Room 012
Work-phone:   432-6428
Room-number:  012
Home-phone:   469-2562
Capability:   arpanet, database
Workstation:  bigbird
Group:        facility
ID Number:    118
Mailbox:      'anselmo at ra, 'anselmo at yale-rt-alaska

wizard> sh machine bigbird
** machine bigbird
Fullname:                     bigbird.cf.cs.yale.edu
Description:                  alaska client
Operating-system:             sun os
Host-id:                      51005683
Component/Make/Model/Ser-Num: cpu sun 4/60fgx-12-p4 935f2634
yaleid:                       066099
Install-date:                 9/89
Location:                     012
Primary-user:                 anselmo-ed
principle-investigator:       facility
Owner:                        facility
Grant:                        overhead

wizard>
-- 
Ed Anselmo   anselmo-ed at cs.yale.edu   {harvard,cmcl2}!yale!anselmo-ed