[Tiger-devel] FW: Help for something - FAA OKC
Banks, Ralph
2005-02-10 19:27:25 UTC
I need to confirm if your product can help my customer.

REQUIREMENT MSG:
Ralph,

I'm gone till Friday, but I was wondering if you could query some of your
experts for a tool that can get Unix group information, such as what
groups there are, who is in each group, and what directories that group
has access to (permissions).

We can do this with Unix commands, but it seems to eat CPU cycles and
slows processing.

We are getting beat up on this from our auditors as not being able to
provide this timely. I'm looking for a tool that can do this automated as
a batch but doesn't use too many resources and can be run on demand or at
least within 24 hrs.

--------------------------
Ancil Davis

NOW - Jim Bates send me an email about http://www.nongnu.org/tiger/

The system it would run on is a GS1280 Alpha server running Tru64 unix
from HP.

Can this product perform the requirements explained above?

Ralph Banks
HP Account Manager
Department of Transportation
Phone: 301-743-4396
Fax: 301-392-2774
www.hp.com

-----Original Message-----
From: Bates, Jim
Sent: Thursday, February 10, 2005 1:58 PM
To: Banks, Ralph
Subject: RE: Help for something - FAA OKC

Hi Ralph,

I'm not personally experienced with this tool but it sounds like it
might do what you want.

http://www.nongnu.org/tiger/

Jim

-----Original Message-----
From: Banks, Ralph
Sent: Thursday, February 10, 2005 6:52 AM
To: Bates, Jim
Subject: FW: Help for something - FAA OKC


Morning Jim. Please look at the requirement from Ancil Davis below and let
me know if you know of a product that can help with Ancil's requirement.

thanks

Ralph Banks
HP Account Manager
Department of Transportation
Phone: 301-743-4396
Fax: 301-392-2774
www.hp.com

-----Original Message-----
From: ***@faa.gov [mailto:***@faa.gov]
Sent: Tuesday, February 08, 2005 2:25 PM
To: Banks, Ralph
Cc: ***@faa.gov
Subject: Help for something


Ralph,

I'm gone till Friday, but I was wondering if you could query some of your
experts for a tool that can get Unix group information, such as what
groups there are, who is in each group, and what directories that group
has access to (permissions).

We can do this with Unix commands, but it seems to eat CPU cycles and
slows processing.

We are getting beat up on this from our auditors as not being able to
provide this timely. I'm looking for a tool that can do this automated as
a batch but doesn't use too many resources and can be run on demand or at
least within 24 hrs.

--------------------------
Ancil Davis
Sent from my Blackberry
Javier Fernandez-Sanguino
2005-02-15 00:50:52 UTC
Post by Banks, Ralph
I need to confirm if you product can help my customer.
Well, the Tiger tool cannot perform the listing you want, although it
could be adapted to do it (since some of the code is already there).
See below.
Post by Banks, Ralph
I'm gone till Friday, but I was wondering if you could query some of your
experts for a tool that can get Unix group information, such as what
groups there are, who is in each group, and what directories that group
has access to (permissions).
We can do this with Unix commands, but it seems to eat CPU cycles and
slows processing.
The only way to do this (in any Unix system I know of, unless using
MAC controls like RSBAC or SELinux) is to first retrieve the bits
of information from the group and password databases and then go
through the full filesystem in order to review which directories a
group has access to.

Don't know, maybe something like this could do the trick (there are
some caveats, however). The following could be run on the system
(reniced if it's too CPU intensive), and a similar thing could be coded
in C.


------------------------------------------------------------------------
#!/bin/sh

# Sample script to list users that have access to directories
# based on the ownership and directory configuration

STARTDIR=/home

# Print the nine permission bits of a path as "1 1 1 0 1 1 0 0 1"
# (rwx for user, group, other). "-", "S" (setuid/setgid without x)
# and "T" (sticky without x) mean the bit is not set.
getpermit() {
    ls -ld "$1" |
    awk '{
        for(i=2;i<11;i++){
            c = substr($1, i, 1);
            if(c == "-" || c == "S" || c == "T")
                printf("0 ");
            else
                printf("1 ");
        }
        printf("\n");
    }'
}

# TODO: This does not take into account that access might be
# overriden by parent directory

# Note: -printf is a GNU find extension; other finds need -exec ls -ld
# or a different way of producing "mode uid gid path" lines.
find "$STARTDIR" -type d -printf "%m %U %G %p\n" |
while read mode uid gid dir; do
    # Run ls once per directory and split the nine bits
    set -- `getpermit "$dir"`
    umod="$1$2$3"
    gmod="$4$5$6"
    omod="$7$8$9"
    echo "Permissions for $dir:"
    awk -F : '{ print $1" "$3; }' /etc/passwd |
    while read cuser cuid ; do
        found=0
        if [ "$uid" = "$cuid" ] ; then
            printf "\t%s (mode: %s) <owner>\n" "$cuser" "$umod"
            found=1
        else
            # A for loop, not a piped while: a piped while runs in a
            # subshell and its found=1 would be lost.
            for cgid in `id -G "$cuser"`; do
                if [ "$cgid" = "$gid" ] ; then
                    # Group membership decides even when the group bits
                    # are 000; a member never falls through to "other".
                    found=1
                    if [ "$gmod" != "000" ] ; then
                        printf "\t%s (mode: %s) <group %s>\n" "$cuser" "$gmod" "$gid"
                    fi
                fi
            done
        fi
        # TODO: this is not necessarily true, if (all) access to the parent dir
        # is prohibited this is prohibited
        if [ "$found" -eq 0 ] && [ "$omod" != "000" ] ; then
            printf "\t%s (mode: %s) <other>\n" "$cuser" "$omod"
        fi
    done
done
------------------------------------------------------------------------
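The shell script above spawns ls and id for every directory/user pair, which is the same CPU cost the original request complains about, and it leaves two caveats as TODOs: a user who cannot search (x) a parent directory cannot reach anything below it, and Unix picks exactly one permission class (owner, else group, else other), so a group member whose group bits are 000 gets nothing even when "other" has rwx. The following is an added example, not code from this thread or from the Tiger project: it loads passwd and group once, walks the tree once, and applies both rules. The passwd/group snippet, the users and the directory tree are constructed for the demo; scan_tree() is an assumed helper (os.walk plus os.lstat) showing how to build the same tree from a real start directory.

```python
import os
import stat

# Constructed sample passwd/group data (not taken from the thread)
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/sh
"""
GROUP = """\
root:x:0:
alice:x:1000:
bob:x:1001:
carol:x:1002:
audit:x:2000:alice,bob
"""

# Constructed directory tree: path -> (permission bits, uid, gid)
TREE = {
    "/home":              (0o755, 0, 0),
    "/home/alice":        (0o700, 1000, 1000),
    "/home/alice/shared": (0o775, 1000, 2000),  # group-writable, but parent is 700
    "/home/audit":        (0o750, 0, 2000),
    "/home/audit/logs":   (0o770, 0, 2000),
    "/home/drop":         (0o705, 0, 2000),     # group gets nothing, others do
}


def load_users(passwd_text, group_text):
    """Parse passwd/group contents into {user: (uid, set_of_gids)}.
    Done once up front instead of one 'id -G' per user per directory."""
    users = {}
    for line in passwd_text.splitlines():
        name, _, uid, gid = line.split(":")[:4]
        users[name] = (int(uid), {int(gid)})
    for line in group_text.splitlines():
        _, _, gid, members = line.split(":")[:4]
        for member in filter(None, members.split(",")):
            if member in users:
                users[member][1].add(int(gid))
    return users


def class_bits(mode, uid, gid, user_uid, user_gids):
    """The rwx triple (0-7) that applies to one user on one inode.
    Exactly one class applies: owner, else group, else other. A group
    member whose group bits are 000 does NOT fall through to 'other'."""
    if user_uid == 0:
        return 7          # DAC bits do not restrict root
    if user_uid == uid:
        return (mode >> 6) & 7
    if gid in user_gids:
        return (mode >> 3) & 7
    return mode & 7


def effective_access(tree, users):
    """Return {dir: {user: 'rwx'-style string}} listing only users who can
    reach the directory. Reaching it needs the search (x) bit on every
    ancestor inside the scan; that is the parent-directory caveat."""
    reachable = {}   # (user, dir) -> bool
    result = {}
    for path in sorted(tree, key=len):        # ancestors sort before children
        mode, uid, gid = tree[path]
        parent = path.rsplit("/", 1)[0] or "/"
        result[path] = {}
        for user, (user_uid, user_gids) in users.items():
            if parent in tree and not reachable[(user, parent)]:
                reachable[(user, path)] = False
                continue
            bits = class_bits(mode, uid, gid, user_uid, user_gids)
            reachable[(user, path)] = bool(bits & 1)
            if bits:
                result[path][user] = "".join(
                    ch if bits & bit else "-"
                    for ch, bit in (("r", 4), ("w", 2), ("x", 1)))
    return result


def scan_tree(start):
    """Assumed helper: build a TREE-shaped dict from a live filesystem in
    one walk (one lstat per directory, no ls/id subprocesses)."""
    tree = {}
    for root, _dirs, _files in os.walk(start):
        st = os.lstat(root)
        tree[root] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return tree


if __name__ == "__main__":
    access = effective_access(TREE, load_users(PASSWD, GROUP))
    for path in sorted(access):
        print("Permissions for %s:" % path)
        for user, perms in sorted(access[path].items()):
            print("\t%s (%s)" % (user, perms))
```

On a real host, replace TREE with scan_tree("/home") and the two strings with the contents of /etc/passwd and /etc/group; the output keeps the "Permissions for <dir>:" blocks of the shell script, and the whole run is one directory walk plus a dictionary lookup per user, so it can be reniced or scheduled from cron without the per-directory process spawning.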