topic Re: root privilege commands in Operating System - HP-UX

root privilege commands

subhashni — Thu, 17 Jun 2004 11:47:00 GMT

Hi,
By any chance ,can unix users(non root) use or manipulate the following commands
1.shutdown
2.init
3.syslogd (kill and rerun)
4.stop.
If so how?
I appriciate your help.

Thanks

Re: root privilege commands

Sridhar Bhaskarla — Thu, 17 Jun 2004 11:52:20 GMT

Hi,

Except for shutdown, they will not be able to execute these commands except 'stop'. There isn't any command called stop. I believe you meant /sbin/init.d/<script> stop.

If you want them to execute these commands, then you would need to setup 'sudo'. You will need to configure these commands in the sudoers file, the configuration file that sudo uses to grant permissions. Look at the following URL to download.

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

You have to be bit careful while configuring the sudoers file as you may inadvertantly open up security holes.

-Sri

Re: root privilege commands

Bill Hassell — Thu, 17 Jun 2004 12:16:29 GMT

You may get a suggestion to simply change the /etc/passwd file for as particular user so their UID=0. Don't do it! Huge mistakes will occur and it is a very serious security breach. Just download sudo and grant the specific commands to the user (don't use ALL).

Re: root privilege commands

Geoff Wild — Thu, 17 Jun 2004 12:24:20 GMT

Look at sudo or even restricted SAM.

sam -r

Rgds...Geoff

Re: root privilege commands

R. Sri Ram Kishore_1 — Thu, 17 Jun 2004 12:35:10 GMT

Hi,

Yes, as others have pointed out, Sudo is a great tool to achieve this. Sudo is part of the Internet Express suite of products, which can be downloaded from:
For HP-UX 11.23: http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123
For HP-UX 11.11:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

HTH.
Regards,
Sri Ram

Re: root privilege commands

Steven E. Protter — Thu, 17 Jun 2004 12:47:05 GMT

sudo will achieve your goal.

I will say that its okay to allow other users to use shutdown under certain circumstances. its probably not a great idea to let a regular user run the init command.

init changes the system run level and executes a bunch of start and stop scripts.

If oracle starts at run level 4 and you let Joe Schmobagel bring the system to run level 3 that shuts downt he database.

You have to be extremely careful how you strucuture your system.

If you give a user init they can do an init 0 and shut the whole system down. How well are these people trained and if you are giving them this much power, why not the root password?

We sysadmins exist for a reason. One of those reasons is because we know the impact of the commands we're talking about here.

SEP