04-27-05 10:45 PM
> 1) how to make a user equal to root to do necessary admin tasks? being
> member of sys group does not help either.
You really can't in the traditional sense. Linux permissions are *WAY*
different from Netware permissions, and the traditional POSIX (standard
linux) permissions are *much* more restrictive than Netware permissions,
because they don't support access control lists.
POSIX ACL's do exist now, but not all linux programs recognize them, so
there's a chicken-and-egg problem until all Linux programs support POSIX
ACLs. Any program that doesn't support POSIX ACL's simply ignores them
and may even remove them from files, making them useless.
Root isn't a user per se, it's an account that is fully exempt from
access control. If you'll pardon the nerdy analogy, you can think of
root as Neo from the Matrix, the rules simply don't apply to him, while
they do apply to everyone else.
And there is only one "root" user. You cannot create another "root"
user, i.e. an access control except user. Adding a user to the root
group doesn't help either, because they still won't be able to access
any file that doesn't belong to the root group.
To complicate matters further, not every user in eDirectory can log into
linux (in terms of bringing up a shell either from the console or
through SSH). You have to specifically map certain eDirectory users to
certain Linux users. This is all made much easier with Linux User
Management introduced with OES.
However, I have developed two solutions to this problem of how to have
multiple admins from eDirectory:
If you want a user to be able to "become" root:
1. add sufficient pam_wheel.so group=netmins to the /etc/pam.d/su file
near the top. This allows anyone in the "netmins" group to execute the
su command without a password (which allows them to become root).
2. Use Linux User Management to give your eDirectory admin users a POSIX
user ID and the netmins group a POSIX group ID.
3. Now when your admin users log in, they can type "su" and will become
root.
This solution has flaws:
1. It's an all or nothing approach. You can't limit only certain
commands to be allowed to be run as root.
2. Anyone with this privilege can su to any other user on the system,
not just root. A nefarious person could do some serious damage while
pretending to be someone else on the system, causing that person to take
the blame.
The better solution is using sudo. sudo allows people to execute single
commands "as" root, but doesn't allow them to become root. It also is
much more granular. However, it's not as easy to work with. You have to
type sudo before every command you want to run as root, you can't simply
just execute it. However, if you want the "become" root functionality
like above, you can give them rights to execute a shell with sudo (i.e.
sudo /bin/bash)
There's lots of documentation about sudo out there, and if you set up
Linux user management. However, you have to set up the sudo on each
individual server through a text file, there's no central management.
There are solutions that allow sudo to read its configuration file from
LDAP, allowing for centralized management, but these are not supported
by Novell and require you to build a custom version of sudo (or use an
RPM like the ones I build).
I plan to write an article and howto on this someday, as it seems to
come up a lot.
> 2) how to get rid of powersave error when log into system?
Here's the docs on powersave:
http://www-uxsup.csx.cam.ac.uk/pub/...>wersave.html
Powersave only causes this error through VNC that I've found. It's
simply a cosmetic error if you're doing remote management that way, and
as such I haven't bothered to find a solution yet.
Hope that helps,
__________________________
Justin Grote
Network Architect
JWG Networks
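As an added example (my own audit script, not part of Justin's post or of OES), the two "become root" set-ups the reply contrasts can be checked on a server: a pam_wheel "trust" line in /etc/pam.d/su hands the whole group a password-less su, and sudoers entries that grant ALL or a shell are the sudo equivalent. The group name, command paths and both sample files below are constructed for the demonstration.

```shell
#!/bin/sh
# Report which groups get password-less su via pam_wheel, and which sudoers
# rules amount to unrestricted root (ALL, or a shell such as /bin/bash).

# Print the group= value of every "auth sufficient pam_wheel.so ... trust"
# line. Without "trust", pam_wheel only restricts su to the group; with
# "trust" the group's members su without being asked for a password.
passwordless_su_groups() {
    grep -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so' "$1" \
      | grep -E '(^|[[:space:]])trust([[:space:]]|$)' \
      | sed -n 's/.*group=\([^[:space:]]*\).*/\1/p'
}

# Print sudoers rules (comments and blank lines skipped) whose command list
# is ALL or a shell, i.e. rules that give "become root" rather than single
# commands.
unrestricted_sudo_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E '(^|[[:space:]])ALL[[:space:]]*$|/bin/(ba)?sh([[:space:]]|$)'
}

# Constructed sample files standing in for /etc/pam.d/su and /etc/sudoers.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat >"$tmpdir/su" <<'EOF'
auth sufficient pam_wheel.so trust group=netmins
auth required   pam_wheel.so group=wheel
auth include    common-auth
EOF
cat >"$tmpdir/sudoers" <<'EOF'
# netmins may only restart sshd, and are prompted for their own password
Cmnd_Alias SERVICES = /sbin/service sshd restart
%netmins ALL = SERVICES
# legacy entry: a full shell, which is the same as letting them su
%oldadmins ALL = /bin/bash
bob ALL=(ALL) ALL
EOF

echo "groups with password-less su:"
passwordless_su_groups "$tmpdir/su"
echo "sudoers rules granting unrestricted root:"
unrestricted_sudo_rules "$tmpdir/sudoers"
```

On a real host point the two functions at /etc/pam.d/su and /etc/sudoers (plus any /etc/sudoers.d files) instead of the samples.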