Difference between revisions of "creating a new user on Gaia via CLI"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
(switch to clish shell)
Line 11: Line 11:
  
 
== add user ==
 
== add user ==
  > add user jsmith uid 1005 homedir /home/jsmith
+
  > add user jsmith uid 0 homedir /home/jsmith
 +
 
 +
== set optional parameters ==
 +
> set user jsmith realname 'john smith' shell /bin/bash gid 100
  
 
== set password ==
 
== set password ==
Line 22: Line 25:
 
  > add rba user jsmith access-mechanisms Web-UI,CLI
 
  > add rba user jsmith access-mechanisms Web-UI,CLI
  
== set uid to root ==
 
# set user jsmith uid 0
 
  
 
I don't like setting the user to the root UID.  I think Check Point made a mess of the auth permissions as they have in the past.  Without setting the root uid above, a user can't run fw commmands like "fw stat".  
 
I don't like setting the user to the root UID.  I think Check Point made a mess of the auth permissions as they have in the past.  Without setting the root uid above, a user can't run fw commmands like "fw stat".  
Line 34: Line 35:
 
  -rwxrwx--- 1 admin bin 82 Apr  4  2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
 
  -rwxrwx--- 1 admin bin 82 Apr  4  2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
  
I will investigate adding the users to the bin group.  Also, I will add them to the users group.  The users group needs to be added to /etc/ssh/sshd_config "AllowedGroups" line.  All check point allows there is the root group.  Go figure.  Sounds insecure to me.
+
The users group needs to be added to /etc/ssh/sshd_config "AllowedGroups" line.  All check point allows there is the root group.  Go figure.  Sounds insecure to me.
 +
  
 +
When adding via the WebUI
 +
# cat /etc/passwd|grep jsmith
 +
jsmith:x:0:100:john smith:/home/jsmith:/bin/bash
  
 
  
 
[[category:gaia]]
 
[[category:gaia]]

Revision as of 23:14, 17 February 2014

where jsmith should be replace with your username


Contents

switch to clish shell

if you aren't here already or are at the expert prompt, just type...

[Expert@myfirewall]# clish
myfirewall>

Clish will give you the > prompt

add user

> add user jsmith uid 0 homedir /home/jsmith

set optional parameters

> set user jsmith realname 'john smith' shell /bin/bash gid 100

set password

> set user jsmith password

set roles

> add rba user jsmith roles adminRole

set access

> add rba user jsmith access-mechanisms Web-UI,CLI


I don't like setting the user to the root UID. I think Check Point made a mess of the auth permissions as they have in the past. Without setting the root uid above, a user can't run fw commmands like "fw stat".

error:

/opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied
# ls -l /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
-rwxrwx--- 1 admin bin 82 Apr  4  2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh

The users group needs to be added to /etc/ssh/sshd_config "AllowedGroups" line. All check point allows there is the root group. Go figure. Sounds insecure to me.


When adding via the WebUI

  1. cat /etc/passwd|grep jsmith
jsmith:x:0:100:john smith:/home/jsmith:/bin/bash