Chapter 4. Account Management
Currently only the Sauron's Web Interface uses user accounts and privileges. A text-based interface (to be used via SSH or locally) is planned and will use the same user accounts and privileges as the web interface.
There are two ways to assign privileges to users either directly setting privileges to a user or assigning user to a user group and then setting privileges to that user group. It is recommended to use user groups to grant users privileges, since when there is large number of user accounts, it is much easier to modify permissions of a user group than having to modify each user's permission individually.
 | There is no access control when using the command-line utilities. Thus, it may be necessary protect access to the Sauron database (in PostgreSQL) and configuration file config (if it contains password to access the database). |
Managing User Accounts
For managing user accounts there are several command-line utilities: adduser, moduser, and deluser. Following sections show how to do basic administrative tasks using these utilities.
Creating User
User accounts are created using adduser utility. This utility allows adding user accounts either interactively or in batch mode by specifying all the required information on command-line. Following example shows how to add normal user account interactively (see the Section called adduser in Chapter 6 for information how to use this command in non-interactive mode). To add new user into Sauron simply run adduser command from Sauron top-level directory:
./adduser
|
Enter username: pippin
Enter group name (empty for none): hobbits
Enter user description (full name): Peregrin Took
Enter user email address: pippin@shire.middle.earth
Enter optional user info:
Enter account expiration date (dd-mm-yyyy, +<n>d, +<n>y) [none]:
Enter password [UtH4RCda]:
Username: pippin
Group: hobbits (GID=1)
Longname: Peregrin Took
email: pippin@shire.middle.earth
comment:
expiration: <none>
superuser: false
Add this user [y/n]?y
User pippin added successfully.
|
Setting Privileges
Accounts must have some privileges (except superuser/administrator accounts) for them to be useful. Privileges can be assigned directly to the user account using moduser utility or indirectly to a group using modgroup utility.
Typically user (or group) is assigned one or more "server" privileges that grant user read-only access into those server(s). Then user is assigned "zone" privileges that grant user access into all hosts inside certain zone(s). If needed, user's access into all hosts inside the zone(s) user has write access can be further limited by assigning restrictive privileges to limit users access to only a subset of hosts inside the zone(s). For this there are rules to limit access by hostname (regexp) or by IP number (either by network/subnet or by IP-mask). See Table 4-1 for complete list of available user/group privileges.
Table 4-1. Account/Group Privileges
| Type | Target | Description | Value |
|---|---|---|---|
| Server | server ID | Controls the access to a server and all zones inside the server. | R=read access, RW=read/write access, RWX=read/write access (with less restrictions) |
| Zone | zone ID | Controls the access to a zone. | R=read access, RW=read/write access, RWX=read/write access (with less restrictions) |
| Net | net ID | Limits users ability to use only IP addresses within "auto assign ranges" of the networks/subnets listed by the Net rules. | |
| IP mask | Limits users ability to use only IP addresses to those matching the IP-mask | IP-mask (for example: 192.168.1-10.* | |
| Hostname mask | Limits user to be able to modify only hosts with domainname matching any of Hostname mask rules. | regular expression (for example: ^\.math$) | |
| Authorization Level | Defines user's authorization level. This can be used to control users access into templates/groups, and also to control how much information about networks is displayed to the user. | authorization level (0-999, 0=default) | |
| Host Expiration Limit | If defined, user can only create host entries that expire in n days or sooner. | expiration limit (in days) | |
| Default Department | Default Department field value for new hosts. | Department Name |
In addition to modifying the user account itself, moduser utility can also be used to modify user privileges. To add privileges interactively for given account, just invoke moduser with --add option. For example:
./moduser pippin --add
|
./moduser pippin
|
Username: pippin (id=2)
longname: Peregrin Took
email: pippin@shire.middle.earth
info:
superuser: No
group: hobbits (gid=1)
passwd status: valid (CRYPT)
last login:
account expiration: <never>
account created: Sat Feb 15 00:18:40 2003 by tjko
last modified: <never>
ID Type Ref. Mode
------ -------- ------------------------- --------------------------------
[User privileges]
3 hostname \.shire$ (hostname constraint)
[Group (hobbits) privileges]
1 server test R
2 zone test:middle.earth RW
|
Removing User
User account can be removed using deluser utility. This utility works interactively when started without any arguments. To remove user(s) non-interactively use --user=<username>
To remove user account interactively, simply start deluser without any arguments from Sauron top-level directory:
./deluser
|
Disabling User Temporarily
It is also possible to disable (lock) user accounts without actually removing them, using moduser utility with --lock option.
Locking user account "pippin", issue following command from Sauron top-level directory:
./moduser pippin --lock
|
Listing Users
To list all users in Sauron database, use moduser command with --list option. This will list all the users as well as user's group, name, and email information. This can be done from Sauron top-level directory as follows:
./moduser --list
|