topic Re: Root user in Operating System - HP-UX

Root user

Kevin_107 — Thu, 20 Feb 2003 13:01:18 GMT

Is there a way of creating a second root user ie. root2 with all the same privileges so it can stop/restart system/application processes when needed ??

Re: Root user

Yogeeraj_1 — Thu, 20 Feb 2003 13:08:22 GMT

hi,

modify your UID to be 0

you can either do it when creating the user in SAM

or modify your password file

root:ItDrkovo.KRhs:0:3::/:/sbin/sh
^^

hope this helps!

Regards
Yogeeraj

Re: Root user

Chris Wilshaw — Thu, 20 Feb 2003 13:09:06 GMT

useradd -u 0 -o -g sys -m -c "Second Root User" -s /sbin/sh root2

This will create the user with a directory of /home/root2

Re: Root user

Gavin Clarke — Thu, 20 Feb 2003 13:11:43 GMT

Er, yes set UID = 0, you probably don't want to do this though, if you search the forums I'm sure you'll find stuff telling you why it's not a good idea.

For example what happens if you go to delete this other user and delete all the files it owns. All files owned by root will be deleted.
I picked that up from a post on the forum somewhere and it made me think.

Can you not just get what you want from su? Or sudo (again search for this)?
Would I be right in saying you have two admins and they both want to have different passwords?

Re: Root user

James R. Ferguson — Thu, 20 Feb 2003 13:12:06 GMT

Hi Kevin:

There are a number of ways to handle situations like this.

> Using "restricted SAM" is one method. See the man pages for 'sam' for more information.

> Using 'sudo' is another (common) choice.

http://hpux.cs.utah.edu/hppd/hpux

> Creating setuid scripts or c-wrappers is sometimes done, but this can be a large security risk.

Regards!

...JRF...

Re: Root user

James R. Ferguson — Thu, 20 Feb 2003 13:15:25 GMT

Hi (again) Kevin:

While any account with a uid=0 is a superuser account, *beware* the day you (or your successor) forget that the account named 'kevin' is such an account, and you (or your successor) runs something like:

# find / -type f -user kevin -exec rm {} \;

...the result is that files with uid=0 are removed. Guess which files!!!

Regards!

...JRF...

Re: Root user

Yogeeraj_1 — Thu, 20 Feb 2003 13:26:04 GMT

hi again,

Yes, Mr. James R. Ferguson is right!

SUDO will be a much better alternative to consider.

Best Regards
Yogeeraj

Re: Root user

Colin Topliss — Thu, 20 Feb 2003 13:40:00 GMT

Watch out if you use sudo though. There are a number of security issues that can arise around this if you don't be careful when you configure it(the favourite is gaining a root shell when you really never intended that to happen).

Re: Root user

W.C. Epperson — Fri, 21 Feb 2003 15:07:14 GMT

Just $.02.

You have good suggestions on how to do this, just some comments on use.

We've used multiple root ids on hp-ux v7-11, SCO Unix, Solaris, AIX, and various Linuxes. Works very nicely on all, and avoids changing every root password on every server every time a sysadmin leaves (the "real" root passwords are escrowed with me by the primary sysadmin for the platform). But we always use a name consisting of initials+root, e.g wceroot, to avoid confusion with one's vanilla ids.