This chapter contains information on the tasks and tools that allow you to add and remove user accounts and set the level of security on your workstation. It covers the following major topics:
You can use the “Improve System Security” guide to help control the level of security on your system. See “Improve System Security” for further information.
The System Manager provides several options to help you, as the Administrator for your system, improve the system's security. In general, improving security means controlling and limiting access to the system by other users, including local users or users on remote systems on the network.
The “Improve System Security” guide lets you make the following settings:
Assign a password to the root account, if it doesn't already have one.
The most important method for improving security is creating a password for the root account. If the root account does not have a password, any person can log in to the root account and deliberately or inadvertently destroy files or directories that are essential for the system to operate.
Note: Make sure you remember the root password. The system does not provide a way to log in to the root account without its password. Assign passwords to each active user account on the system or lock unused accounts to prevent unauthorized people from logging in.
For active user accounts (accounts that are not locked and do not have a password), you can either ask each user for a preferred password or simply assign a password, which can be changed by the user later using the “Modify My Account Password” guide (available in the User Manager). For user accounts that are not currently being used, you can lock them to prevent unauthorized people from trying to use the accounts to log in to the system.
Disable Java or JavaScript for each user account, including the root account.
Java and JavaScript are commonly used programs that support certain features of the World Wide Web. When you use a browser to visit a Web site, your system can download and run a Java program without your being aware of it. Once on your system, the program has access to and can corrupt your files and directories. By disabling Java and JavaScript for a user account, you prevent this type of access.
Note: If the root account on the system does not have a password, your system is particularly vulnerable to Java and JavaScript programs. Make sure you either assign a password to the root account or disable Java and JavaScript for the root account. Disable logins to NIS accounts.
When you create a user account on the system, you have the option of creating a network access account if the system is connected to a network and if NIS is being used on that network. (See “Add a User Account”.) Users on the network can use those NIS accounts to log in to your system if NIS is turned on. If you want to limit access to your system to local users only, you can disable logins to NIS accounts.
Use shadow passwords.
When you create passwords for user accounts on the system, the system encrypts the passwords and places them in a special file. Any user on the system can view the file and see the encrypted passwords. This gives a user the opportunity to possibly decipher the passwords, thereby gaining unauthorized access to another user's account. To prevent any user but root from viewing the password file, you can have the system use a shadow password file. (A shadow password file contains encrypted passwords.)
Require passwords at login.
By requiring passwords, you can ensure that unauthorized people can't gain access to the system using an open user account. An open user account is an account that is neither locked nor has a password assigned to it. (As a rule, it's a good idea to either lock an account or assign a password to it.)
Disable the Visual Login Screen.
When you start up your workstation, by default you see a login screen with the names of all the user accounts on the system. (You may also see photographs representing user accounts, depending on how users customize their accounts.) By displaying information about the users, the login screen may provide information that unauthorized people can use to gain access to one or more of the user accounts. To prevent this from happening, you can disable the Visual Login Screen.
Disable privileged users.
The Privilege Manager, available in the System Manager, allows the Administrator to assign selected privileges, normally assigned only to the root user, to other users on the system. Depending on the privileges assigned, these other users may be able to affect essential operations of the system. To prevent this from happening, you can disable privileged users from being able to execute privileged Administrator tasks.
Protect new users' files.
This setting means that when you create a new user account on the system, the account's files are protected from other users on the system. Other users can view the account's files but only the owner of the account can make changes to the files.
Disable remote display.
By disabling remote display, you prevent applications running on remote systems from being able to display on your system's screen. Users can override this setting for their own login session on your system. See the disableXhost(1) reference (man) page for details.
Disable IP forwarding.
IP forwarding allows systems on a network to share information, such as hostnames and IP addresses, about one another. Unauthorized people may be able to use this information to breach the security of systems on the network. To prevent your system from sharing information about itself with other systems, you can disable IP forwarding.
Disable the Outbox Web Server.
The Outbox Web Server provides Intranet home pages for your system. You can view your Outbox page by selecting Internet > Browse > OutBox Page. You can also publish documents that they want others to be able to browse. (Click the help button provided on your Outbox Page for more information.) You may want to disable your Outbox Web Server to prevent other users from gaining information about or access to your system.
To open the “Improve System Security” guide, open the System Manager (if it isn't already open), select the Security and Access Control category, and click “Improve System Security.”
This section contains these topics:
For information about different user types and access privileges, see “About User Privileges” in Chapter 1.
Each person who uses this system regularly must have a personal login account. A login account gives a person a unique work area on the system (a home directory) where the person can store files and customize the desktop environment. The system automatically labels the work area and all files that the person creates with the person's login name. Each time a user begins a session on the system, the user types a login name and, if necessary, an associated password. For more information on logging in, see “Logging In to Your System” in Chapter 1. For information on creating a user login account, see “Add a User Account”.
The login account can also include a picture of the person. The picture represents the person's account as an icon on the login screen; the user can double-click the picture to log in to that account. For instructions on how to add a picture to a login account, see “Adding a Picture to a Login Account”.
In a situation where you want to share files freely with only some people who have accounts on the system, you can create a user group. The system lets you grant read, write, and execute permissions for a file or directory to three types of users: the file's owner, the members of a specific group of users, and all other users. Once you create a user group, you can set the permissions on all or some of your files so other members of your group can view or change them. For information about user groups, see “Managing User Groups”.
In a large, networked environment, the network administrator maintains a list of user login account information, and makes sure that no two people have the same user login name. Before you create login accounts in such an environment, consult with the network administrator.
Whenever you change account information about a person who has a login account on more than one system on the network, the person's account information is updated on only one system; the information on other systems remains unchanged.
If your network uses the optional NIS network management software, the network administrator maintains a master database of login account information on a special system called the NIS master. Only the network administrator can change information on the NIS master.
When you create a login account for a person whose account information is in the NIS master database, the “Add a User Account” guide does the following:
It fills in the appropriate information with information from the NIS database. For example, it fills in the user ID and the user's primary group. You can change this information for any account, and the account's owner can change some of this information. However, the changes apply to the local system only; they do not change the information in the NIS database.
It marks the account as a Network Access account. This means the person can log in to the system only when the network is working correctly and NIS is running.
If a person needs to log in to the system when it's not connected to the network (for example, if a person takes the system home for a period of time), you can convert the account by using the instructions in “Converting Between a Network Access Account and a Local Account”.
If your network uses the optional NIS software, the network administrator maintains a master list (located on a system on the network called the NIS master) of all users on the network and their account information. When you create an account on your system, the system automatically checks the NIS master to see if a user account with the same name exists in the master list. If it does exist, you have the option of making the account a network access or local (standalone) account. If it doesn't exist, you can make the account only a local (standalone) account.
When you create a network access account, that account's information is stored in the master list on the NIS master system. This means you can log in to your account on your system only when your system is connected to the network, and the NIS master system is up and running.
When you create a local access account, your system finds your account information on your own system. This means you can log in to the system regardless of whether it's connected to the network.
The User Manager displays the following information about existing user login accounts on the system.
The Login Name column shows the login name of each user.
The Full Name column shows the real name of the person who owns the login account.
The Group Name column shows the group to which the user belongs.
The User Manager also provides access to guides that let you add, modify, and delete user accounts, as well as assign and change user account passwords.
You can use the Get Info button to display detailed information about a user account. See “Viewing User Login Account Information” for more information.
You can create and add users to a group, but not delete users from groups or delete groups. See “Managing User Groups” for this information.
The Task menu contains these choices:
“Add Account” opens the “Add a User Account” guide, which lets you create a new user account on the system. This command is equivalent to the Add button. See “Add a User Account” for more information.
“Remove Account” opens the “Remove a User Account” guide, which lets you delete an existing user account from the system. This command is equivalent to the Remove button. See “Remove a User Account” for more information.
“Change Password” opens the “Modify Any Account Password” guide, which lets you change the password on a user's account. This command is equivalent to the Password button. See “Modify Any Account Password” for more information.
“Edit Account” opens the “Modify a User Account” guide, which lets you make changes to an existing user account on the system. This command is equivalent to the Edit button. See “Modify a User Account” for more information.
“Configure Auto Login” opens the “Configure Auto Login” guide, which lets you enable or disable automatic logins. When you enable auto login for a specific login account, that account is automatically opened when the system starts up.
“Configure Login Window” opens the “Configure Login Window” guide, which lets you control the display of the graphical login window (also known as the visual login window).
“System Manager” opens the System Manager window, which gives you access to all of the system administration interactive guides.
“Close” closes the User Manager window. Any changes you made using the guides are saved. This command is equivalent to the Close button.
The Help menu contains a list of help topics. To view a topic, choose it from this menu.
You can use the User Manager and the interactive Guides available through the System Manager to view, add, modify, or remove user accounts as well as to set or modify user account passwords. Click on one of these links for more information:
You can use the “Add a User Account” guide to create a user login account for a person. If your system is connected to a network, contact your network administrator for an approved login name and user ID; see “About User Login Accounts on the Network”.
If the System Manager is not already open, start it by choosing “System Manager” from the System toolchest. Select the category “Security and Access Control” and then click “Add a User Account.” The guide leads you through the necessary steps to create a new user login account.
After you create an account, an icon labeled with the user login name and other account information appears in the User Manager window and, when you log out, the icon appears on the login screen. The user can then log in to the account to use the system.
If you do not want this account to appear on the login screen, see “Configure Login Window”.
When you delete a login account from your system, the person who owns that account can no longer log in to your system. If the person has accounts on other systems, he or she can still log in to those systems.
You can delete a login account using the “Remove a User Account” guide. If the System Manager is not already running, open it by choosing “System Manager” from the System toolchest. Select the “Security and Access Control” category from the Table of Contents and then click “Remove a User Account.”
You can change system account information only for the system on which you are running the “Modify a User Account” guide.
If the System Manager is not already running, open it by choosing “System Manager” from the System toolchest. Select the Security and Access Control category and then click “Modify a User Account.” The guide leads you through the necessary steps to modify a user account.
You can create, change, or delete a user account's password. Any user can change the password on his or her own account. The root password is required to change the password on the root account.
To check if a user account has a password, you can open its User Account Info window. In the System Manager, choose “Security and Access Control” and then click “User Manager.” In the User Manager, select the user account and click the Get Info button. (You can also double-click the user account.) The User Account Info window for that account appears. If the account does not have a password, you see the word “No” next to “Password Set.” If the account has a password, you see the word “Yes.”
To create, change, or delete a password on an existing account, use the “Modify Any Account Password” guide. If you want to create, change, or delete the password for your own account, use the “Modify My Account Password” guide; the guide automatically selects your account to modify. You can access both of these guides from the “Common Tasks” field in a User Account Info window.
You can create, change, or delete your own account's password. Only you, the root user, and other privileged users can change the password on your account. The root password is required for root and non-root privileged users to change password on your account.
You can view information about user login accounts in the User Manager:
If the System Manager is not already open, start it by choosing “System Manager” from the System toolchest.
Select the category Security and Access Control.
Click “User Manager.”
Select the name of a user account and then click the Get Info button.
A User Account Info window appears and displays the user's login name, the user's full name, account type, password status, user ID, primary group, home directory, and default shell program.
When you add a picture to a user's login account, the picture appears in the login screen and the user can double-click it to log in to the system.
Follow these steps to add a picture to an account:
Ask the user to store a photo in a file on the system by either of these methods:
Use the Media Recorder tool to take the picture (if the system has a Digital Camera). To use the tool, click the word Media Recorder, and use its online help. (Clicking the word does not start the tool unless the tool is already installed on your system.)
Scan in an image on a system that has a scanner. Save the image in a Silicon Graphics Image file format.
Give the file the same name as the user's login name. For example, if the user's login name is “Mary” and she gives you a file named mary.rgb, rename the file mary.
Drag the file into the /usr/local/lib/faces directory.
Note: If /usr/local/lib/faces is not a local directory (that is, if it is an NFS-mounted directory), startup time is noticeably slower for applications that use the photo.
When you create a login account, you specify whether it should be a local (standalone) or network access account. At a later time, you may decide you want to convert the account from a network access account to a local account, or vice versa. For example, you may have set up a user login account on a system before it was connected to the network or before you installed and started running the optional NIS software.
Follow these steps to convert an account:
Open the User Manager by selecting the Security and Access Control category in the System Manager, and then clicking “User Manager” in the right-hand column.
Select the name of a user account and click the Get Info button.
A User Account Info window appears and displays information about the user account. Write down the user's primary group and home directory, and then close the User Account Info window.
Click Remove in the User Manager window.
The “Remove a User Account” guide appears and lets you remove the existing user login account.
Caution: Make sure you do not delete the user's files. Choose “Ignore the Files” when removing an existing account. If you are converting a local account to a network access account, give the network administrator the person's full name and login name. The network administrator uses this information to create a network access account on the NIS master system.
Re-create the deleted account using the “Add a User Account” guide. Use the same login name as before, but choose a different type of account (local or network access). Make sure that you use the user's previous home directory and that you use the previous user ID.
The person can now log in to the converted account. Remember that if the account is a network access account, the user can log in only when the system is connected to the network and NIS is running.
To create, change, and delete user groups, you must know the root password. Once the group exists, group members can use the “Modify File Permissions” guide to change permissions on their own files and directories to let other members of the group read or edit the files.
A person can belong to several groups, but only one group on this system is the person's primary group. To specify a person's primary group, see “Modify a User Account”.
Click on one of these topics for more information:
You can create a new group by editing the file /etc/group.
| Note: Do not change information for any of the special system groups that were on your system when it was new (groups with ID numbers between 0 and 100 and over 900). They are critical to system operation; changing them makes the system inoperable. |
To edit /etc/group, follow these steps:
Log in as root through a shell window.
Choose “Open Unix Shell” from the Desktop toolchest.
Position your cursor within the new window and enter
login root
If a prompt for a password appears, type the root password then press Enter. If a prompt appears but the root account has no password, just press Enter.
Edit the file.
Open the file with a text editor such as jot by typing
jot /etc/group
Then press Enter. For detailed information on using the jot text editor, choose a topic from its Help menu.
After the last line in the file, add a line that specifies the name and ID number of the new group. The entries that you see have this form:
group name:password:group ID #:members
The password and list of members is optional.
Create a name for your group that consists of eight or fewer lowercase letters and does not match any of the group names that you see in this file. Then choose a group ID number between 101 and 899 that does not match any of the group IDs in this file. For example, to create a group named drafting with an ID number of 105, add this line:
drafting::105:
Save your changes and quit jot.
Log out of the root account by typing
logout
Then press Enter. The shell window disappears.
You now have a new group that has no members. To assign users to this group, see “Adding Users to a Group”.
The Administrator typically adds users to or deletes users from a group. When you delete a user from a group, you do not delete that person's login account. The person no longer belongs to the group, and cannot access files that other group members have marked as accessible by group members.
| Note: Do not assign a user to any of the special system groups that were on your system when it was new (groups with ID numbers between 0 and 100 and over 900). They are critical to system operation; assigning a regular user to these groups severely compromises stable operation. |
Usually a user can belong to only one group.
You can assign a user to a new group and make it the user's primary group by using the “Modify a User Account” guide.
To assign a user to a new group, follow these steps:
Open the “Modify a User Account” guide.
If the System Manager is not already running, open it by choosing “System Manager” from the System toolchest. Select the Security and Access Control category and then click “Modify a User Account.”
Choose the name of the user account whose user ID you want to change.
On page 8 of the guide, assign a new primary group to the user account.
Click OK on the last page of the guide to implement the changes.
Ask the user whose group ID you changed to log out, then log back in.
When that user logs in, new files and directories will be labeled with the new group name.
The user whose group ID number you changed will now have read and execute permissions on all files created by members of the new group (unless a group member changes permissions on individual files).
When the Administrator deletes a group from your system, the group is no longer available for membership. This means people who used to belong to the group still have active user login accounts, but they are no longer members of a common group.
To delete a group, follow these steps:
Assign each member in the group you are deleting to another, pre existing group, so that there are no users using the group that you are going to delete. See “Adding Users to a Group”.
Log in as root through a shell window.
Choose “Open Unix Shell” from the Desktop toolchest.
Position your cursor within the new window and type
login root
Then press Enter.
If a prompt for a password appears, type the root password then press Enter. If a prompt appears but the root account has no password, just press Enter.
Edit the /etc/group file.
Open the file with a text editor such as jot by typing
jot /etc/group
Then press Enter. For detailed information on using the jot text editor, choose a topic from its Help menu.
Find the line that describes the group you want to delete. The entries that you see have this form:
group name:password:group ID #:members
Remove the line.
Save your changes and quit jot.
Log out of the root account by typing
logout
Then press Enter. The shell window disappears.
Ask all users who previously belonged to the group to log out, then log back in.
When they log in, new files and directories that they create will be labeled with the name of the new group to which you assigned them.
The group no longer exists. To create a new group, see “Creating a User Group”.
You can use the login-related interactive Guides available through the System Manager to configure the login procedure and the login window. Click on one of the links below for more information on that topic:
This guide allows you to designate a user for the auto login feature, which causes the system to bypass the login window and log in that user every time the system starts up.
In locations where security is an issue, it is generally not a good idea to enable the auto login feature.
A Privileged User can specify which accounts appear in the login window. By default, the login window shows only people who have a home directory on the system.
There are a number of administrative accounts on every system that are required by the system in order to run correctly. Typically no one should log in to those accounts; the manufacturer recommends that you do not display them in the login window.
A privileged user can use the Configure Login Window guide to customize the login window in a number of ways, including its size, the accounts displayed, and the way the various accounts are displayed.
Every time you create a new file, the system automatically identifies you as the file's owner, and assumes that you don't want other users on your system to change the file but you do want others to be able to read its contents. In this way, the system sets ownership and permission settings for the file.
Use the Permissions Manager to set and change file and directory ownership and access on your workstation. For further information, see “Permissions Manager”.
Each file on the system is owned by one login name, and has a list of who can and cannot access the file in different ways. You can use the permissions manager to set and change file and directory permissions.
When you set permission settings for a file or directory, you divide users on your system into three categories: you (the file's owner), your group, and everyone else.
The concept of a group is important in working environments that require an added level of privacy. For example, suppose you are part of a team that is working on a new product. You need to share files with others on the team, but you don't want people outside of the team to view or modify these files. You form a group. See “Creating a User Group” to learn how to establish and modify groups.
You can grant varying levels of permission settings for files and directories. The three levels for files are read, write, and execute.
Read allows other users on your system to view a file but does not allow them to edit it.
Write allows other users on your system to make changes to files.
Execute allows other users on your system to run applications and commands.
The three levels for directories are read, write, and execute.
Read allows other users on your system to view the files in a directory.
Write allows other users on your system to place files inside or delete files from the directory.
Execute allows other users on your system to pass through a directory on their way to another directory, and to view and search their contents.
For further information on the Permissions Manager, click on the appropriate link:
“How To” contains details on how to perform tasks with the Permissions Manager.
“Permissions Manager Reference” contains details on the Permissions Manager graphical interface
Click on one of the links below to find out how to perform that task in the User Manager:
The Permissions Manager allows you to change the permissions on one or more files and directories. Follow these steps to change permissions on a file or directory:
Open the Permissions Manager.
If the System Manager is not already running, open it by choosing “System Manager” from the System toolchest. Select the Security and Access Control category and then click “Permissions Manager.”
Drag and drop files and directories into large text area labeled “Files and Directories” in the middle of the Permissions Manager window.
Text fields showing the file's current ownership appear in the User Name and Group Name fields. To see a list of all users, edit the /etc/passwd file. To see a list of all groups, edit the /etc/group file.
Current permissions appear in the boxes labeled “Read,” “Write,” and “Execute.”
To change ownership of the file or directory, type a different user name or group name in the text field. This entry can be the name of a local or NIS user or group. If you leave the text field for user or group blank, it will revert to its original setting.
Click the boxes labeled “Read,” “Write,” and “Execute” to add or remove permissions.
r, w, x in the box indicates permission has been granted; a colored dash (-) indicates permission has been revoked.
Use the text fields and boxes beneath the colored area to change permissions or ownership for all of the files and/or directories currently listed in the /etc/passwd or /etc/group files.
The Permissions form lets you find out who owns a file or directory:
Select the file or directory icon.
Choose “Change Permissions” from the Selected toolchest.
The Permissions Manager window appears. The name of the file's owner appears in the User Name text field.
You can use the Permissions Manager to limit access to your files by other users (in other words, users who are not members of your group). See “Permissions Manager” for an explanation of groups.
To prevent other users from viewing, making changes to, or executing (running) a selected file you own, follow these steps:
Select the file and choose “Change Permissions" from the Selected toolchest.
If the file does not appear in the window, drag and drop it in the Files and Directories section of the window.
In the field labeled “Others,” click the “Read,” Write” and “Execute” boxes so that a colored dash (-) appears in each.
Caution: Do not remove your ability to access the file; in other words, do not click the boxes in the User field. Click the Apply button at the bottom of the window.
Other users will no longer be able to view, make changes to, or execute (run) the file or directory you selected.
The Permissions Manager contains the following global text fields and individual text fields.
Global text fields appear next to “Change all files/directories:” at the bottom of the Permissions Manager window. You can use them to set the owner (user) and group permissions for all files and directories listed in the /etc/passwd or /etc/group files. For example, if you set the user owner to root, all files and directories listed in the /etc/passwd file are assigned the user owner root.
The User Name text field allows you to set the user owner for all files and directories.
The Group Name text field lets you set the group owner for all files and directories.
The read/write/execute toggles allow you to turn the read, write, and execute permissions on or off for all files and directories. A dash (-) indicates that the permission is turned off; a letter (r for read, w for write, and x for execute) indicates permission is turned on; an empty toggle indicates that the permissions for all files or directories have not been set globally and are mixed (for example, one file is writable, but another is not).
Individual text fields appear in the main field in the Permissions Manager window. They allow you to set the owner and permissions for individual files and directories.
The Group Name text field lets you set the group owner for an individual file or directory.
The read/write/execute toggles allow you to turn the read, write, and execute permissions on or off. A dash (-) indicates that the permission is turned off; a letter (r for read, w for write, and x for execute) indicates permission is turned on. When you change the permissions, the color of the letter is different from the default. (The exact color differs depending on your desktop color scheme; the standard colors are black for existing permissions, red for changed permissions.)
The action buttons have the following functions:
Add File To List - Launches the File Browser, which allows you to add files to the list displayed in the Files and Directories field
Remove Selected Files From List - Removes the files and directories that you have selected from the list
Apply - Applies the changes you have made in the Permissions Manager window
Reset - Changes all of the toggles and menu buttons back to their original values
Cancel - Closes the window
You can use the Shared Resource Manager or the interactive Guides available through the System Manager to decide which of your workstation's files and devices are available to remote users. Click on one of the links below for more information on that topic:
The Shared Resource Manager displays which directories, media, and printers on your workstation are currently being shared (in other words, made available to remote users on other workstations on the network).
You can use the Directory, Media, or Printers buttons in the Shared Resource Manager to share any of your local resources with other users on the network. Selecting a resource in the list and clicking the Stop Sharing button removes the resource from the list and prevents it from being shared.
For further information on the Shared Resource Manager, click on the appropriate link:
“Sharing Media Devices and Printers With Other Systems” contains details on sharing media devices and printers.
“Shared Resource Manager Reference” contains details on the Shared Resource Manager graphical interface.
When you share media devices or printers with other systems, users on those systems can open the media device or printer icon on their own desktop and access it as if the device resided on their own system.
| Note: You may not be able to share devices connected to systems running IRIX version 5.3 or 6.2. |
To share a media device or printer so users on other systems can access it, follow these steps:
Select “On This Workstation” from the Shared Resources menu in the Desktop toolchest.
The Shared Resource Manager appears.
Click on the Media or Printers button.
The Share Removable Media or Share Printers guide appears.
Note: If your system requires a root password, you will be asked to enter it first. Follow the instructions in the guide to share the device or printer.
After you complete the task, you can check to make sure the directory is shared by selecting “On This Workstation” from the Shared Resources menu in the Desktop toolchest. This opens the Shared Resource Manager that displays all the shared resources on your system.
The Shared Resource Manager contains these items:
| Resource List | Lists all the resources of your workstation currently being shared (in other words, made available to other users on the network). | |
| Directory button | Launches the Start Sharing a Directory guide. For further details, see “Start Sharing a Directory”. | |
| Media button | Launches the Share Removable Media guide. For further details, see “Start Sharing Removable Media Devices” in Chapter 3. | |
| Printers button | Launches the Start Sharing Printers guide. For further details, see “Start Sharing Printers” in Chapter 3. | |
| Stop Sharing button | Launches the Stop Sharing guide for whichever item you have selected (Stop Sharing Directory guide if you have selected a directory, and so on). For further details, see “Stop Sharing a Directory”, “Stop Sharing Removable Media Devices” in Chapter 3, or “Stop Sharing Printers” in Chapter 3. | |
| Action buttons | Close closes the window; Help launches the help for the Shared Resource Manager. |
When you share directories with other systems, users on those systems can open the directory on their own desktop and access it as if the directory resided on their own system.
To share a directory so users on other systems can view or change its contents, follow these steps:
Select the directory you want to share and choose “Share with Network” from the Selected toolchest.
The “Start Sharing a Directory” guide appears.
Follow the instructions in the guide to share the directory.
After you complete the task, you can check to make sure the directory is shared by selecting “On This Workstation” from the Shared Resources rollover menu in the Desktop toolchest. This opens the Shared Resource Manager that displays all the shared resources on your system.
You can also share files and directories on the Web using OutBox by choosing “Publish to Outbox” from the Selected toolchest.
When you stop sharing directories with other systems, users on those systems can no longer open the directory on their own desktop and access it as if the directory resided on their own system.
To stop sharing a directory, follow these steps:
Select the directory you want to stop sharing and choose “Stop Sharing” from the Selected toolchest.
The “Stop Sharing a Directory” guide appears.
Follow the instructions in the guide to stop sharing the directory.
After you complete the Stop Sharing a Directory task, you can check to make sure the directory is not shared by selecting “On This Workstation” from the Shared Resources menu in the System toolchest. This opens the Shared Resource Manager that displays all the shared resources on your system.
For further information, see “Start Sharing a Directory” and “Shared Resource Manager”.
If you have the optional NFS software installed and turned on (to check, see “Set Up and Start NFS” in Chapter 5), you can let people who are logged in to other systems on the network access specific directories on your system from their local desktops. This is called sharing a directory, and it essentially means you are sharing your disk space.
You need to perform two separate tasks to share a directory:
Use the “Permissions Manager” to make the directory that you want to share accessible to other users. Click the icon for the directory that you want to share, then click the right mouse button and choose Change Permissions.
Use the “Start Sharing a Directory” guide to share the directory with other users on the network. To open the guide, choose System Manager from the System toolchest, select the Security and Access Control category, and then click “Start Sharing a Directory.” The guide appears and leads you through the necessary steps.
To stop sharing a directory, use the “Stop Sharing a Directory” guide, available in the Security and Access Control category in the System Manager.
You can also access the “Start Sharing a Directory” and “Stop Sharing a Directory” guides from the Shared Resources Manager, available in the Security and Access Control category in the System Manager.
The Privilege Manager and related guides let you, as the Administrator of your system, determine whether other users on the system can perform system administration tasks. You do this by enabling privileges on your system and then assigning privileges, either all of them or selected ones, to individual users. You can also delete privileges for individual users or disable privileges for the entire system (this prevents any user but the Administrator from performing system administration tasks).
| Note: If the root account on your system does not have a password, privileges are enabled by default. This means that any user on the system can perform system administration tasks. |
To open the Privilege Manager, choose System Manager from the System toolchest, select the Security and Access Control category, and then click “Privilege Manager.”
By enabling privileges on your system, you assign a set of default privileges to all the users on the system. These default privileges allow users to view information about the system.
Click on one of the links below for more information on that topic:
When you open the Privilege Manager, you see the currently assigned privileges on the system. (If the window is empty, it means that the root account does not have a password or that you haven't enabled privileges on the system.)
See “Privilege Manager Reference” for details on the Privilege Manager graphical interface.
The Task menu contains these choices:
“Grant Privileges to a User” opens the “Grant Privileges to a User” guide, which allows you to assign all or selected privileges to individual users. This command is equivalent to the Grant button. See “Grant Privileges to a User” for information.
“Revoke Privileges from a User” lets you remove selected privileges from individual users. This command is equivalent to the Revoke button. See “Revoke Privileges From a User” for information.
“Enable Use of Granted Privileges” enables users who have been granted privileges to use them. This command is equivalent to the Enable button. See “Enable Use of Granted Privileges” for information.
“Disable Use of Granted Privileges” prevent users from using privileges that they may have previously been granted. The command prevents any user except the Administrator from performing system administration tasks. This command is equivalent to the Disable button. See “Disable Use of Granted Privileges” for information.
“System Manager” opens the System Manager window, which gives you access to all of the system administration interactive guides.
“Close” closes the Privilege Manager window. Any changes you made using the guides are saved. This command is equivalent to the Close button.
The View menu contains these choices:
“By User” lists the privileges for each user account on the system. It also lists the privileges available to all users on the system; see “Controlling System Administration Privileges” for more information.
“By Privilege” lists each privilege available on the system and includes the names of the users on the system who have been assigned the privilege. It also lists whether a privilege is a default privilege and thus automatically assigned to every user on the system; see “Controlling System Administration Privileges” for more information.
“By Task” lists privileges according to the individual tasks that require them. For example, to use the “Add an Outgoing PPP Connection” task, a user must be assigned the “Add Outgoing PPP” and “Test PPP Outgoing Existence” privileges.
Note: Be aware that some tasks have more than privilege associated with them. If you want to allow a user to perform a specific task, you must assign the user all the necessary privileges associated with that task. To view the privileges for each task, choose “By Task” from the View menu.
The View menu also includes the following options for viewing privileges:
“Hide Users With No Privileges” means that only user accounts that have been assigned privileges appear in the Privilege Manager window. This includes “All Users,” displays the default privileges.
“Hide Unused Privileges” displays default privileges and those privileges that have explicitly been assigned to a user or users. It does not display other privileges that haven't otherwise been assigned (either by default or explicitly).
“Hide Default Privileges” shows only the privileges that have explicitly been assigned to a specific user. It does not show any of the default privileges that are automatically assigned to other users when you enable privileges.
“Use Descriptive Privilege Labels” lists the tasks and privileges by their descriptive names.
The Help menu contains a list of help topics. To view a topic, choose it from this menu.
You can give individual users the ability to perform specific system administration tasks by using the “Grant Privileges to a User” guide. For example, you may want the user “joe” to be able to add a modem to the system and create an outgoing PPP connection. To allow “joe” to perform these tasks, you use the “Grant Privileges to a User” guide and grant privileges on a task basis, selecting “Add a Modem” and “Add an Outgoing PPP Connection” on the appropriate page in the guide.
You can open the “Grant Privileges to a User” guide using one of these methods:
Choose System Manager from the System toolchest. Select the Security and Access Control category and click “Privilege Manager.” In the Privilege Manager window, click the Grant button. The guide appears and leads you through the necessary steps.
Choose System Manager from the System toolchest. Select the Security and Access Control category and click “Grant Privileges to a User.” The guide appears and leads you through the necessary steps.
You can revoke privileges that you previously assigned to a user by using the “Revoke Privileges from a User” guide.
You can open the “Revoke Privileges from a User” guide using one of these methods:
Choose System Manager from the System toolchest. Select the Security and Access Control category and click “Privilege Manager.” In the Privilege Manager window, click the Revoke button. The guide appears and leads you through the necessary steps.
Choose System Manager from the System toolchest. Select the Security and Access Control category and click “Revoke Privileges from a User.” The guide appears and leads you through the necessary steps.
You can open the “Enable Use of Granted Privileges” guide using one of these methods:
Choose System Manager from the System toolchest. Select the Security and Access Control category and click “Privilege Manager.” In the Privilege Manager window, click the Enable button. The guide appears and leads you through the necessary steps.
Choose System Manager from the System toolchest. Select the Security and Access Control category and click “Enable Use of Granted Privileges.” The guide appears and leads you through the necessary steps.
You can open the “Disable Use of Granted Privileges” guide using one of these methods:
Choose System Manager from the System toolchest. Select the Security and Access Control category and click “Privilege Manager.” In the Privilege Manager window, click the Disable button. The guide appears and leads you through the necessary steps.
Choose System Manager from the System toolchest. Select the Security and Access Control category and click “Disable Use of Granted Privileges.” The guide appears and leads you through the necessary steps.