Administration files

The scope of the administration commands and system files that the siqadmin user has access to is defined in several list files.

These files are stored in the siqsec directory. Usually, you don't need to touch these list files because, by default, they cover all commands and files that the siqadmin user needs access to. The root user must extend these list files only if the siqadmin user requires further permissions to run additional commands, to edit additional system files, or to access additional files or directories:
List of commands: /siqsec/siqadmin.cmdlst
This file lists the file names of those executable programs on the AppStack that the siqadmin user is allowed to run.

For each listed file name, a command with the respective name must exist in either the /siq/bin directory or the directory given in the path specification. Empty lines in the file and lines starting with # are ignored.

For each listed file name, a command file is created in the /home/siqadmin/bin directory. This command file references the respective command in either the /siq/bin directory or the directory given in the path specification. The command files are created initially during installation and can be re-created at any time after installation by running a command. The administration commands in this directory serve as resources that allow the siqadmin user to run specific commands or scripts that would otherwise require root authority.

Only the root user can edit the /siqsec/siqadmin.cmdlst file. After updating this file, the root user must run the /siqsec/bin/vaultSetup.sh script so that the changes are reflected in the /home/siqadmin/bin directory.
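Because every entry in the command list becomes something the siqadmin user can run with root authority, it is worth checking the list before running vaultSetup.sh. The following script is an added example, not part of the product: the function name audit_cmdlst is hypothetical, and it assumes one entry per line, where an entry containing a slash is a full path and a bare name resolves in /siq/bin.

```shell
#!/bin/sh
# audit_cmdlst LIST [BINDIR]: report entries that are missing, not executable,
# or writable by group/others. Returns 1 if anything is reported, 2 if LIST
# cannot be read. Assumed entry format (not confirmed by the documentation):
# one entry per line; "/" in an entry means a full path, else BINDIR/name.
audit_cmdlst() {
    list=$1
    bindir=${2:-/siq/bin}
    status=0
    [ -r "$list" ] || { echo "UNREADABLE $list"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        # Trimming whitespace is this script's choice; empty lines and
        # lines starting with "#" are skipped, as the list format specifies.
        entry=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $entry in
            ''|'#'*) continue ;;
            */*) target=$entry ;;
            *)   target=$bindir/$entry ;;
        esac
        if [ ! -e "$target" ]; then
            echo "MISSING $target"; status=1
        elif [ ! -f "$target" ] || [ ! -x "$target" ]; then
            echo "NOT_EXECUTABLE $target"; status=1
        elif [ -n "$(find -H "$target" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            # Anyone who can modify the target controls what runs as root.
            echo "WRITABLE $target"; status=1
        fi
    done < "$list"
    return $status
}

# Constructed demo: a temporary bin directory and list, not real AppStack data.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/bin" || return
    : > "$tmp/bin/ok";    chmod 755 "$tmp/bin/ok"
    : > "$tmp/bin/loose"; chmod 775 "$tmp/bin/loose"
    printf '# sample list\n\nok\nloose\ngone\n' > "$tmp/list"
    audit_cmdlst "$tmp/list" "$tmp/bin"; demo_rc=$?
    rm -rf "$tmp"
    return $demo_rc
}
demo || true
```

On a real system the root user would call `audit_cmdlst /siqsec/siqadmin.cmdlst` and resolve every reported line before regenerating the command files.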

List of editable files: /siqsec/siqadmin.editlst

This file lists the file names of those system files on the AppStack that the siqadmin user is allowed to edit by using designated edit commands. See the list of Additional administration commands. These commands run the Linux sudoedit command to edit the respective system files. For detailed information about the sudoedit command, see the Linux man pages.

For each listed file name, a command file named in the format edit_directory_file is created in the /home/siqadmin/bin directory. The command files are created initially during installation and can be re-created at any time after installation by running a command. Empty lines in the file and lines starting with # are ignored.

Only the root user can edit the /siqsec/siqadmin.editlst file. After updating this file, the root user must run the /siqsec/bin/vaultSetup.sh script so that the changes are reflected in the /home/siqadmin/bin directory.

List of services: /siqsec/siqadmin.syslst
This file lists the services on the AppStack that the siqadmin user is allowed to manage. The default set consists of the appstack and vault services. Any services not listed in the /siqsec/siqadmin.svclst file must be managed by using the root account.

Only the root user can edit the /siqsec/siqadmin.syslst file.

Group access list: /siqsec/siqadmin.grplst
This file lists the names of files or directories on the AppStack for which access permissions and group ownership are set such that the siqadmin user and other members of the siqadmin group can access and modify these files.

For each listed file or directory, ownership and privileges are set initially during installation and can be set again at any time after installation by running a command.

If the siqadmin user or other members of the siqadmin group require read/write access to further files or directories, these files and directories can be added to the /siqsec/siqadmin.grplst file at any time. However, only the root administrator can edit the file. After the root user updates the list, ownership and permission settings must also be updated, which can be done in either of these ways:
  • The root user runs the /siqsec/bin/vaultSetup.sh script.
  • The siqadmin user runs the siq_files_access script.