# groupie - Version 1.1 # # Overview # This program provides a handy dandy front-end for group-based # permission schemes. By setting the permission bits on "important" # executables to 750 (-rwxr-x---), and setting the group ownership to # a reasonable groupname... it becomes possible to control access to # important programs by controlling which users are allowed into which # groups. This program helps manage the users and groups. # # Not all groups need to be managed by groupie. The original intention for # this program was to limit access to licensed and potentially sensitive # software (e.g. database query software, etc.) Note that the group-id # assigned via the passwd file cannot be revoked or changed by groupie. # # When users are granted (or revoked) access to new groups, the changes # become effective for their NEXT login session. Active login sessions # will not be affected by changes in the group file (from a permissions # perspective.) # # Groupie can be used to make modifications directly to the /etc/group # file, or to a group file located elsewhere - if you're concerned about # having a program named "groupie" massage your /etc/group. Groupie does # not make any provisions for NIS/YP. Groupie users will have to perform # the appropriate yppush or "/var/yp/make group" commands manually. # # If group ownership and permissions are set properly, you'll no longer # have to go shoot the weenie who checked out all your Framemaker licenses # when he shouldn't even have access to Framemaker. The janitor won't be # able to fiddle with his stock portfolio using Lotus and Sybase, either. # # Groupie is written in Tcl/Tk. Version 7.3 of Tcl and version 3.6 of Tk # are the current releases... get them if you don't already have them. # The best site for Tcl/Tk stuff is harbor.ecn.purdue.edu, in /pub/tcl. # No Tcl extensions are required for groupie, and as far as I can tell, # there are no conflicts between any Tcl extensions (TclX, blt, itcl, etc.) # and groupie. Please let me know if you find any. # # Tcl/Tk was written by John Ousterhout while at UC/Berkeley. If you don't # know Tcl, then buy his book, read his book. Do not pass GO, do not # collect $200 until you are done with his book. The title is "Tcl and # the Tk Toolkit" and it was published by Addison-Wesley. It is as good # as an O'Reilly book. # # Functional Overview # This is a simple program. If you're getting confused, it's not because # it's complicated... it's because my explanation stinks! Please send me # a note pointing out the confusion so that I can save the next person # from suffering through my lousy explanation. # # There are two cross-reference files that determine which users belong to # which groups. # # The first file, function2group, maps job functions to UNIX group names. # For example, a "stocktrader" job function needs access to sybase, # lotus, reuters, and marketvision. A "programmer" job function needs # access to compiler and guibuilder. A "secretary" needs frame and fax. # # The second file, users2group, maps users to their job functions. Users # may have more than one function. User "jones" has both "stocktrader" # and "backoffice" responsibilities, so he is allowed into the union of # groups defined by "stocktrader" and "backoffice." # # The file $HOME/.groupie, if it exists, is used to hold the location of the # configuration files used by groupie. Absolute pathnames are highly # recommended when defining these files. If $HOME/.groupie does not exist, # then an information-gathering screen will pop up and force the user to # enter the pathnames of the configuration files. # # The groupie program reads these two files and it displays the users and the # groups that they are allowed into. The program then looks for a file # containing custom changes. This "custom changes" file is used to permit # or deny access to particular groups in spite of what the two cross- # reference files contain. The custom changes file merely contains a bunch # of commands that invoke user checkbuttons. Custom changes are immediately # obvious on the main screen since the foreground color of the corresponding # button is changed to orange. # # Groupie permits modifications to the function2group and user2function # files. There are buttons on the main screen to bring up a modification # screen. There are two other buttons on the main screen: one is to erase # all the custom changes (i.e. users' permissions are based solely on the # cross-reference files), and the other is to save the current state of the # main window to the group file. The group file can be either /etc/group # (i.e. the real thing) or a copy of it (i.e. like the one I provided in the # SampleFiles directory.) # # Usage # It doesn't get any simpler than this... the command is "groupie" with no # command line arguments. # # Installation # 1) Install Tcl/Tk if you don't already have it. # 2) Make sure that groupie has execute permission (chmod +x groupie.) # 3) Make sure that the first line of groupie points to the "wish" # executable. # 4) enter the command "./groupie" # 5) If you still have the "SampleFiles" directory supplied with the # groupie distribution, then you can try out the sample files. # 6) If you are not using the real /etc/group file, then you will have # to manually move your group file to /etc/group after you save your # changes. # 7) Edit your group (whether /etc/group or whatever) to include group # names that refer to the software packages you want to control. # The SampleFiles directory gives some reasonable examples. # 8) Groupie does not do yppush, so if you run NIS, then you have to # yppush (i.e. "/var/yp/make group") manually. # 9) Groupie is intended for system administrators, but it is possible # to create a new group that has permission to modify the config # files (including /etc/group) and permission to run groupie if it # makes sense for your permission-control to be performed by a non- # privileged user. # # Limitations # 1) Refer to items 6 and 7 in the Installation section above. # 2) Groupie will never modify permissions or ownership of any files. # 3) Groupie does not create new groups in the group file. It merely # adds usernames to the existing groups. # 4) There is no history file or mechanism to track changes. # 5) There is no nifty front-end to see which files are executable by # which group. I thought of two ways to do this, but I'm not too # excited about either one: # a) using "find", but it won't work in a network environment # and it would kill disk performance whenever it ran # b) using another configuration file... but that's just # another headache to keep track of # My hope is that your group names make it clear exactly which files # are accessible by each group. # 6) If you are running an old version of NFS (i.e. before 4.0), then # users are limited to a maximum of 8 groups. Newer NFS implementations # support 16 groups. If you get "NFS getattr failed/RPC Authentication" # errors, then you may be over the limit. # 7) Group entries are limited to 1024 characters if you run NIS. # # History # 10/06/94 Originally designed and cranked out by Peter Grina while his # family was traipsing around in sunny Italy. # 10/27/94 Version 1.0 released # 11/08/94 Version 1.1 - catch error if the initial touch command fails on # a configuration file. Added some more pearls of wisdom to this # fascinating documentation section. # # Support and Bug Fixes # This version of groupie is distributed as free software. Support will # be provided via EMAIL (consult@grina.com, or grina@cnj.digex.net) on a # whenever-I-have-time basis. I plan to provide bug fixes (at the very # minimum) for this program. # # Please contact me if you need a guaranteed support contract, if you need # custom modifications, etc. # # Peter A. Grina - Consulting # 456 South Horizon Way # Neshanic Station, NJ 08853 # # email: consult@grina.com # -or- grina@cnj.digex.net # fax, answering machine: (908) 369-6852 # # Once again, PLEASE USE EMAIL FOR SUPPORT QUESTIONS AND BUG REPORTS (unless # you have a support contract.) # # Copyright Notices # The groupie distribution is covered by the following copyright: # Copyright(c) 1994, Peter A. Grina. All rights reserved. # # The permission to use and the disclaimer for groupie are the same # as those for Tcl/Tk, but substitute "Peter A. Grina" in place of # "University of California," and take note that I don't have any Regents. # # The Tcl/Tk distribution is covered by the following copyright: # Copyright (c) 1991-1993 The Regents of the University of California. # All rights reserved. # # Permission is hereby granted, without written agreement and without # license or royalty fees, to use, copy, modify, and distribute this # software and its documentation for any purpose, provided that the # above copyright notice and the following two paragraphs appear in # all copies of this software. # # IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR # DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING # OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE # UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH # DAMAGE. # # THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS # ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATION # TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. # #EOF (end of fluff)