Home > Archive > Unix administration > August 2006 > is this appropriate way to restrict account access?
is this appropriate way to restrict account access?
Mistton 2006-08-18, 1:33 pm
Running Sun OS on a Unix box.
We have 6 accounts used for:
- 1 used for IT support staff to log in
- FTP by external apps (they have full access to the box)
- mainframe scheduler program to log in
Everybody seems to know the password to the support staff account, including business
users. We need to change account passwords to restrict it only to production
support staff. Also, FTP accounts have too much access.
However, changing the password will cause programs that are using it to FTP to
fail. Changing external programs will require extensive code review and
changes and is very expensive.
I have proposed the following:
- keep all current accounts and passwords the same but restrict the accounts
severely, limiting them to only r/w to specific dirs, restricting navigation, etc.
- create a new support account with new passwords for IT, transfer all ownership
of objects by other accounts to this account (except for some exceptions)
As a result, old accounts and software work without code change but are now
restricted to do what they were intended to do.
The new account will then be used for support.
tsar.peter@gmail.com 2006-08-22, 7:35 pm
Mistton wrote:
> Running Sun OS on a Unix box.
>
> We have 6 accounts used for:
>
> - 1 used for IT support staff to log in
> - FTP by external apps (they have full access to the box)
> - mainframe scheduler program to log in
>
> Everybody seems to know the password to the support staff account, including business
> users. We need to change account passwords to restrict it only to production
> support staff. Also, FTP accounts have too much access.
>
> However, changing the password will cause programs that are using it to FTP to
> fail. Changing external programs will require extensive code review and
> changes and is very expensive.
>
> I have proposed the following:
>
> - keep all current accounts and passwords the same but restrict the accounts
> severely, limiting them to only r/w to specific dirs, restricting navigation, etc.
> - create a new support account with new passwords for IT, transfer all ownership
> of objects by other accounts to this account (except for some exceptions)
>
> As a result, old accounts and software work without code change but are now
> restricted to do what they were intended to do.
>
> The new account will then be used for support.
As no one answered, I'll try.
You are on the right track.
For FTP, try to reconfigure so FTP is chrooted, thus not able to reach
areas outside its dedicated area (this will affect where the FTP-ed files are
located).
It's not clear what you mean by "mainframe scheduler program", but
you might find 'sudo' handy, allowing a less-privileged user to run
specified programs with elevated privs.
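The two pieces of advice in this thread, confining an automation account to its own directory tree (the original poster's "r/w to specific dirs" proposal) and handing a scheduler account a single command via sudo, can be expressed as a small POSIX shell script. This is an added example, not code posted by either participant; the account names, paths and the sudoers rule are assumptions, and the demo at the bottom runs unprivileged under a scratch directory. A chrooted FTP daemon is configured separately in the daemon's own config; the layout below is the directory tree such a chroot would point at.

```shell
#!/bin/sh
# Added example (not from the thread). Lays out a confined home for an
# automation account (the FTP or scheduler logins discussed above) so the
# account can write only inside its own subdirectories, verifies the
# resulting mode bits, and emits a matching least-privilege sudoers rule.
# Account names, paths and the command in the sudoers rule are assumptions.

# make_confined_tree BASE [OWNER]
# BASE is left read-only (mode 0555) so the account cannot create, rename
# or delete entries at the top level; BASE/incoming and BASE/outgoing are
# the only writable places (mode 0700). OWNER is applied only when running
# as root, because chown needs privilege; unprivileged callers keep the
# tree owned by themselves, which is enough to demonstrate the layout.
make_confined_tree() {
    base="$1"; owner="${2:-}"
    mkdir -p "$base/incoming" "$base/outgoing" || return 1
    chmod 0700 "$base/incoming" "$base/outgoing" || return 1
    chmod 0555 "$base" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$base/incoming" "$base/outgoing" || return 1
    fi
    return 0
}

# mode_of PATH: print the symbolic mode string (e.g. drwxr-xr-x). ls(1) is
# used instead of stat(1) because stat's options differ between Solaris,
# Linux and BSD; cut drops any trailing ACL/xattr marker in column 11.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_confined BASE: succeed only if the layout still matches the intended
# restriction. Run it after any change; a "chmod 777 to make it work" is the
# usual way such restrictions erode, and this check catches that drift.
check_confined() {
    base="$1"
    [ "$(mode_of "$base")" = "dr-xr-xr-x" ] || return 1
    [ "$(mode_of "$base/incoming")" = "drwx------" ] || return 1
    [ "$(mode_of "$base/outgoing")" = "drwx------" ] || return 1
    return 0
}

# sudoers_rule USER HOST COMMAND: print a sudoers entry letting USER run
# exactly COMMAND (full path) as root on HOST, without a password, so a
# scheduler account needs no shared privileged login. Install the output
# with visudo rather than editing /etc/sudoers by hand.
sudoers_rule() {
    printf '%s %s = (root) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Constructed demo: build and verify a tree under a scratch directory, print
# an example rule for a hypothetical scheduler account, then clean up.
demo_base="${TMPDIR:-/tmp}/confined-ftp-demo.$$"
if make_confined_tree "$demo_base" && check_confined "$demo_base"; then
    echo "layout OK: $demo_base"
fi
sudoers_rule schedacct ALL /usr/local/bin/run-batch.sh
chmod -R u+w "$demo_base" 2>/dev/null && rm -rf "$demo_base"
```

In production the base directory would be owned by root and the two subdirectories by the service account, with the FTP daemon's chroot set to the base; the check function then doubles as a periodic audit of whether anyone has loosened the permissions.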