Managing Users and Groups


As with any operating system, one must administer users and groups. On most UNIX systems, the user with unlimited privilege and responsibility is the root user, also known as the superuser. In IPSO, the user admin takes the place of the root user but has all the same privileges. Whenever you need to make changes to your NSP, you log in as admin because this account has read/write capability to system configuration files and full system access. In this section, we show you how to change the password on your admin account, how to create and delete user accounts, and how to configure groups on your UNIX system.

Users

To manage users on your Nokia system, log in to Voyager and click Config. From here, click Users under the Security and Access Configuration heading. You should be presented with a screen like the one shown in Figure 20.11.

Figure 20.11: Managing Users

The admin User

As mentioned previously, the admin user is the superuser on the system. If you review the settings for admin in the User Management display, you will see that admin has a UID and a GID of 0. UID stands for user ID, and GID stands for group ID. A UID of 0 is what gives the admin account superuser privileges on the system; these values mean the same thing on almost all UNIX systems. Other information listed on this page is the home directory, which is /var/admin, and the shell that admin uses, /bin/csh (pronounced "C-shell").

You configure a password for the admin user during the initial configuration of your Nokia platform. If you want to change the password for this user, follow this procedure:

  1. From the User Management screen, fill in the Old password, New password, and New password (verify) fields, as shown in Figure 20.11.

  2. Click Apply.

  3. Click Save and you will be presented with a login prompt to reauthenticate.

  4. Enter admin and the new password.

  5. Click Save again, if the option is still available.

You have the option of accepting or requiring S/key authentication for the admin user on this screen as well.

Note

Using CLISH, you can change the admin user password with the following command:
Nokia> set user admin passwd
Nokia> save config

The monitor User

The monitor user is available in IPSO as a read-only user. Once this user is enabled, you can log in as monitor through Voyager to view system configuration and resources, but you cannot make any changes to the configuration. This account is predefined in Voyager with the following values:

  • Name: Monitor

  • UID: 102

  • GID: 10

  • Home Directory: /var/monitor

  • Shell: /bin/csh

  • Password: None (cannot log in)

By default, the monitor user has no password and cannot log in to the system. To enable the monitor user shown in Voyager, fill in the New password fields, click Apply, and then click Save.

Other Users

You can create other users to log in to the IPSO system and Voyager. If you create a user with UID 0, that user will have read/write access through Voyager and the same permissions that the admin user has in IPSO. Other read-only user accounts can be created too; simply use a unique nonzero UID for each new account. To create another user from the User Manager configuration screen:

  1. Scroll down to the Add new user section and type a username, UID, and home directory for the new user. For another superuser, enter a UID of 0.

  2. Click Apply.

  3. Next, enter a password into the New password text boxes for the new user and click Apply again.

  4. Click Save.

Users without admin access will not be able to run the new command-line shell CLISH, but they can log in to IPSO and run commands to view system resources and configuration settings. These users will not be able to make any changes that will affect the system. If you would like to give some of these users certain privileges, you could do so by setting up groups, which is discussed in the next section.

You can view the users who are logged in to your system with the command w. If you type w while logged in to your Nokia, you should see output similar to the following. This output includes the current time, the time that has passed since the system was last rebooted, the number of users logged in to the system, and the system CPU load average over 1-, 5-, and 15-minute intervals.

gatekeeper[cherie]# w
10:28PM  up 2 days, 11 mins, 4 users, load averages: 0.03, 0.05, 0.00
USER     TTY FROM              LOGIN@  IDLE WHAT
admin    d0  -                Thu10PM 11:09 -csh (csh)
monitor  p0  10.10.10.3       Fri07PM  1:26 -csh (csh)
fwadmin  p1  10.10.10.3        9:01PM     - -csh (csh)
cherie   p2  10.10.10.3       10:28PM     - w
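As an added example (not from the book), the following POSIX shell function reads the session listing that w prints, in the column layout shown above, and reports any remote session whose FROM address does not fall inside an expected management network. The sample input is constructed: it is the listing above with the fwadmin session's source changed to an address outside 10.10.10.0/24 so the check has something to report; the prefix test assumes a FROM column that is "-" for console logins, as in the listing.

```shell
#!/bin/sh
# Added example: flag interactive sessions in `w` output whose source
# address lies outside an allowed management network. Pipe live `w`
# output into sessions_outside; here constructed sample text is used.

# Print "user tty from" for each session whose FROM field does not start
# with the given prefix. The console login ("-" in FROM) is ignored.
sessions_outside() {
    allowed_prefix=$1
    awk -v p="$allowed_prefix" '
        NR <= 2 { next }                 # skip the uptime line and header
        $3 == "-" { next }               # console/serial login, no source
        index($3, p) != 1 { print $1, $2, $3 }'
}

# Constructed sample: the listing from the text, with the fwadmin session
# coming from an address outside the 10.10.10.0/24 management network.
SAMPLE_W='10:28PM  up 2 days, 11 mins, 4 users, load averages: 0.03, 0.05, 0.00
USER     TTY FROM              LOGIN@  IDLE WHAT
admin    d0  -                Thu10PM 11:09 -csh (csh)
monitor  p0  10.10.10.3       Fri07PM  1:26 -csh (csh)
fwadmin  p1  192.168.50.7      9:01PM     - -csh (csh)
cherie   p2  10.10.10.3       10:28PM     - w'

# Usage: the trailing dot keeps 10.10.100.x from matching 10.10.10.x.
printf '%s\n' "$SAMPLE_W" | sessions_outside "10.10.10."
```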

Note

Use the following commands to add a new user using CLISH:
Nokia> add user camon uid 104 homedir /var/camon
Nokia> set user camon passwd
Nokia> save config

Groups

One way that you can give privileges to users without giving them carte blanche access to your system is to create groups of users. Then you can assign certain permissions to these groups, so that any user who is a member of the group will have the ability to perform certain functions. For example, if you are running Check Point FireWall-1, only admin users can run the programs in $FWDIR/bin. However, if you want to allow a couple of other users the ability to log in and stop or start firewall services or add licenses to the firewall (FireWall-1 4.1 only), you could create an fwadmin group (see the Group Management screen in Voyager in Figure 20.12). After the group is created, you can go into the cpconfig utility and set group permissions on the $FWDIR directories. If you have Check Point FireWall-1 4.1 installed, follow these steps to set up group permissions on your Nokia firewall:

Figure 20.12: Group Management

  1. Log in to Voyager and click Config.

  2. Click Groups under the Security and Access Configuration heading.

  3. Fill in the Group Name: fwadmin under the Add Group Name heading and enter a new GID of 100. See Figure 20.12 for an example.

  4. Click Apply. You will now see a new group listed along with the default groups other and wheel.

  5. The next step is to add users to your fwadmin group. To do this, enter an existing user account into the field labeled Add new member. For our example, let's add a user called sysadmin that was created previously.

  6. Click Apply and then click Save.

  7. Now log in to IPSO as admin and run cpconfig. You will be presented with the following options:

    gatekeeper[cherie]# cpconfig
    This program will let you re-configure
    your Check Point products configuration.

    Configuration Options:
    ----------------------
    (1)  Licenses
    (2)  Administrators
    (3)  GUI clients
    (4)  SNMP Extension
    (5)  Groups
    (6)  PKCS#11 Token
    (7)  Random Pool
    (8)  Certificate Authority
    (9)  Automatic start of Check Point Products
    (10) Exit

    Enter your choice (1-10) :

  8. Enter 5 to configure groups. You will be presented with the following output:

    Configuring Groups...
    =====================
    Check Point access and execution permissions
    -------------------------------------------
    Usually, a Check Point module is given group permission for access and execution.
    You may now name such a group or instruct the installation
    procedure to give no group permissions to the Check Point module.
    In the latter case, only the Super-User will be able to access and execute the Check Point module.

    Please specify group name [<RET> for no group permissions]:

  9. Type fwadmin and press Enter.

  10. The system will ask, "Group fwadmin will be used. Is this ok (y/n) [y]?" Press Enter to accept the default value y for yes.

  11. The group permissions will then be set on the $FWDIR directories, and you will see the confirmation message, "Setting Group Permissions... Done." on the screen. Then you will be presented with the cpconfig menu again, as in step 7. Type 10 to exit the configuration tool.

  12. You will now be presented with the option of restarting FireWall-1 services. Press Enter to accept the default setting y for yes.

Warning

With Check Point FireWall-1 Next Generation, this process doesn't seem to work properly. Although the $FWDIR group permissions are changed, a user in the fwadmin group receives errors when trying to run fw commands.

In order to set group permissions on files and directories from the command line, use the chgrp tool. For example, if you want to set the fwadmin group on all files and directories under the $FWDIR/bin directory, you could change directories into the $FWDIR directory and issue the command chgrp -R fwadmin bin. The capital R will cause a recursive change on all files and directories under the bin directory, inclusive.

Two groups are created by default on your Nokia Security Platform: the other group and the wheel group. Any users without full system access, such as monitor, will be members of the other group by default. Your admin user will be a member of the wheel group. If you want your other users to have the ability to use the su command (this command, short for superuser, allows users with limited privileges to become the admin or superuser on the system), you will need to add them into the wheel group.

Note

Use the following syntax in CLISH to add a user to the wheel group:
Nokia> add group wheel member camon
Nokia> show group wheel
GID Members
0 admin,camon,root
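The two privilege paths this section describes, a UID of 0 (the same rights as admin, from the Other Users section) and membership in the wheel group (the ability to su to admin), are what an administrator should audit after creating accounts. The following POSIX shell script is an added example, not from the book: it reads passwd- and group-format text (copies pulled from the appliance, or the constructed sample below) and lists every UID-0 account, every wheel member including accounts whose primary GID is wheel's, and any UID-0 account not on an expected list. The sysadmin account in the sample is constructed with UID 0 so the audit has something to flag.

```shell
#!/bin/sh
# Added audit example (not from the book): list the UID-0 accounts and
# wheel members on an IPSO/UNIX system from passwd/group-format text.

# Print every account whose UID is 0 (fields: name:pw:uid:gid:gecos:home:shell).
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Print wheel members, including accounts whose primary GID is wheel's GID
# (those are not listed in the group file's member field). Args: passwd group.
wheel_members() {
    wheel_gid=$(awk -F: '$1 == "wheel" { print $3 }' "$2")
    {
        awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v g="$wheel_gid" '$4 == g { print $1 }' "$1"
    } | sort -u
}

# Print UID-0 accounts not in the expected list; exit status 1 if any exist.
unexpected_superusers() {
    pw=$1; shift; found=0
    for u in $(uid0_accounts "$pw"); do
        ok=0
        for e in "$@"; do [ "$u" = "$e" ] && ok=1; done
        [ "$ok" -eq 1 ] || { echo "$u"; found=1; }
    done
    return $found
}

# Constructed sample data: the admin, monitor and camon accounts from the
# text, the wheel group as `show group wheel` printed it, and a sysadmin
# account given UID 0 and primary GID 0 (the thing an audit should flag).
SAMPLE_PASSWD=$(mktemp); SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Root:/root:/bin/csh
admin:*:0:0:Admin:/var/admin:/bin/csh
monitor:*:102:10:Monitor:/var/monitor:/bin/csh
camon:*:104:10:Camon:/var/camon:/bin/csh
sysadmin:*:0:0:Sysadmin:/var/sysadmin:/bin/csh
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
wheel:*:0:admin,camon,root
other:*:10:
fwadmin:*:100:sysadmin
EOF
echo "UID-0 accounts: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "wheel members:  $(wheel_members "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | tr '\n' ' ')"
extra=$(unexpected_superusers "$SAMPLE_PASSWD" root admin) || echo "unexpected UID-0: $extra"
```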

The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240