[comp.sys.apollo] ignoring umask and ownership when creating files ...

ajb@wpi.WPI.EDU (Arthur J. Butler) (02/20/91)

hi,

i've recently installed 10.3 (large aegis and bsd) on our dn3500.  i
used import_passwd and syncids to create the accounts.  i created a
directory /usr/users where the home directories will be located.  root
owns this directory and the mode is 755.  in /usr/users i have a
directory called ajb (owned by ajb with 755 permissions).  when user
ajb logs in, all files he creates in his home directory are owned by
"none" and his umask is totally ignored.  when user ajb creates a file
in /tmp, then the file ownership is ok but again the umask is ignored.
this is all operating under bsd4.3 environment using csh.

i checked the account using edrgy and all looks ok.

does anyone have any ideas?

thanks,

arthur (ajb@ee.wpi.edu)

system@alchemy.chem.utoronto.ca (System Admin (Mike Peterson)) (02/21/91)

In article <1991Feb20.052633.3894@wpi.WPI.EDU> ajb@wpi.WPI.EDU (Arthur J. Butler) writes:
>hi,
>
>i've recently installed 10.3 (large aegis and bsd) on our dn3500.  i
>used import_passwd and syncids to create the accounts.  i created a
>directory /usr/users where the home directories will be located.  root
>owns this directory and the mode is 755.  in /usr/users i have a
>directory called ajb (owned by ajb with 755 permissions).  when user
>ajb logs in, all files he creates in his home directory are owned by
>"none" and his umask is totally ignored.  when user ajb creates a file
>in /tmp, then the file ownership is ok but again the umask is ignored.
>this is all operating under bsd4.3 environment using csh.

Make sure that the directory /usr/users (and /tmp probably) has
"Berkeley ACLs" - see the 'chacl' command. The idea is:
	chacl -R -B /usr/users
	cd /usr/users
	foreach username (*)
	   chown -R $username.group $username
	end
	chacl -B /sys/node_data/tmp
	chmod 777 /sys/node_data/tmp
where 'group' is the desired group. The chacl command recursively
applies BSD directory/file inheritance properties onto /usr/users
(so that the umask will then be used as the mask for permissions, and
the group will be inherited from the directory a la BSD),
and of course the chown fixes all the existing files and directories.
You will probably also have to chmod existing files/directories.
The Apollo default permissions are not umask-based (instead fixed
rights will be applied and a fixed owner/group will be applied), and
will be used for all new files/directories by default.

You can 'chacl -B' most of the /bsd4.3 and /usr tree without problems.
WARNING - while you can safely chacl -B much of the file system, do not
do this on /sys.

I have protection scripts that will close up a SR10.x (x=0,1,2,3)
BSD node as tightly as possible, and will also force proper
ACLs/permissions onto all files/directories, including the /sys tree.
They do a preliminary job on SYSV and /com, and disable most dangerous
commands from normal users, and also set privacy ACLs on mail, etc.
These scripts should be available in the ADUS library (but won't handle
SR10.3 completely - they'll come close though), or given sufficient demand,
I will post them here. It appears that closed ACLs as of 10.3 come
pretty close to a real UNIX system, but I won't find out for sure until
I do an install onto a newly invol'ed disk. SR10.[012] were nowhere near.
-- 
Mike Peterson, System Administrator, U/Toronto Department of Chemistry
E-mail: system@alchemy.chem.utoronto.ca
Tel: (416) 978-7094                  Fax: (416) 978-8775

rees@pisa.ifs.umich.edu (Jim Rees) (02/21/91)

In article <1991Feb20.052633.3894@wpi.WPI.EDU>, ajb@wpi.WPI.EDU (Arthur J. Butler) writes:

  i've recently installed 10.3 (large aegis and bsd) on our dn3500.  i
  used import_passwd and syncids to create the accounts.  i created a
  directory /usr/users where the home directories will be located.  root
  owns this directory and the mode is 755.  in /usr/users i have a
  directory called ajb (owned by ajb with 755 permissions).  when user
  ajb logs in, all files he creates in his home directory are owned by
  "none" and his umask is totally ignored.

When you create users' home directories, you should set them up for either
bsd or sysV permissions:

  chacl -B ~ajb

or

  chacl -S ~ajb

See the chacl man page for more confusion -- er, I mean clarification.
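
[Added example, not part of the original thread.] A POSIX sh probe to run as the affected user after applying chacl -B or chacl -S: it creates a file under a known umask and checks the two symptoms from the first post (wrong owner, umask ignored). The function names and probe file name are illustrative, and it assumes `ls -l` prints the owner in the third column.

```shell
#!/bin/sh
# Added example (not from the thread): probe whether a directory applies the
# creator's umask and ownership to newly created files.

# Convert an `ls -l` permission string (e.g. -rw-r-----) to three octal digits.
perm_to_octal() {
    out=""
    for start in 2 5 8; do
        trio=$(printf '%s' "$1" | cut -c"$start"-"$((start + 2))")
        n=0
        case $trio in r??) n=$((n + 4)) ;; esac
        case $trio in ?w?) n=$((n + 2)) ;; esac
        case $trio in ??[xst]) n=$((n + 1)) ;; esac   # s/t imply execute
        out=$out$n
    done
    printf '%s\n' "$out"
}

# Compare observed mode/owner with expectations; print a verdict, return 0/1.
verdict() {  # args: want_mode got_mode want_owner got_owner
    problems=""
    [ "$1" = "$2" ] || problems="umask ignored (mode $2, expected $1)"
    [ "$3" = "$4" ] || problems="${problems:+$problems; }owner is $4, expected $3"
    if [ -z "$problems" ]; then echo "ok mode=$2 owner=$4"; return 0; fi
    echo "FAIL $problems"; return 1
}

# check_create DIR UMASK: create a probe file in DIR under UMASK and judge it.
check_create() {
    dir=$1 mask=$2 probe="$1/.umask_probe.$$"
    ( umask "$mask" && : > "$probe" ) || { echo "cannot create file in $dir"; return 2; }
    set -- $(ls -ld "$probe")          # $1 = permission string, $3 = owner
    got_mode=$(perm_to_octal "$1") got_owner=$3
    rm -f "$probe"
    want_mode=$(printf '%03o' "$(( 0666 & ~0$mask ))")
    want_owner=$(id -un 2>/dev/null || id -u)
    verdict "$want_mode" "$got_mode" "$want_owner" "$got_owner"
}

# Usage: sh probe.sh /usr/users/ajb 022
[ $# -eq 0 ] || check_create "$1" "${2:-022}"
```

Run it once against the home directory and once against /tmp, since the thread reports different symptoms in each.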

robinb@bhpmrl.oz.au (Robin Brown) (02/26/91)

system@alchemy.chem.utoronto.ca (System Admin (Mike Peterson)) writes:

>I have protection scripts that will close up a SR10.x (x=0,1,2,3)
>BSD node as tightly as possible, and will also force proper
>ACLs/permissions onto all files/directories, including the /sys tree.
>They do a preliminary job on SYSV and /com, and disable most dangerous
>commands from normal users, and also set privacy ACLs on mail, etc.
>These scripts should be available in the ADUS library (but won't handle
>SR10.3 completely - they'll come close though), or given sufficient demand,
>I will post them here. It appears that closed ACLs as of 10.3 come
>pretty close to a real UNIX system, but I won't find out for sure until
>I do an install onto a newly invol'ed disk. SR10.[012] were nowhere near.

Yes please, I've been after something like this for ages.

I recently installed 10.3 on some of our machines and discovered the
following:  If you load sr10.3 on a virgin disk booting off
cartridge tape the system is still partially open even when you specify
'closed' eg /com /etc /install /lib /sau7 are wide open ('cops' had a
field day :-).
When you push it across from the AA on another node things are better
but still not perfect eg /install is still wide open.

Robin

     /\/\       Robin Brown (Mr)
    / / /\      Support Engineer (Unix systems & CAD/CAM/CAE)
   / / /  \     Computer Systems Group
  / / / /\ \    BHP Research - Melbourne Laboratories
  \ \/ / / /    245 Wellington Rd Mulgrave Vic 3170 AUSTRALIA
   \  / / /     Phone : +61-3-560-7066,  Fax : +61-3-561-6709
    \/\/\/      ACSnet : robinb@bhpmrl.oz.au