is this appropriate way to restrict account access?

    is this appropriate way to restrict account access?  
Mistton




 
08-18-06 06:33 PM

Running Sun OS on a Unix box.

Have 6 accounts used for:

- 1 used for IT support staff to log in
- FTP by external apps (they have full access to the box)
- mainframe scheduler program to log in

Everybody seems to know the password to the support staff account, including business users. We need to change account passwords to restrict it only to production support staff. Also, FTP accounts have too much access.

However, changing the password will cause programs that are using it to FTP to fail. Changing external programs will require extensive code review and changes and is very expensive.

I have proposed the following:

- Keep all current accounts and passwords the same but restrict the accounts, severely limiting them to only r/w to specific dirs, restrict navigation, etc.
- Create a new support account with new passwords for IT, transfer all ownership of objects by other accounts to this account (except for some exceptions)

As a result, old accounts and software work without code change but are now restricted to do what they were intended to do.

The new account will then be used for support.








    Re: is this appropriate way to restrict account access?  
tsar.peter@gmail.com




 
08-23-06 12:35 AM


Mistton wrote:
> Running Sun OS on a Unix box.
>
> Have 6 accounts used for:
>
> - 1 used for IT support staff to log in
> - FTP by external apps (they have full access to the box)
> - mainframe scheduler program to log in
>
> Everybody seems to know the password to the support staff account, including business users. We need to change account passwords to restrict it only to production support staff. Also, FTP accounts have too much access.
>
> However, changing the password will cause programs that are using it to FTP to fail. Changing external programs will require extensive code review and changes and is very expensive.
>
> I have proposed the following:
>
> - Keep all current accounts and passwords the same but restrict the accounts, severely limiting them to only r/w to specific dirs, restrict navigation, etc.
> - Create a new support account with new passwords for IT, transfer all ownership of objects by other accounts to this account (except for some exceptions)
>
> As a result, old accounts and software work without code change but are now restricted to do what they were intended to do.
>
> The new account will then be used for support.

As no one answered, I'll try.

You are on the right track.

For ftp, try to reconfigure so ftp is chrooted, thus not able to reach areas outside its dedicated area (this will affect where the ftp-ed files are located).

It's not clear what you mean by "mainframe scheduler program", but you might find 'sudo' handy, allowing a less privileged user to run specified programs with elevated privs.
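
Added example, not part of either post in this thread: two POSIX shell functions for auditing the plan discussed above. `owned_outside` lists what a legacy account owns outside the directory it is meant to be confined to (candidates for transfer to the new support account), and `world_writable` lists objects any account can still modify regardless of ownership. The function names and the paths in the usage comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the thread's plan; assumes a POSIX shell and find(1).
# Paths and account names shown in the usage comments are hypothetical.

# owned_outside ROOT ACCOUNT ALLOWED_DIR
# Print every object under ROOT owned by ACCOUNT (name or numeric uid) that
# lies outside ALLOWED_DIR. These are candidates for chown to the new support
# account, so the legacy account ends up owning only what it needs.
owned_outside() {
    oo_root=$1; oo_acct=$2; oo_allowed=$3
    find "$oo_root" -user "$oo_acct" -print 2>/dev/null |
    while IFS= read -r oo_path; do
        case $oo_path in
            "$oo_allowed"|"$oo_allowed"/*) ;;      # inside the permitted area
            *) printf '%s\n' "$oo_path" ;;
        esac
    done
}

# world_writable ROOT
# Print objects under ROOT that any account may write to. A restricted account
# can still modify these even after ownership has been moved away from it.
world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# Usage (hypothetical names):
#   owned_outside /export ftpapp1 /export/ftp/app1
#   world_writable /export
```

Running both before and after the ownership transfer gives a list to compare, so a restriction that was missed shows up as a remaining line of output.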






All times are GMT.