G    Division of Privileges

This appendix provides information about the division of administrative privileges using the DOP (division of privileges) utility.

G.1    Assigning System Administration Privileges

Without a division of privileges feature, only authorized root users (superusers) have access to many of the system administration programs. To split the responsibilities of administering systems, it is necessary to share the root password, a significant security risk. When an authorized person is removed from the list of authorized users, it is necessary to change the root account password.

The dop utility enables a root user to assign access to certain classes of administrative tasks to other users or groups of users. This enables a site to minimize access to the root account. Users or members of groups assigned a particular privilege can perform administrative tasks without knowing the root password. For example, a user granted the AccountManagement privilege can run the tasks listed under the Accounts branch of the SysMan Menu.

Administrative tasks (or actions) are organized into related groups and named for the particular privilege they confer to a user. For example, the Security privilege is extensive, and when granted to users other than root, it enables those users to run the following tasks:

dopconfig

Run dop, and grant privileges to other users.

Dopaction

Run from the Sysman Menu to grant privileges to other users.

secconfig

Configure the overall system security level.

auditconfig

Configure the audit environment on the system using the SysMan Menu interfaces.

dxaudit

Configure the audit environment on the system using the X11 compliant interface, Audit Configuration. This is available from the CDE Application Manager --> Configuration menu.

This organization of tasks ensures that no matter what type of interface the privileged user invokes, he or she will have the authority to use it as if they were the root user.

In contrast, other privileges, such as mailManagement, are not extensive, and grant only access to the mail management task. However, before granting privileges to groups, you should use SysMan Menu to ensure that the members of a group are appropriate candidates for the privileges. If NIS is in use, you should also check the members of NIS groups before assigning a NIS group any privileges. Use the SysMan Menu Accounts option to review groups, and if necessary, to create new groups of privileged users.

To view a complete list of privileges, invoke dop as described in the following sections, which also describe the process of granting privileges to users and groups.

G.2    Invoking dop

You can invoke dop by the following methods:

• From the command line, type dop followed by the command options you require. For information on the dop command options, refer to the dop(8) reference page. The command line is mostly used for maintaining the privilege database, but it does also enable you to launch privileged actions directly from the command line, as described in Section G.3.

• From a command-line on a terminal, you can also invoke the character-cell SysMan Menu interface to dop using the sysman dopconfig command.

• From the SysMan Menu Security option, expand the menu option list and select the option titled Configure Division of Privileges (DOP). The SysMan Menu interface for dop can be run from a terminal, a personal computer (using Java), or an X11-compliant windowing environment. Refer to the System Administration guide for information on using the SysMan Menu.

  When dop is run as a graphical user interface or SysMan Menu option, online help is available for the interface. For information on using this interface, see Section G.5. Note that you can also write scripts to access dop features using the SysMan Menu command-line interface sysman -cli. For more information, refer to the System Administration guide and the sysman_cli(8) reference page.

• From the CDE Application Manager, select the Configuration folder and invoke dop by clicking on the DOP icon. Note that this invokes the SysMan Menu and launches the X11 version of the interface. Refer to the System Administration guide for information on using CDE. When dop is run as a graphical user interface or SysMan Menu option, online help is available for the interface. For information on using this interface, see Section G.5.

G.3    Using the dop Command Line

You can maintain the dop database or attempt to run privileged actions (tasks or programs) using dop command-line options. The SysMan Menu option described in Section G.5 provides you with an easy way to look up privileges and actions; however it does not provide the dop database options available from the command line.

For a complete list of the command-line options, refer to the dop(8) reference page. Help on the dop command options can be obtained by typing dop -h.

The following sections provide some examples of using dop from the command line.

G.3.1    Launching Privileged Actions (Tasks)

You can attempt to run any action (a task or program) from the command line, and the dop utility verifies your access to the privilege against the privilege database as follows:

• If you are not root user, typing the command dop action prompts for the root password. For example:

  # dop users
  

• The -N option attempts to run the action without privileges. For example, to attempt to run the AccountManagement action users, enter:

  # dop -N users
  

• The -n option invokes a prompt asking if you want to run the command as yourself or as root user. You need the root password for the latter. To attempt to run the HostManagement action dxhosts unprivileged, type:

  # dop -n dxhosts
  

If you have the privilege, the action is launched. In this case, the user management interface of the SysMan Menu Accounts option is launched.

G.3.2    Administering the DOP Database

To administer the DOP database, you use certain command-line flags and options with the dop command. The database is a binary image to ensure security, so only the dop command should be used to make changes. Only the root user is permitted to make changes to the database.

Administering the database involves adding, deleting, or modifying database entries and updating (writing) the binary file. Before you perform any of these tasks, you need to gather the following information:

1. Optionally, an action name -- If you are adding actions to the database, you need to assign a name to it that enables you to easily recognize what program is being run by the action. For example, if you add /usr/bin/X11/xhost to the HostManagement privileges, you may want to name it hostmanager_cli to identify it as a command-line interface.

2. Required -- The names of any privileges that you plan to change. To obtain a complete list of privileges you need to use the SysMan Menu DOP option, as described in Section G.5.

3. Required -- The absolute paths to any programs that you intend to add to a privilege. For example, /usr/bin/X11/xhost. You also have an option to specify (or restrict) the type of user interfaces under which the action will be launched, such as X11 for CDE, or cli for command-line interface. Ensure that the program will run under any interfaces that you intend to specify. Programs that run under SysMan Menu will usually support the greatest range of interfaces.

Using the information you gathered and dop options, you can perform the following administrative tasks:

• Add new actions to the database, updating the binary image. For example, if you want to add the /usr/sbin/adduser utility to the AccountManagement privileges, use the following command:

  #dop -a AccountManagement adduser_script /user/sbin/adduser
  

  Note that this comand assigns the name adduser_script to the action and that name is used by privileged users to invoke the action. The dopaction editor (Manage DOP Actions) can also be used to add new actions and you will not have to worry about binary images.

  Using the method of viewing privileges described in Section G.5, you will see the new action added to the list of AccountManagement actions as follows:

  Priv AccountManagement is required by action(s)
  accounts
  users
  groups
  nis_users
  nis_groups
  adduser_script
  

• Delete existing actions from the database, updating the binary image. For example, if you want to select the /usr/sbin/adduser utility added in the previous example and remove it from the AccountManagement privileges, use the following command:

  # dop -d adduser_script
  

  The dopaction editor (Manage DOP Actions) can also be used to delete actions and you will not have to worry about binary images.

  Using the method of viewing privileges described in Section G.5, you will see that the action was removed from the list of AccountManagement actions as follows:

  Priv AccountManagement is required by action(s)
  accounts
  users
  groups
  nis_users
  nis_groups
  

• To write the binary image of the revised database, you have the following options:

  dop -w

  Writes the binary image without changing the source.

  dop -W

  Updates actionlist from the dop action file then writes binary image.

G.4    Defining and Managing New Actions

The Manage DOP Actions facility allows administrators to create new actions which include commands the actions execute as well as what privileges are required to run the actions. The Manage DOP Actions facility can be started from the Security branch of the SysMan Menu or from the command line with the following command:

# sysman dopaction

Caution

Compaq strongly recommends that users of the Manage DOP Actions facility do not modify the DOP actions that are supplied with the operating system. To do so might cause the system management facilities integral to the Tru64 UNIX system to fail. The Manage DOP Actions facility is provided to allow administrators to add and maintain new actions corresponding to tasks particular to their production environments.

G.5    Viewing or Modifying Privileges Using SysMan

The SysMan Menu option, Configure Division of Privileges (DOP), is located under Security. When you select this option, a window is displayed titled Configure DOP on hostname, where hostname is the name of the local system. This interface does not offer as many options as the dop command-line. Refer to the dop(8) reference page for more information on command line options, and see Section G.3 for examples of use.

The Configure DOP on hostname window enables you to view or modify the current assignment of privileges by adding new users and groups, or removing existing users and groups. The SysMan Privilege List: field contains a list of all the currently available privileges. The following are examples of some of the privileges on the list, and a brief description of what a privileged user or group can do:

1. AccountManagement -- Enables privileged users to create user accounts and groups on the local system. If NIS is in use, it enables the privileged user to create NIS accounts and groups.

2. EventManagement -- Enables privileged users to administer certain Event Management (EVM) services such as the SysMan Menu View events option or monitor.

3. HostManagement -- Enables privileged users to perform host management tasks associated with the dxhosts graphical interface or xhost command.

To view the current assignments of any privilege, either double-click on a list entry (such as PowerManagement) or highlight an entry and press the Modify... button.

A second screen titled Configure DOP: Modify privilege <privilege_name> is displayed, where privilege_name is the list item you selected, such as NetworkManagement. This window contains the following information and options:

• Description -- A brief description of the actions allowed under this privilege, and the list of actions that are allowed. For example, the following actions are displayed under AccountManagement:

  accounts
  users
  groups
  nis_users
  nis_groups
  

  This means that users who are granted the AccountManagement privilege can use any user account management interfaces, such as dxaccount or the SysMan Menu option Accounts - Manage local users.

• Specific users granted this privilege -- A space-separated list of user names from the /etc/passwd file. Every user in this list is currently a privileged user. The field is blank if no users or groups have been granted this privilege.

• Specific groups granted this privilege -- A space-separated list of groups from the /etc/groupfile. Every member of every group in this list is currently a privileged user. The field is blank if no users or groups have been granted this privilege.

• Browse... -- These buttons enable you to browse a list of all authorized system users and groups as follows:

  • Browse Specific users -- Displays an alphabetic scrolling list of all authorized users from the /etc/passwd file. If NIS is in use, you will be shown all NIS users who have access to the local system. Use the mouse pointer to double-click on any user name to select that user.

  • Browse Specific groups -- Displays an alphabetic scrolling list of all groups from the /etc/group file. If NIS is in use, you will be shown all NIS groups who have access to the local system. Use the mouse pointer to double-click on any group to select that group.

    Any authorized member of that group will be granted the privilege. You may want to create your own groups of privileged users so that you can administer privileges more easily. Refer to the System Administration guide for information on creating groups.

You can modify the existing privilege assignments, adding or removing existing users and groups, as follows:

1. In the window titled Configure DOP on hostname, select the required privilege and press the Modify... button.

2. In the window titled Configure DOP: Modify privilege <privilege_name>, change the assignments as follows:

   1. To administer users, type (or delete) user names from the space-separated list. Use the Browse... option button to view a list of current system users.

   2. To administer groups, type (or delete) group names from the space-separated list. Use the Browse... option button to view a list of current groups.

   3. Press OK to update the DOP database and exit from the window, or press Cancel to abort the operation. You will be returned to the previous window, where you can select another privilege or exit and return to the SysMan Menu.

Refer to the online help for more information on the options.