topic Re: Duplicate root user in Operating System - HP-UX

Duplicate root user

Zulkarnain Bin Salim — Thu, 28 Jul 2005 00:43:48 GMT

Hi,

How can i duplicate a root user and also all the authentication, permission, kernel config.

Any advise. Since i never do this before.

TQ

Rgrds,
Zuls

Re: Duplicate root user

mirco_1 — Thu, 28 Jul 2005 00:51:27 GMT

hi,

create new entry (new user) in /etc/passwd with id 0.
example :

pippo:*:0:3::/:/sbin/sh

DM.

Re: Duplicate root user

Mahesh Kumar Malik — Thu, 28 Jul 2005 00:55:02 GMT

Hi Zuls

Create a new user with name other than root and set uid to 0. This user will have same previlages as of root

Regards
Mahesh

Re: Duplicate root user

Rainer von Bongartz — Thu, 28 Jul 2005 01:15:04 GMT

The user name 'root' does not matter.
What gives the user root his privileges is his UID 0.

So you can create a new user with any name and give him the UID 0 to grant all 'root' priviliges.

BUT: You should NOT do this. Best practices for Unix systems is always to have only 1 user with the UID 0.

If you need to grant all (or some) root priviliges to another user you should think about using the sudo tool.

Regards
Rainer

Re: Duplicate root user

Muthukumar_5 — Thu, 28 Jul 2005 06:40:33 GMT

Solution is given that uid has to be like root's one as 0. It is not recommeded to make like that. Global permission has to be given to a unique person called root in *NIX ;)

hth.

Re: Duplicate root user

Kent Ostby — Thu, 28 Jul 2005 06:50:09 GMT

Muthukumar brings up a point related to WHY do you want to do this.

You can have the multiple users with uid 0, but it raises some security concerns.

Another way is to allow certain people root access.

Yet another way is to allow certain people to run certain commands via "sudo" as root.

Or even set up sudo so that users can become root but their becoming root is logged to syslog.

See here for details:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=728865

Re: Duplicate root user

Zulkarnain Bin Salim — Thu, 28 Jul 2005 07:07:21 GMT

Hi Kent and all the guru,

I do glance through the article about the sudo, but honestly i blur how actually it works. And how can i implement it.

Since the user like to have second user as root for the disaster recovery plan.

Please help.

TQ.

Rgrds,
Zuls

Re: Duplicate root user

MarkSyder — Thu, 28 Jul 2005 07:24:57 GMT

I really think a second root user for disaster recovery is overkill.

What's wrong with:

1. booting into single user mode to reset the root password if it is lost; or

2. using an ignite backup.

Mark Syder (like the drink but spelt different)

Re: Duplicate root user

Zulkarnain Bin Salim — Thu, 28 Jul 2005 08:09:27 GMT

Hi Marks and all the gurus,

It corrects but this user will be use only on the emergency incidents purpose since this server quite difficult to restart.

I think i will be implement the UID=0 for the emergency issue. Like, login with the new user than run passwd root change it back and then, login back to as root.

It is better solutions.

Rgrds,
Zuls

Re: Duplicate root user

Patrick Wallek — Thu, 28 Jul 2005 08:16:59 GMT

I disagree 110%. Another UID 0 user is a BAD BAD BAD idea and a BIG BIG BIG Security risk.

Several problems I can think of:

1) What is you forget the password to the other UID 0 user? It does you no good then.

2) If this is a trusted system, what if you don't use the user and it gets locked out because of inactivity? Again it does you no good.

3) It's a BIG security hole. If someone gets into your system and discovers the password for the duplicate UID 0 user, then they now have FULL access to your system.

4) You say it will only be used in DR situations. Yeah right! If the ID is there it will get used.

I strongly advise AGAINST another UID 0 user.

You should go back and look at sudo. It is a much much better solution.

If sudo is set up correctly, you can do anything with it that you can with root. If the root ID is locked out, you can do something like 'sudo su -' to log in as root so the problem can be fixed.

Re: Duplicate root user

Geoff Wild — Thu, 28 Jul 2005 08:24:16 GMT

Yes you can do this - by creating another userid with uid=0

I have done this in the past - when I worked in a place with 2 other admins - who were less then capable - so to protect my back side - I created a rootg account - that way, anything done as root was audited as well as what I did - as rootg.

For DRP - sure - that would work - but remember - just because you make say an id called: rootdr

That will not prevent them from doing:

su -

without a password - so, in effect - they are root with out the root password....

If it's for dr only, why not lock up the root password in a vault - then when a dr strike - or a dr test - have that person follow your dr book and get the root password.

Either way is fine...

Rgds...Geoff

Re: Duplicate root user

MarkSyder — Thu, 28 Jul 2005 08:30:19 GMT

You say a second UID of 0 is the best solution because the server is difficult to start.

Can you explain to us why it's difficult to start?

Mark

Re: Duplicate root user

A. Clay Stephenson — Thu, 28 Jul 2005 08:44:03 GMT

Having more than one UID 0 login is not a Disaster Recovery Plan; it's simply a Disaster that hasn't happened yet.

Re: Duplicate root user

DCE — Thu, 28 Jul 2005 09:01:33 GMT

As others have pointed out this is a BIG security risk. If this system is ever audited, it will be classified a severe security violation.

Unix file ownership is not based on id, rather UID. By giving another user a duplicate UID, you are blurring who owns what, and eliminating the capability to trace who has done what.

sudo is an easy solution to your problem, and it actually quite easy to implement. And if you have problems with it, there are plenty of people in this forum who would be willing to answer your questions.

Finally, if this is for DR purposes, then it is not necessary. In a DR you will be recovering from tape to a new system. By definition you know the root password on the system you are installing to. If there is an issue with the password boot into single user mode and change the password.

Re: Duplicate root user

Zulkarnain Bin Salim — Thu, 28 Jul 2005 09:31:01 GMT

Hi Gurus,

Advance thanks for your replies. I really appreciate it.

I will follow your suggestion not to have second UID=0 since it will kill me and my repo outside the IT world.

Anyway, will you all give me some advise how can i start to implement the sudo exercise, i.e where to download, and setup guide.....

Please advice. & TQ

Rgrds, Zuls

Re: Duplicate root user

Simon Hargrave — Thu, 28 Jul 2005 09:31:56 GMT

I'll jump on this too.

If you're setting your "other" root user up just in case you can't get into your main root user then that's very very bad.

This would imply that you are rarely if ever going to use the "other" root user, which also implies that you will have to set it up with a password that never expires. This gives any potential hackers all the time in the world to compromise the password.

It's been said so many times, but once more won't harm and hopefully you will realise - DON'T DO IT!

It really isn't that difficult to setup sudo.

Re: Duplicate root user

Zulkarnain Bin Salim — Thu, 28 Jul 2005 09:35:06 GMT

Simon and all the gurus,

Please advice me, at least some guide
how to download and guide to installation and setup .... I'm new to this unix world

Advance thanks all gurus.

Rgrds, Zuls

Re: Duplicate root user

Patrick Wallek — Thu, 28 Jul 2005 10:04:29 GMT

SUDO Home page:

http://www.gratisoft.us/sudo/

HP-UX versions of sudo:

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p9/
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p7/

Re: Duplicate root user

Carles Viaplana — Thu, 28 Jul 2005 10:05:03 GMT

Hi Zuls,

An option could be create a normal user and grant rights to switch to root user.

Regards,

Carles

Re: Duplicate root user

Bill Hassell — Thu, 28 Jul 2005 14:33:07 GMT

And just so you know: the first place a hacker sets up shop is to change an ordinary user into UID=0. The user may not even know that this has happened. If you create multiple UID=0 users, it eill be difficult to detect hackers. Look at the output from:

logins -d