<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Sharing root in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898627#M104458</link>
    <description>try doing a search on sudo</description>
    <pubDate>Thu, 06 Feb 2003 17:00:35 GMT</pubDate>
    <dc:creator>Ken Hubnik_2</dc:creator>
    <dc:date>2003-02-06T17:00:35Z</dc:date>
    <item>
      <title>Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898626#M104457</link>
      <description>I have been reading some of the posts recently having to do with the root and other accounts on a system and I am beginning to get the impression that it is possible to create a separate account on a Unix box that would have the same permissions as root that could be used either in emergencies or in lieu of root for daily admin type tasks (saving root for the emergencies).&lt;BR /&gt;&lt;BR /&gt;Either my search know-how for this forum is completely inadequate, or this particular question hasn't been asked yet.  Personally, I'm expecting the former, not the latter...&lt;BR /&gt;&lt;BR /&gt;Is it truly possible and if so, how is it done?&lt;BR /&gt;&lt;BR /&gt;Easy points for a seasoned admin...&lt;BR /&gt;</description>
      <pubDate>Thu, 06 Feb 2003 16:54:05 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898626#M104457</guid>
      <dc:creator>John Collier</dc:creator>
      <dc:date>2003-02-06T16:54:05Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898627#M104458</link>
      <description>try doing a search on sudo</description>
      <pubDate>Thu, 06 Feb 2003 17:00:35 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898627#M104458</guid>
      <dc:creator>Ken Hubnik_2</dc:creator>
      <dc:date>2003-02-06T17:00:35Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898628#M104459</link>
      <description>Hi:&lt;BR /&gt;&lt;BR /&gt;Yes, you can do this.  I would not.  A superuser is merely an account with a uid=0.  One way to do this is to create an account with any uid and 'vi' the '/etc/passwd' file to replace the 'uid' with zero.&lt;BR /&gt;&lt;BR /&gt;What matters is the 'uid' of a file or a process.  The name associated with it is simply mapped (derived) from a user database file such as '/etc/passwd'.&lt;BR /&gt;&lt;BR /&gt;The problem with multiple "root" (uid=0) accounts is that someday, someone will forget that, for instance, a user named "jrf" is really a root alias; and delete all files owned by "jrf" -- rather, all files owned by uid=0 ...&lt;BR /&gt;&lt;BR /&gt;Regards!&lt;BR /&gt;&lt;BR /&gt;...JRF...</description>
      <pubDate>Thu, 06 Feb 2003 17:00:39 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898628#M104459</guid>
      <dc:creator>James R. Ferguson</dc:creator>
      <dc:date>2003-02-06T17:00:39Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898629#M104460</link>
      <description>Any user created with the UID of 0 has root privileges, about all you gain from this is a little better tracking of login, command history and accountability&lt;BR /&gt;&lt;BR /&gt;It's handy to give to HP to check your system if they can dial and simply enable/disable the account for whenever needed&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Thu, 06 Feb 2003 17:01:14 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898629#M104460</guid>
      <dc:creator>James Odak</dc:creator>
      <dc:date>2003-02-06T17:01:14Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898630#M104461</link>
      <description>Create another user with a UID of Zero (You may have to create them with a unique UID first then alter it to Zero in /etc/passwd).&lt;BR /&gt;&lt;BR /&gt;Alternatively, use 'sudo' from the HP Porting Centre.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://hpux.cs.utah.edu./hppd/hpux/Sysadmin/sudo-1.6.6/" target="_blank"&gt;http://hpux.cs.utah.edu./hppd/hpux/Sysadmin/sudo-1.6.6/&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;Share and Enjoy! Ian</description>
      <pubDate>Thu, 06 Feb 2003 17:01:23 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898630#M104461</guid>
      <dc:creator>Ian Dennison_1</dc:creator>
      <dc:date>2003-02-06T17:01:23Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898631#M104462</link>
      <description>Any user ID (UID) of 0 is going to be the equivalent of root.  This is rarely a good idea though.  &lt;BR /&gt;If you want to do routine systems administration without using the root account, then you'll need to install sudo, and restricted SAM. There is a lot of information here in the ITRC forums about sudo and restricted SAM, and you can get a lot of stuff out of Google.  &lt;BR /&gt;For example, we cannot let our Oracle DBAs access the root account, yet they occasionally have need of root level operations.  Those particular operations we have enabled using sudo.  That lets them do their thing without bothering the Sysadmins.  &lt;BR /&gt;Best of all is to "harden" your Unix system.  This is too detailed a task to write here, so I'm attaching our hardening document. This is an abbreviation of the information in _Practical Unix &amp;amp; Internet Security_, by Garfinkel &amp;amp; Spafford, by O'Reilly.  This is widely available on the web, local bookstores, and on the O'Reilly website at &lt;A href="http://www.oreilly.com" target="_blank"&gt;www.oreilly.com&lt;/A&gt;, and highly recommended. &lt;BR /&gt;&lt;BR /&gt;Chris</description>
      <pubDate>Thu, 06 Feb 2003 17:07:11 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898631#M104462</guid>
      <dc:creator>Chris Vail</dc:creator>
      <dc:date>2003-02-06T17:07:11Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898632#M104463</link>
      <description>Hi,&lt;BR /&gt;&lt;BR /&gt;sudo is the way to go.&lt;BR /&gt;&lt;BR /&gt;It is possible to create a pseudo root account uid 0 but don't do this.&lt;BR /&gt;&lt;BR /&gt;Robert-Jan.</description>
      <pubDate>Thu, 06 Feb 2003 17:07:41 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898632#M104463</guid>
      <dc:creator>Robert-Jan Goossens</dc:creator>
      <dc:date>2003-02-06T17:07:41Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898633#M104464</link>
      <description>Just DO NOT create another account with 0. There are a few other ways to get your issues fixed.&lt;BR /&gt;&lt;BR /&gt;1. SUDO - the first choice. Define only a few items in SUDO like modprpw -k for only the SA group. Redirect your syslog to another system where only your manager has root access to have access for auditing.&lt;BR /&gt;&lt;BR /&gt;2. You can always get the root password changed in the single user mode. So, restrict your console access and to the datacenter.&lt;BR /&gt;&lt;BR /&gt;3. Go to point 1.&lt;BR /&gt;&lt;BR /&gt;-Sri</description>
      <pubDate>Thu, 06 Feb 2003 17:33:37 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898633#M104464</guid>
      <dc:creator>Sridhar Bhaskarla</dc:creator>
      <dc:date>2003-02-06T17:33:37Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898634#M104465</link>
      <description>This is like asking "do you like blue".  You're going to get responses leaning towards "never set up another uid 0 account", you'll get responses saying "use sudo", you'll get responses that say "sure, set up as many root users as you want".&lt;BR /&gt;&lt;BR /&gt;My own opinion is to have one and only one root account.  If you need to share root responsibilities, look into restricted SAM or sudo.  If you need to have some sort of emergency access (like forgetting the root password), you need to look into more training for your sys admins and possibly new sys admins.&lt;BR /&gt;&lt;BR /&gt;Like I said - just my opinion.&lt;BR /&gt;&lt;BR /&gt;Pete</description>
      <pubDate>Thu, 06 Feb 2003 18:13:08 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898634#M104465</guid>
      <dc:creator>Pete Randall</dc:creator>
      <dc:date>2003-02-06T18:13:08Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898635#M104466</link>
      <description>It never ceases to amaze me at how easy it is to get things stirred up sometimes.  I know I'm still relatively new to the concept of in depth system administration and there is still much I need to learn, but it seems like the learning process can be rather hard on the head when you can't manage to get official training along those lines.&lt;BR /&gt;&lt;BR /&gt;Sorry to stir things up so much over what I thought would be a simple question.&lt;BR /&gt;&lt;BR /&gt;On a different note, I do appreciate all of the information that all of you have provided on this.  There is truly much more to consider than I realized when I put this question out.  Actually, this is one of the reasons that I wanted to put it here on this forum before trying something on the systems here.  One thing that I have learned is that there is much more knowledge available here than I could ever hope to possess on my own. Due to the fact that each of you have had different experiences in your career which have taught you different things than some of your colleagues (and much more than I at this stage of my life), this forum is one of the most valuable resources I have found in my search for knowledge.  The fact that you are all so willing to share it is sometimes mind boggling on its own.&lt;BR /&gt;&lt;BR /&gt;I will take this information to heart and think hard about the options given and the ramifications of each one before I make any moves.  While Sudo seems to be the most popular option here, I don't know if the others involved in this will be willing to go that direction.  It hasn't been discussed yet.  This whole thing was my brainchild and I was simply looking for a possible way to create a "backdoor" JIC.  Trying to be somewhat proactive and save potential heartache down the road ;-)...&lt;BR /&gt;&lt;BR /&gt;Chris,&lt;BR /&gt;&lt;BR /&gt;Your suggestion on hardening the system is most likely the smartest thing that we could do, but it looks just a bit too restrictive for the way we have to do things.  I appreciate the information none the less and will file it for future reference.  Hopefully it will be useful to someone else as well.&lt;BR /&gt;&lt;BR /&gt;Pete,&lt;BR /&gt;&lt;BR /&gt;I think you wrapped this whole thing up in a nutshell.  I can see now that this is greatly a matter of opinion more than a matter of mechanics.  The mechanics are easy; the rest is far from it.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Thanks again for all the input from everybody.  It appears I have much thinking to do...&lt;BR /&gt;</description>
      <pubDate>Thu, 06 Feb 2003 21:15:12 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898635#M104466</guid>
      <dc:creator>John Collier</dc:creator>
      <dc:date>2003-02-06T21:15:12Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898636#M104467</link>
      <description>Hi John:&lt;BR /&gt;&lt;BR /&gt;I don't think you "stirred things up" so much as you asked a good question.  Don't be offended by the tone of the responses either.&lt;BR /&gt;Very little is black-and-white; rather infinitely gray.  &lt;BR /&gt;&lt;BR /&gt;Regards!&lt;BR /&gt;&lt;BR /&gt;...JRF...</description>
      <pubDate>Thu, 06 Feb 2003 21:24:02 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898636#M104467</guid>
      <dc:creator>James R. Ferguson</dc:creator>
      <dc:date>2003-02-06T21:24:02Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898637#M104468</link>
      <description>Hi John,&lt;BR /&gt;&lt;BR /&gt;Correlating your message and JRF's response, I looked at all the messages and the most offending (?) message is probably mine.&lt;BR /&gt;&lt;BR /&gt;I do not necessarily agree that it is a matter of opinion. An opinion certainly comes into the picture when you ask "do you like blue?". However, when you ask "do you like to drink pepsi or poison?" then my answer would not be an opinion.&lt;BR /&gt;&lt;BR /&gt;If a person is attempting to drink poison, then the suggestions may look offending. But they are for good. Creating another account with uid 0 is the same for me in terms of security.&lt;BR /&gt;&lt;BR /&gt;-Sri</description>
      <pubDate>Thu, 06 Feb 2003 21:54:56 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898637#M104468</guid>
      <dc:creator>Sridhar Bhaskarla</dc:creator>
      <dc:date>2003-02-06T21:54:56Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898638#M104469</link>
      <description>Another opinion.... Let's just say you have an audit team walk in the door... Some of them are serious ...&lt;BR /&gt;&lt;BR /&gt;The first things they will review are entries from your password file, how you manage root password and an overall view of security of your systems. If you are serious about security, then installing 'sudo' is one of the most effective methods. If you're not, then you can open up whatever little nasties you like.&lt;BR /&gt;&lt;BR /&gt;My aussie 3 cents&lt;BR /&gt;Michael</description>
      <pubDate>Thu, 06 Feb 2003 22:00:13 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898638#M104469</guid>
      <dc:creator>Michael Tully</dc:creator>
      <dc:date>2003-02-06T22:00:13Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898639#M104470</link>
      <description>Now I see that I have worded my last reply the wrong way.  Please allow me to clarify.&lt;BR /&gt;&lt;BR /&gt;I was in no manner, shape, or form offended or insulted by any of the answers that I received nor did I find any of them to be off key in any way.  On the contrary, I found them all to be rather enlightening.&lt;BR /&gt;&lt;BR /&gt;One of the things that I have come to appreciate about this forum is that you will get a wide variety of responses to a question due to the fact that you have such a wide variety of people, personalities, and experiences in this knowledge pool.  That is one of the things that makes this such a valuable source of information.&lt;BR /&gt;&lt;BR /&gt;At the same time, due to the variety of people and personalities, you also get a wide variety of answers each with their own personal tone to them.  If a person dwells on the words only, then they will miss the true meaning behind what is truly being conveyed.  You have to be able to look beyond the obvious and see the real reasons for the responses.&lt;BR /&gt;&lt;BR /&gt;At the risk of sounding like I'm writing a book, let me explain further;&lt;BR /&gt;&lt;BR /&gt;When I first entered this forum, I found it to be intimidating on many levels.  Most of the people that you see responding to the questions posted here have a much larger personal knowledge base than I do and I felt (and still do to a point) inadequate.  I didn't think that I belonged here and that I would be blown out of the water with the first stupid question I asked.  I hadn't learned to read beyond the words yet.&lt;BR /&gt;&lt;BR /&gt;Then I found some of the less official threads in this arena and started reading on them as well.  This allowed me to get to know the people behind the words to an extent, but I still didn't want to post because then it seemed so much like a family and I didn't feel like I fit in there either.  Nobody knew me.  How could I fit?&lt;BR /&gt;&lt;BR /&gt;Many months later, I finally came back to the forum and decided that I would try to post some and see how it went.  I had seen enough that I felt I could risk it, so I started with something simple like the congratulation posts.  Even then, I went in cautiously and apologetically.  What I got from the community was a warm welcome and encouragement to not be shy, but just jump right in.  Perhaps if they would have known the monster they were about to unleash, they wouldn't have done that (but it's too late now!!).&lt;BR /&gt;&lt;BR /&gt;Please rest assured that if I ever get offended, you will know about it and I'm not likely to be very subtle when it happens.  But don't worry about that too much either.  I have thicker skin than most and I have learned something about how to read the information from some of the different people here.&lt;BR /&gt;&lt;BR /&gt;Most of the people seem to be good folks.  They also seem to be rather passionate about their work and when they give an answer, they tend to feel strongly about it.  To the newbie, that can come across wrong if they haven't taken the time to pay attention.  Check my profile and see how long I have been watching vs. how long I have been responding/posting.  I paid my dues in that area.&lt;BR /&gt;&lt;BR /&gt;Best way for me to put this is simply "Hit me with everything you've got" or "Don't pull punches".  If I'm to the point of asking in this forum, I'm ready for pretty much anything I get.  If someone steps on a toe or bruises a feeling, I'll let you know.  Otherwise, don't be concerned for a minute.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;James,&lt;BR /&gt;&lt;BR /&gt;Thanks to you for the kind words.  It's nice to see an Olympian give me credit for a good question.  I consider that a compliment.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Sri,&lt;BR /&gt;&lt;BR /&gt;You have always struck me as one of the more passionate in your answers.  For that reason, I see why you would have the response you gave.  No opinion, just facts.  When my personal knowledge base is as large as yours, I expect I will be the same way.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Michael,&lt;BR /&gt;&lt;BR /&gt;That is one of the things that I have to think about.  Remember the closing to my last post?&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Thanks again to you all,&lt;BR /&gt;JWC&lt;BR /&gt;</description>
      <pubDate>Thu, 06 Feb 2003 23:25:24 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898639#M104470</guid>
      <dc:creator>John Collier</dc:creator>
      <dc:date>2003-02-06T23:25:24Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898640#M104471</link>
      <description>Just to add my 2 cents.  Restricting root to console logins only DOES not prevent people with the password from using su to become root to accomplish their jobs.  It DOES make sure they have to use su so that you will have a log of who became root at the time something dreadful happened.  I have been VERY happy to have done this and it's very, very simple.&lt;BR /&gt;I'm also glad I installed sudo.  It's rather a pain to get configured, but once you figure it out, it can be very handy.  For instance, I was changing user passwords 2-3 times EVERY day.  Now a select group of IT people can sudo passwd and save me the hassle, which does add up.&lt;BR /&gt;Kim</description>
      <pubDate>Thu, 06 Feb 2003 23:38:16 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898640#M104471</guid>
      <dc:creator>Kim Doty</dc:creator>
      <dc:date>2003-02-06T23:38:16Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898641#M104472</link>
      <description>&lt;BR /&gt;&lt;BR /&gt;Hi,&lt;BR /&gt;&lt;BR /&gt;create a user say admin and use this account daily and when you need to do root tasks just su to root. So in this way you don't have to log in as root every day and it's safer this way. Also look at sudo.&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Fri, 07 Feb 2003 10:48:53 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898641#M104472</guid>
      <dc:creator>Khalid A. Al-Tayaran</dc:creator>
      <dc:date>2003-02-07T10:48:53Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898642#M104473</link>
      <description>One of the things that worries me as an admin is people scanning the network traffic for the root password.  I was just thinking if I use su I wouldn't have to worry about this any more.&lt;BR /&gt;&lt;BR /&gt;I like your hardening document, I will be giving that some attention SOON.&lt;BR /&gt;&lt;BR /&gt;I was told on a course that security and convenience are inversely related.&lt;BR /&gt;&lt;BR /&gt;I guess if you have hundreds of users all keeping files that are highly sensitive you would probably spend a lot of time worrying about file permissions.&lt;BR /&gt;&lt;BR /&gt;There's a utility called cops that does some security checking, it's a help, don't rely on it though.</description>
      <pubDate>Fri, 07 Feb 2003 12:36:54 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898642#M104473</guid>
      <dc:creator>Gavin Clarke</dc:creator>
      <dc:date>2003-02-07T12:36:54Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898643#M104474</link>
      <description>My turn now ;-)&lt;BR /&gt;&lt;BR /&gt;1. multiple uid=0's : I do not share the idea that it is worse than 1 uid=0 account.  If you give it good names, you won't remove them by mistake.  When you enable accounting, you even see which user executed commands with a uid=0 user (every user has a different audit id on a system - it's in the tcb-files).&lt;BR /&gt;What my experience is, is that it is not easy to maintain a lot of users in a site with hundreds of unix-boxes.  So, for that reason, you'll try to limit the number of accounts.&lt;BR /&gt;What's the result ?  Let all your sysadmins work under 1 root user ?  Dangerous (if you do esc -).&lt;BR /&gt;We concluded it was best to let all the sysadmins work under 1 user, but they do not have permanent access.  They can change the password of the root user by demand.  Also, only 1 user can lock the root account at one time.&lt;BR /&gt;&lt;BR /&gt;2. restricted sam : difficult to work in a distributed environment.&lt;BR /&gt;&lt;BR /&gt;3. SCM : the way to go for the future (imho) : every sysadmin works under his own account on a central mgt-server, but has control over several delegated root-tasks across his domain.&lt;BR /&gt;&lt;BR /&gt;who's next ?</description>
      <pubDate>Fri, 07 Feb 2003 14:47:18 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898643#M104474</guid>
      <dc:creator>Systeemingenieurs Infoc</dc:creator>
      <dc:date>2003-02-07T14:47:18Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898644#M104475</link>
      <description>I'm always tickled when I see folks insisting that their opinions aren't....&lt;BR /&gt;&lt;BR /&gt;There was a related thread a few weeks ago:&lt;BR /&gt;&lt;A href="http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x2eae4a988422d711abdc0090277a778c,00.html" target="_blank"&gt;http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x2eae4a988422d711abdc0090277a778c,00.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;I said then:&lt;BR /&gt;All of our actual "root" passwords are escrowed with me (Chief Systems Engineer) by the server's primary SA, in sealed envelopes and vaulted. Each Unix sysadmin has an individual uid 0 account on each box (s)he's responsible for, so when someone leaves, we just disable the account unless their signature is on a root envelope, in which case we also change root for that box. Our security standards call for password changes every sixty days, and do contain some guidance on construction of passwords. Each sysadmin is responsible for managing passwords on the personal uid 0 accounts, and the primary also manages the real root account.</description>
      <pubDate>Fri, 07 Feb 2003 18:54:04 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898644#M104475</guid>
      <dc:creator>W.C. Epperson</dc:creator>
      <dc:date>2003-02-07T18:54:04Z</dc:date>
    </item>
    <item>
      <title>Re: Sharing root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898645#M104476</link>
      <description>Use either or a combination of:&lt;BR /&gt;Restricted SAM&lt;BR /&gt;sudo&lt;BR /&gt;SCM&lt;BR /&gt;3rd Party Products&lt;BR /&gt;&lt;BR /&gt;When talking about using "su", make sure you set the SU_ROOT_GROUP in the /etc/default/security file so only members of a specific group can "su" to root.&lt;BR /&gt;&lt;BR /&gt;I personally don't like having multiple UID 0's. But, I also won't set trusted system settings on the root account (such as aging, locking, etc..).&lt;BR /&gt;&lt;BR /&gt;And finally... if using root or using su to get to root, don't use telnet at any point in your connection unless you are on a private LAN and have high confidence in the security of the HP-UX system you are connecting to.&lt;BR /&gt;&lt;BR /&gt;- Chris&lt;BR /&gt;</description>
      <pubDate>Fri, 07 Feb 2003 19:13:13 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/sharing-root/m-p/2898645#M104476</guid>
      <dc:creator>Chris Wong</dc:creator>
      <dc:date>2003-02-07T19:13:13Z</dc:date>
    </item>
  </channel>
</rss>

