Original questions:
> 1. Is it possible (and how) to delegate some user, other than root, to
> register users with XSysAdmin and XIsso (with advanced security).
>
> 2. Is it possible to register users (with XSysAdmin and XIsso - enhanced
> security) simultaneously on 2 or more terminals (because we have lots
> of users to register every day).
Thanks for responses to:
"Randy M. Hayman" <haymanr_at_icefog.sois.alaska.edu>
Communica Systems <comminc_at_iinet.net.au>
"THOMSON, Dave" <THOMSOND_at_wellington.ecnz.co.nz>
My comment:
I think that Randy's utility 'zuausr' is quite nice and that it
solves lots of problems.
See also: Jan 25 THOMSON, Dave, SUMMARY: non X version of XIsso, on
this list
--------------------------------------------------------------------
From: "Randy M. Hayman" <haymanr_at_icefog.sois.alaska.edu>
I have resolved the problems you are experiencing. What we have done here
is take an HRS (Human Resource System) extract of all students and
employees, load it into a file (in /etc/passwd format), then
run some utilities I wrote to manage the user accounts. Here's a man page
from the utility:
zuausr(8) ZUAUSR utilities v1.02 and up zuausr(8)
NAME
user_cpw -- ZUAUSR utility to change user account passwords.
user_create -- ZUAUSR utility to create user accounts.
user_lock -- ZUAUSR utility to lock user accounts.
user_pwd_restrict -- ZUAUSR utility to restrict user account passwords.
user_report -- ZUAUSR utility to display user accounts.
user_uid -- ZUAUSR utility to change userid numbers and home directories
for user accounts.
user_unlock -- ZUAUSR utility to unlock user accounts.
DESCRIPTION
The ZUAUSR utilities are command line utilities to be used with Digital
UNIX running the C2 level Enhanced Security mode, for manipulating user
accounts without requiring the root password. The security inherent in
this utility is based upon many premises as outlined in the ZUAUSR
Administrator Manual. Administrators needing to run these utilities are
strongly advised to read and understand the ZUAUSR Administrator Manual.
By having these utilities command line driven, they are easily scripted for
doing an operation on many accounts in seconds. The security granularity
designed into the ZUAUSR utilities makes it easy to separate the processes
required to manipulate accounts.
The ZUAUSR utilities are installed via the setld utility provided by
Digital Equipment Corporation.
The ZUAUSR utilities all automatically log any activities performed to the
private audit log file for review by the system administrator or security
officer.
LIMITATIONS
Current limitations inherent in the ZUAUSR utilities are outlined in the
ZUAUSR Administrator Manual and the individual man pages for the individual
utilities.
FILES
ZUAUSR.log -- the audit log for the ZUAUSR utilities.
passwd.who -- the file of potential accounts for this system.
/etc/passwd -- the user account file.
/etc/group -- the group file.
tcb database -- the trusted computing base database.
/usr/tcb/bin/XIsso -- the IS Security Officer's GUI interface.
/usr/tcb/bin/XSysAdmin -- the IS System Administrator's GUI interface.
RETURN VALUES AND ERRORS
[SUCCESS] -- Successful Completion of Utility. Returns Integer Value 0.
[EINVLID] -- Error - Invalid Login ID. Returns Integer Value 1.
[USAGE] -- Successful return of Usage Help. Returns Integer Value 2.
[EINVOPT] -- Error - Invalid Option Attempted. Returns Integer Value 3.
[NOCHANG] -- Administrator Cancelled Change Request. Returns Integer Value 4.
[ENOSUID] -- Error - Can't SUID appropriately. Returns Integer Value 5.
[ENOTCB] -- Error - Account Does Not Exist in TCB Database. Returns Integer Value 6.
[ENOPWD] -- Error - Account Does Not Exist in Passwd Database. Returns Integer Value 7.
[ENOTCB] -- Error - Account Does Not Exist in Passwd.who Database. Returns Integer Value 8.
[ENOSGRP] -- Error - Group Does Not Exist in SYS_GRP_FILE. Returns Integer Value 9.
[ENOAGRP] -- Error - Group Does Not Exist in ALT_GRP_FILE. Returns Integer Value 10.
[EUNAUTH] -- Error - No Authority To Change Password. Returns Integer Value 11.
[EUTEMPL] -- Error - Can't Change/Modify (u)ser Template. Returns Integer Value 12.
[ESTEMPL] -- Error - Can't Change/Modify (s)ystem Template. Returns Integer Value 13.
[ETCBUPD] -- Error - Can't Update TCB Database. Returns Integer Value 14.
[EPWDUPD] -- Error - Can't Update Passwd Database. Returns Integer Value 15.
[EINPWD] -- Error - User/Account Already Exists in passwd Database. Returns Integer Value 16.
[EINTCB] -- Error - User/Account Already Exists in TCB Database. Returns Integer Value 17.
[ENOTEMP] -- Error - Template Does Not Exist. Returns Integer Value 18.
[EMKDIR] -- Error - Can't Create Directory. Returns Integer Value 19.
[ECHOWN] -- Error - Can't CHOWN File/Directory. Returns Integer Value 20.
[ECHMOD] -- Error - Can't CHMOD File/Directory. Returns Integer Value 21.
[EUMATCH] -- Error - UID Does Not Match in TCB and Passwd Databases. Returns Integer Value 22.
SEE ALSO
user_cpw(8), user_create(8), user_lock(8), user_pwd_restrict(8),
user_report(8), user_uid(8), user_unlock(8), XIsso(8), XSysAdmin(8)
AUTHOR
The ZUAUSR utilities were originally designed and developed by Randy M.
Hayman at the University of Alaska Statewide Office of Information
Services.
COPYRIGHT
Copyright (c) 1995 Randy M. Hayman
Randy M. Hayman
haymanr_at_icefog.alaska.edu
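The man page says the utilities are meant to be scripted over a passwd-format extract, so here is an added example (not part of Randy's post or the ZUAUSR package) of a batch wrapper that feeds each login in such an extract to user_create and sorts the outcomes by the exit codes in the table above. It assumes that user_create takes the login name as its only argument and that its path is given by USER_CREATE; neither is documented on this page.

```sh
#!/bin/sh
# Added example, not ZUAUSR code: batch account creation from an
# /etc/passwd-format extract, classified by zuausr(8) exit codes.
# ASSUMPTION: user_create takes only the login name; its path is a guess.
USER_CREATE=${USER_CREATE:-/usr/local/bin/user_create}

# Translate a zuausr(8) exit status into the man page's label (subset).
zuausr_status() {
    case "$1" in
        0)  echo "SUCCESS" ;;
        1)  echo "EINVLID: invalid login id" ;;
        2)  echo "USAGE: usage help returned" ;;
        5)  echo "ENOSUID: cannot SUID appropriately" ;;
        9|10) echo "group does not exist ($1)" ;;
        16) echo "EINPWD: already exists in passwd database" ;;
        17) echo "EINTCB: already exists in TCB database" ;;
        18) echo "ENOTEMP: template does not exist" ;;
        19|20|21) echo "home directory mkdir/chown/chmod failed ($1)" ;;
        *)  echo "error $1" ;;
    esac
}

# First field of a passwd-format line; fails on blank and comment lines.
login_of_line() {
    case "$1" in ''|'#'*) return 1 ;; esac
    printf '%s\n' "${1%%:*}"
}

# Run user_create for every login in the extract. Codes 16 and 17 mean the
# account already exists, so re-running the batch is harmless; any other
# non-zero code is a real failure. Prints the number of failures.
create_from_extract() {
    extract=$1
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        login=$(login_of_line "$line") || continue
        rc=0; "$USER_CREATE" "$login" || rc=$?
        printf '%s: %s\n' "$login" "$(zuausr_status "$rc")" >&2
        case "$rc" in 0|16|17) ;; *) failed=$((failed + 1)) ;; esac
    done < "$extract"
    echo "$failed"
}

# Stand-alone use: ./batch_create.sh passwd.who
if [ $# -gt 0 ]; then
    create_from_extract "$1"
fi
```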
From: Communica Systems <comminc_at_iinet.net.au>
> 1. Is it possible (and how) to delegate some user, other than root, to
> register users with XSysAdmin and XIsso (with advanced security).
This is a difficult one, and the answer is quite technical, involving
permission sets in the user's tcb file.
If you have a look at the Root entry, you will see that it has a large
number of permissions that are used in it, but not used in any other
user's entry.
When I looked at doing this about 12 months ago, it was suggested that
the user being given 'isso' privilege should have 500 < UID < 1000.
This should give the user permission to run XIsso.
In the B2 secure version of OSF (3.1,I believe) these permissions are
all available, and supposed to be implemented. (Have not checked it
myself, so I do not know.)
The bookreader docs on the use of TCB and C2 security are reasonable,
but not great, especially if you are attempting to do something like
this that is not currently supported by Digital.
From: "THOMSON, Dave" <THOMSOND_at_wellington.ecnz.co.nz>
> 1. Is it possible (and how) to delegate some user, other than root, to
> register users with XSysAdmin and XIsso (with advanced security).
I haven't found a way yet.
> 2. Is it possible to register users (with XSysAdmin and XIsso - enhanced
> security) simultaneously on 2 or more terminals (because we have lots
> of users to register every day).
If you have set up your system to allow root to log on from anywhere (or
alternatively su from other people) then you can have multiple XSysadm and
XIsso sessions running. Note that XSysadm and XIsso sometimes have
difficulty passing information (e.g. if you have both running at the same
time and create a user in XSysadm, XIsso often doesn't recognise that a user
has been created). I generally create all the users in XSysadm first, set
passwords for all of them, then run XIsso to unlock them.
Received on Thu Jan 25 1996 - 18:02:15 NZDT