-- Stanford Linear Accelerator Center

SLAC Root Access Request

 UNIX at SLAC
Security at SLAC
Updated: 25 April 2001
--

When files are shared via NFS, the various systems involved must be administered in a coordinated fashion to preserve the integrity of the files and the security of the hosts. To ensure such coordination, we restrict access to SLAC's central file servers to hosts meeting certain requirements. The database of such hosts is called the SLAC Netgroup.

For UNIX platforms supported by SCS (currently AIX, Solaris, and Linux), the easiest way to satisfy these requirements is to turn over the system administration responsibility to us. We will run several cronjobs on your system (including "taylor" and "emergency"). These scripts maintain consistent configurations (including passwd files) across all SCS-administered systems at SLAC, and can be used to install some software updates, such as security patches. We will also login as root to diagnose and correct problems when necessary.

If you need root access on your machine (e.g., in order to install special software), you may still be able to run taylor and our other cronjobs and share the system administration responsibility with us. Use the Additional Information field below to outline your specific needs and describing your level of UNIX experience.

The permission granted to be part of the SLAC Netgroup is for the machines and operating system levels that have been scanned and/or validated. If you remove the system from the network, you should contact unix-admin to request that the machine be removed from the SLAC Netgroup. If you replace the system (for example replacing a SunOS system with a Linux system), or substantially upgrade the OS (for example SunOS to Solaris), you are responsible for reapplying for membership in the SLAC Netgroup.

Machines in the SLAC Netgroup will be re-scanned for security problems regularly to insure that they continue to meet the current security requirements (which may change from time to time).

To request access to SLAC's central NFS file servers, please enter the following information for this system and its administrator.

Administrator's full name:
Phone extension
EMail address
Hostname to be granted access
Operating System and Version
Additional Information
Check this box and press if you agree to have SCS administer your system. You need not fill out the rest of this form if you so agree. (This option is available for Solaris, AIX, and Linux.)

If you choose not to have SCS administer your system, you are expected to enforce the security requirements of sharing files via NFS, as described below.

The numeric uid and gid associated with a UNIX file determine its owner and group; thus when files are shared via NFS, it is essential that uids and gids be assigned consistently across the different systems involved. Furthermore, the risk to the rest of the site is significant if a break-in should occur on a host with NFS access. Accordingly, SCS requires that the system administrators of all hosts that mount filesystems from SLAC's central NFS servers file meet the following requirements. Please check each item to signify agreement. Please read the Details section that follows if you are not sure what each point entails.

Yes No I agree to grant SCS root access to the machine for responding to emergencies; and permit SCS to perform routine monitoring on the machine. I have already installed the root-scs account as detailed below.
Yes No I agree to abide by the rules below for local account management by (choose one):
  Running NIS for account management and creating no local accounts.
  Running NIS for account management and also creating one or more local accounts, following the rules below (please describe the local accounts needed in Additional Information field, above).
  I do not plan to run NIS (please explain how you plan to manage your local accounts in Additional Information field, above).
Yes No I agree to maintain a reasonable level of security on the system, as determined by SCS (e.g., applying appropriate security patches)
Yes No I agree to periodic security scans by the SCS Security Team, and to comply promptly with requests to remove vulnerabilities. I hereby request an initial scan of the machine to determine compliance before NFS access is granted.


Press this button to agree to these conditions and to send this request to SCS.

Details

If running taylor is not feasible (either because it does not support your platform or because you need greater autonomy to configure your system), then it is up to you, as the system administrator, to enforce the above four requirements. We rely on you to make a conscientious, good-faith effort to abide by the spirit of the above requirements as well as complying with the detailed, but inevitably incomplete, rules outlined below. If you fail to do so, we reserve the right to remove NFS access for your machine without notice (note that this will require that we reboot or shutdown your machine).

Guard the root Password

You must exercise reasonable caution with the root password, e.g., you must not choose a weak password nor give it to users who have not agreed to these requirements and you must change it at least every six months.

Coordinate Account Management

We strongly recommend that you run NIS and use our central passwd and group files to define all or most of the accounts needed on your machine. Note that it is possible to use only certain entries from the NIS passwd file and to override some, though not all, fields from the NIS entry for a particular account. However, if you do use our passwd file, you will need to ensure that your users can access either their central home directories, or local home directories using the path specified in that file. You may also need to install one of the popular alternative shells, such as tcsh or bash, that might be needed by some of your users.

If you need to create any local accounts or groups (other than the special root-scs account described in point 2., below) you must obtain agreement from all of those who will be acting as system administrators for the machine to all of the following requirements:

  1. You must consult with SCS before changing any of the special-purpose low-numbered accounts or groups that are provided by the OS vendor.
  2. There must be a SLAC contact (i.e., someone who has signed SLAC's "Computer Account Responsibilities" form and is in the SLAC personnel database) for every local account. If no one else can be identified, you, as the system administrator, will be that contact and might be held responsible for the actions of any non-SLAC user to whom you have given an account. (Thus, you may want to ask your users to obtain a central UNIX account, in which case there may be no need to create a local account for them.)
  3. You must take care not to compromise the uid- and gid-based security of our NFS file servers. This means that each such account or group must either:
    1. be totally disjoint from any account or group that appears in our NIS passwd and group files, i.e., no duplication of username, uid, groupname or gid between the entry in your local passwd or group files and any accounts in our NIS databases (to insure that uids and gids will never conflict, you must use numbers from 20000 on); or,
    2. duplicate the username and uid, and specify compatible group information, for an entry in our NIS databases (provided, of course, that this account is created for the same person who owns the corresponding NIS account). "Compatible group information" means that the local account must not belong to any NIS groups that the NIS account does not belong to, and that the primary group for the local account must either be a local group or else the same as the primary group of the NIS account. You may also add memberships to additional local secondary groups.
  4. You may install special-purpose user accounts or groups required by third-party software; however, you must exercise reasonable caution and good judgment to avoid compromising NFS security. If you have any doubts about a piece of software or its installation procedures, please contact SCS for advice.

Maintain Security

You must maintain the system with a reasonable degree of security, as determined by SCS. This requirement includes but is not limited to, such things as regularly installing security patches, removing or disabling local accounts when users leave SLAC, reporting suspicious activities to SCS, etc.

You must also contact the SLAC Security Officer (security@slac.stanford.edu) to arrange an initial scan before your system is granted NFS access. If your machine is capable of booting more than one operating system (e.g., both Linux and Windows NT), you must so inform the Security Officer, and arrange to have it scanned when running each such OS. Thereafter, the Security Officer may rescan your machine from time to time. If you are concerned that such scans might disrupt mission-critical functions, you may contact the Security Officer to arrange mutually agreeable times to carry them out.

Grant SCS Root Access

You must add a local account (or, possibly in the future, several local accounts) as described in the file, 

  /afs/slac/service/admin/non-scs/passwd/passwd

This file will contain one or more standard passwd file entries including encrypted passwords. You must install them according to the normal procedures on your system (including whatever steps are necessary to move the passwords to a more secure "shadow" passwd file, if available). One of these accounts will be named "root-scs" and will have both uid and gid of zero, making it, for most purposes, equivalent to the real "root" account on your system.

You must also agree to update these accounts (e.g., with new encrypted passwords) when notified by SCS.

Page owner: Chuck Boeheim