The old account configuration using the xhier package setpw
This page is really just history...
How do restricted shells get put into a passwd file
Specifically, how does a user's shell become equal to /software/setpw/servers/restricted?
The answer is provided by the setpw-config man page. The setup in the CS environment is described by the setpw-config-old man page.
The users listed, one per line, in the file /software/setpw/data/config/non-restricted-users on a regional client for which the passwd file is built are the users who get a standard shell rather than /software/setpw/servers/restricted; every other user in that passwd file gets the restricted shell. Note the emphasis on the word built: it means that the setpw client's hostname appears on a line of its own within a file on the setpw regional master (in the student xhier region this is cs-teaching.cs.private and in the core region cs-general.cs.private) in the directory /software/setpw/data/config/hosts/ whose name has the form hosts.some-name.rebuild.restrict, where some-name is usually chosen to be informative. Only a client listed in such a file has the restriction applied when its passwd file is built. (However, password files are no longer built and distributed in this fashion.)
The management of the non-restricted-users file
The graphics lab in MC6055 and the Nortel Lab (room number escapes me?) are two labs in which access is restricted to specific users. Since both of these labs have uniform architectures it is not necessary to build the passwd file on each of the hosts, but only on one of them, and then use the rdist mode of passwd distribution, that is, copying the files over. As the build process can consume valuable CPU power, the build hosts are not machines in the lab.
On student.cs the non-restricted-users files are generated whenever the accounts-client command is executed, although the exact path to that end goal is quite twisty.
Dissection of sample accounts-client output
A sample run on cscf.cs:
accounts-client student.cs
make_remote_accounts: Start processing Wed Dec 13 11:06:39 EST 2006 ...
###################### Doing sponsored machines. Wed Dec 13 11:06:39 EST 2006
================= Wed Dec 13 11:06:41 2006 (2 seconds) student.cs
==== starting pid=15641 sponsor_aliases +f on student.cs ==== Wed Dec 13 11:06:42 EST 2006
==== doing alias_update ==== Wed Dec 13 11:06:42 EST 2006
==== finished sponsor_aliases on student.cs ==== Wed Dec 13 11:06:43 EST 2006
================= Wed Dec 13 11:06:43 2006 (2045 seconds) student.cs
==== starting pid=15662 sponsor_accounts +f -Groupcheck admin=cscf on student.cs ==== Wed Dec 13 11:06:44 EST 2006
==== checking id registry status ==== Wed Dec 13 11:06:44 EST 2006
==== doing account_update -Groupcheck ==== Wed Dec 13 11:06:44 EST 2006
sponsor_accounts: Update unchanged from last time
sponsor_accounts: Doing update anyway (because of +Force)
sponsor_accounts: distributing the passwd file to setpw clients ==== Wed Dec 13 11:06:47 EST 2006
sponsor_accounts: creating missing home directories ==== Wed Dec 13 11:16:36 EST 2006
sponsor_accounts: updating disk quota ==== Wed Dec 13 11:24:07 EST 2006
/software/accounts/maintenance/mkquota not found. Type '?' for a list of commands
sponsor_accounts: creating course directories ==== Wed Dec 13 11:27:36 EST 2006
sponsor_accounts: updating personal groups ==== Wed Dec 13 11:34:18 EST 2006
sponsor_accounts: running regional host-specific step ==== Wed Dec 13 11:34:18 EST 2006
========== setting restricted login users === Wed Dec 13 11:34:20 EST 2006
========== running update-mail-redirection === Wed Dec 13 11:34:33 EST 2006
update-mail-redirection FYI: updating the list of userids.
update-mail-redirection FYI: no changes, so not updating system mail aliases.
========== removing old truncated home-directories === Wed Dec 13 11:38:04 EST 2006
========== building truncated home-directories === Wed Dec 13 11:40:23 EST 2006
========== running mkfinal-windows-home === Wed Dec 13 11:40:44 EST 2006
========== creating //windows2000 directories === Wed Dec 13 11:40:45 EST 2006
========== mkfinal done === Wed Dec 13 11:40:48 EST 2006
==== finished sponsor_accounts on student.cs ==== Wed Dec 13 11:40:48 EST 2006
###################### Done. Wed Dec 13 11:40:48 EST 2006
The accounts-client command is a C program that calls /software/accounts-master/servers/make_remote_accounts which, in turn, runs the script student.cs:/.software/regional/accounts/config/regional/mkfinal on student.cs (RCSed on student.cs). mkfinal runs /.software/local/accounts/data/host/do_restrictions (also RCSed on student.cs), which is responsible for generating the non-restricted-users files for the various classes and, using rdist, copies each one to the client machines listed in the corresponding hosts.*.rebuild.restrict setpw configuration file.
It is possible to restrict logins for one or more classes to a set of restricted hosts, where by restricted we mean in the sense described in the setpw configuration files located in /software/setpw/data/config/hosts/. As an example consider the file /software/setpw/data/config/hosts/hosts.graphics.rebuild.restrict.
The command mkfinal uses the configuration file student.cs:/.software/local/accounts/data/host/config/restrictions (RCSed on student.cs). Specifically, we have (as of Tue Jun 12, 2007):
# Classes that are allowed to login to restricted machines
# Any changes take effect with the next "accounts-client student.cs".
# This configuration file is used on student.cs by the program:
# /software/accounts/data/host/mkfinal
# The first word on the line has to match the "*" in:
# /software/setpw/data/config/hosts/hosts.*.rebuild.restrict
commando cs445 cs446 cs447 cs645 cs646 cs647 ece451 ece452 ece453 se463 se464 se465
mc3007 cs445 cs446 cs447 cs483 cs645 cs646 cs647 cs683 ece451 ece452 ece453 se463 se464 se465
graphics cs488 cs679 cs688 cs689 cs446 cs446a cs646 cs779 cs788 cs788f cs788h cs798
The class file student.cs:/.software/local/accounts/data/host/classfile is the file that is processed to determine which users go into which non-restricted-users files. The format of the class file is
wtautz:sponsor-cscf:CSCF601:
where the entries after the userid, separated by :, list the classes the user is in. A user ends up in a lab's non-restricted-users file when one of those entries matches a class named on that lab's line of the restrictions file. In the case of CSCF staff some special provisions are made to allow them to be in the graphics list even though most of us aren't enrolled in the course.
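The flow described above (restrictions file plus classfile in, one non-restricted-users list per lab out, the lab name matched against hosts.<lab>.rebuild.restrict to find the clients it is rdist'ed to), as an added Python example. It is not the original do_restrictions or mkfinal code and every file content in it is a constructed sample. Two things are assumptions: the staff provision is modelled by treating the sponsor-cscf classfile entry as the marker that grants the graphics list (the page says a provision exists, not how it works), and accounts with uid below 1000 are taken to be system accounts outside setpw's scope. The audit function at the end is the check a practitioner wants after a build: everyone missing from the list must have /software/setpw/servers/restricted, and nobody on the list may.

```python
"""Added example (not the original do_restrictions/mkfinal): build each lab's
non-restricted-users list from the restrictions config and the classfile, find
the clients via hosts.<lab>.rebuild.restrict, and audit a client's passwd file.
All file contents below are constructed sample data."""
import re

RESTRICTED_SHELL = "/software/setpw/servers/restricted"
HOSTFILE_RE = re.compile(r"^hosts\.(?P<lab>[^.]+)\.rebuild\.restrict$")

# Constructed stand-in for .../accounts/data/host/config/restrictions
SAMPLE_RESTRICTIONS = """\
# first word = lab name, rest = classes allowed a standard shell there
graphics cs488 cs688
mc3007 cs445 cs446
"""
# Constructed stand-in for .../accounts/data/host/classfile (userid:entry:...:)
SAMPLE_CLASSFILE = """\
alice:sponsor-cs:cs488:
bob:sponsor-cs:cs445:cs446:
carol:sponsor-cs:cs135:
wtautz:sponsor-cscf:CSCF601:
"""
# Constructed stand-in for files under /software/setpw/data/config/hosts/
SAMPLE_HOSTFILES = {
    "hosts.graphics.rebuild.restrict": "gfx01.cs.private\ngfx02.cs.private\n",
    "hosts.general.rebuild": "cpu01.cs.private\n",  # built, but not restricted
}
# Constructed passwd excerpt as distributed to a graphics-lab client
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
alice:x:2001:100:Alice:/u/alice:/bin/tcsh
bob:x:2002:100:Bob:/u/bob:/software/setpw/servers/restricted
carol:x:2003:100:Carol:/u/carol:/bin/tcsh
"""
# ASSUMPTION: the page says CSCF staff get special provisions for the graphics
# list; here the sponsor-cscf classfile entry is taken as that marker.
STAFF_MARKER = "sponsor-cscf"
STAFF_LABS = {"graphics"}


def parse_restrictions(text):
    """lab name -> set of classes whose members keep a standard shell."""
    labs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lab, *classes = line.split()
            labs[lab] = set(classes)
    return labs


def parse_classfile(text):
    """userid -> set of the :-separated entries after it (trailing empty dropped)."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            userid, *entries = line.split(":")
            users[userid] = {e for e in entries if e}
    return users


def non_restricted_users(labs, users):
    """lab name -> sorted userids, i.e. the content of that lab's non-restricted-users."""
    lists = {lab: set() for lab in labs}
    for userid, entries in users.items():
        for lab, allowed in labs.items():
            if entries & allowed:
                lists[lab].add(userid)
        if STAFF_MARKER in entries:          # staff provision (assumed mechanism)
            for lab in STAFF_LABS & set(labs):
                lists[lab].add(userid)
    return {lab: sorted(ids) for lab, ids in lists.items()}


def restricted_hosts(hostfiles):
    """lab name -> client hostnames, from hosts.<lab>.rebuild.restrict files only."""
    hosts = {}
    for name, body in hostfiles.items():
        m = HOSTFILE_RE.match(name)
        if m:
            hosts[m.group("lab")] = body.split()
    return hosts


def labs_without_hosts(labs, hosts):
    """Labs with an allow-list but no hosts file: the list is never applied anywhere."""
    return sorted(set(labs) - set(hosts))


def audit_passwd(passwd_text, allowed, min_uid=1000):
    """(userid, shell) for each person whose shell contradicts the allow-list:
    unlisted users must have RESTRICTED_SHELL, listed users must not.
    Accounts below min_uid are assumed to be system accounts outside setpw's scope."""
    bad = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7 or int(f[2]) < min_uid:
            continue
        if (f[0] in allowed) == (f[6] == RESTRICTED_SHELL):
            bad.append((f[0], f[6]))
    return bad


LAB_LISTS = non_restricted_users(parse_restrictions(SAMPLE_RESTRICTIONS),
                                 parse_classfile(SAMPLE_CLASSFILE))
LAB_HOSTS = restricted_hosts(SAMPLE_HOSTFILES)

if __name__ == "__main__":
    for lab, ids in LAB_LISTS.items():
        print(f"{lab}: {ids} -> rdist to {LAB_HOSTS.get(lab, [])}")
    print("never restricted:", labs_without_hosts(LAB_LISTS, LAB_HOSTS))
    print("graphics mismatches:", audit_passwd(SAMPLE_PASSWD, set(LAB_LISTS["graphics"])))
```

Run it directly to see each lab's list and where it would be copied. On the sample data, carol is flagged for the graphics client: she is in no allowed class yet has a standard shell, which is exactly the mismatch the "built" caveat above can produce when a client is not listed in any hosts.*.rebuild.restrict file. labs_without_hosts reports mc3007 for the same reason: an allow-list exists for it but no hosts file names any client, so the restriction is never applied.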
--
WalterTautz - some time well before 12 Mar 2010