Manualshelf

Managing Systems and Workgroups: A Guide for HP-UX System Administrators

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU
101102103104105106107108109110
Planning a Workgroup
Managing Users Across Multiple Systems
Chapter 2102
Managing Users Across Multiple Systems
If your users regularly log in to more than one system, you need to think
about both security and logistics. The following guidelines may be
helpful.
Guidelines
Maintain unique, “global” user IDs across systems.
You need to ensure that each login name has a unique user-ID
number (uid) across all the systems on which the user logs in;
otherwise one user may be able to read another user’s private files.
This is a serious potential problem whether or not the home directory
is NFS-mounted.
SAM (the menu-driven System Administration Manager) will warn
you if you choose a uid that is not unique on the local system, but
this may not be enough. For example, if user jack has a uid of 215
and gid (group id) of 20 on his own system, and you set him up with
the same uid and gid on a remote system (for example by cutting
and pasting his /etc/passwd entry from the local to the remote
system), and user jill on the remote system already has uid 215
and gid 20, then jack will be able to read jills private files.
Conversely, suppose you use SAM to make sure that jack has a
unique ID on each system. SAM verifies that uid 215 is unique on
jack’s local system, and that 301 is unique on jill’s system. Both
systems have a directory named /common_stuff NFS-mounted from
a file server. When jack logs in to jill’s system, he may find he
cannot read some of his own files under /common_stuff; he in fact
won’t be able to read any files he has saved on his own system with
user-read-write or user-read-only permissions.
This comes about because HP-UX looks strictly at the uid and gid
fields when checking who has permission to do what to a file; the
user name is irrelevant.