Setting up UNIX users

Use these steps to set up UNIX users to start, stop, and run system commands from the shell command line without privilege issues.

When setting up UNIX users, remember these points:

  • The sudo and su commands provide an audit trail: who ran what, and when.
  • Each command run through sudo is logged, together with the issuing user name, to the file /var/log/secure.
  • Each successful authentication is logged to the file /var/log/messages.
  • The log file names above depend on the distribution and its syslog configuration (Debian-based systems write authentication messages to /var/log/auth.log, for example); verify where the authpriv facility is written on your hosts before relying on these paths.
  1. Use visudo to add the staff group to the sudoers file by adding the line %staff ALL=(ALL) ALL. This grants every member of staff the right to run any command as any user through sudo, so limit staff membership to the accounts that administer Cloverleaf.
  2. Set the setgid flag on every directory under $HCIROOT so that new files inherit the directory's group ownership. The "s" in g+s sets the setgid flag. For example:
    find $HCIROOT -type d -exec chmod g+s {} \;
  3. Add all Cloverleaf users and hci to the staff group, replacing user with the login name of each account. For example:
    usermod -a -G staff user
  4. Disable direct SSH log-in for the hci user. To do this:
    1. Add the line DenyUsers hci to /etc/ssh/sshd_config.
    2. Check the configuration with sshd -t (an invalid file can lock every user out on restart), then restart sshd using service sshd restart (systemctl restart sshd on systemd-based systems).
  5. Make hcienginerun, hcienginestop, hcienginerestart, hcisitectl, and hciss readable, writable, and executable only by hci. For example:
    chmod 700 $HCIROOT/bin/hcienginerun $HCIROOT/bin/hcienginestop
    chmod 700 $HCIROOT/bin/hcienginerestart $HCIROOT/bin/hcisitectl $HCIROOT/clgui/bin/hciss
    Mode 700 only restricts access as intended if these files are owned by hci; check the owner with ls -l and correct it with chown if needed.
    You can now only start and stop Cloverleaf processes as hci. Because direct log-in for hci is disabled, become hci from a staff account, for example with sudo su - hci.
    Stopping and starting Cloverleaf processes should always be performed by the hci user.
  6. Because direct log-in for hci is disabled, files are transferred (for example by scp or sftp) as the individual user, not as hci. To avoid permission problems, stage them through a transfer directory:
    1. As hci:
      mkdir $HCIROOT/site_master/data/transfer
    2. As hci:
      chmod 777 $HCIROOT/site_master/data/transfer
    3. As user: Transfer files to and from this directory.
    4. As hci: Use the cp command to copy the files into place.
    5. As hci: Use the rm command to delete the files from the transfer directory.
    Mode 777 makes the directory writable by every local account, not only Cloverleaf users. Because all Cloverleaf users are in the staff group (step 3), chgrp staff followed by chmod 2770 on the directory gives them the same access while excluding everyone else. If you keep 777, do not leave files in the transfer directory longer than needed.
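The following script is an added example and is not part of the Cloverleaf documentation or product. It applies the file-mode steps of the procedure above (steps 2, 5 and 6) to a given Cloverleaf root and, separately, audits that they are still in place, including a check that sshd_config carries the DenyUsers line from step 4. The root path, the binary names and the transfer directory are taken from the steps above; the script name cl_perms.sh, the function names and the sample /opt/cloverleaf path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Cloverleaf documentation or product: apply the
# file-mode steps of this procedure (2, 5 and 6) to a Cloverleaf root and audit
# that they are still in place. The root path and the list of binaries are
# taken from the steps above; the script and function names are assumptions.
#
# Usage:  ./cl_perms.sh harden   /opt/cloverleaf
#         ./cl_perms.sh check    /opt/cloverleaf
#         ./cl_perms.sh sshcheck /etc/ssh/sshd_config hci

# Control binaries that must be mode 700 (step 5); hcienginerestart is included
# because the page's chmod command covers it.
HCI_BINS="bin/hcienginerun bin/hcienginestop bin/hcienginerestart bin/hcisitectl clgui/bin/hciss"
TRANSFER_DIR="site_master/data/transfer"

# Steps 2, 5 and 6. Ownership is deliberately left alone: chmod 700 only
# restricts access if the files are owned by hci, so run chown separately as root.
harden_cloverleaf_perms() {
    root=$1
    mkdir -p "$root/$TRANSFER_DIR"
    chmod 777 "$root/$TRANSFER_DIR"   # as the page specifies (see the caveat in step 6)
    # setgid on every directory; done after the transfer directory exists so it is covered too
    find "$root" -type d -exec chmod g+s {} \;
    for b in $HCI_BINS; do
        if [ -f "$root/$b" ]; then
            chmod 700 "$root/$b"
        fi
    done
}

# Audit: print every deviation from the expected state. Returns 0 only if clean,
# so it can be run from cron or from a configuration-management check.
check_cloverleaf_perms() {
    root=$1
    rc=0
    # Step 2: every directory must carry the setgid bit (octal 2000).
    bad_dirs=$(find "$root" -type d ! -perm -2000)
    if [ -n "$bad_dirs" ]; then
        echo "directories missing setgid:"
        echo "$bad_dirs"
        rc=1
    fi
    # Step 5: each control binary must exist and be exactly mode 700.
    for b in $HCI_BINS; do
        f="$root/$b"
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            rc=1
        elif [ -z "$(find "$f" -perm 700)" ]; then
            echo "mode is not 700: $f"
            rc=1
        fi
    done
    # Step 6: the transfer directory must exist.
    if [ ! -d "$root/$TRANSFER_DIR" ]; then
        echo "missing transfer directory: $root/$TRANSFER_DIR"
        rc=1
    fi
    return $rc
}

# Step 4: confirm that sshd_config lists the user on a DenyUsers line.
# The keyword is matched case-insensitively as sshd does; commented lines are
# ignored. Only the file given is read (Include directives are not followed),
# and DenyUsers patterns such as hci@* are not expanded.
check_ssh_denies() {
    awk -v u="$2" '
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Command-line dispatch; the functions can also be sourced from another script.
case "${1:-}" in
    harden)   harden_cloverleaf_perms "${2:?HCIROOT}" ;;
    check)    check_cloverleaf_perms  "${2:?HCIROOT}" ;;
    sshcheck) check_ssh_denies "${2:?sshd_config}" "${3:?user}" ;;
esac
```

Run harden once as root (or as hci after the files have been chowned to hci), then schedule check and sshcheck to catch drift: a later package upgrade or a careless chmod that reopens the engine control scripts to the group shows up as a non-zero exit with the offending paths printed.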