topic Re: modprpw -k username in Operating System - HP-UX

modprpw -k username

Nick D'Angelo — Tue, 02 May 2006 12:14:31 GMT

HPUX 11i
I have setup sudo, but one user is having problems and receives the msg, Not Superuser when executing the command above.

I have checked /etc/group and /etc/passwd to ensure that he is in the same group.

Any ideas?

Re: modprpw -k username

Christian Tremblay — Tue, 02 May 2006 12:18:11 GMT

From the modprpw man page:

" modprpw updates the user's protected password database settings. This
command is available only to the superuser in a trusted system. "

Re: modprpw -k username

Jeff_Traigle — Tue, 02 May 2006 12:34:27 GMT

What does your sudo configuration look like? Sounds like you didn't get that configured properly.

Re: modprpw -k username

Nick D'Angelo — Tue, 02 May 2006 12:35:35 GMT

##
# User alias specification
##
User_Alias FULLTIMERS = nickd, mikef, dowdy
User_Alias PARTTIMERS = tsaunder, dstart, cdouza, cknapp, langlcx, jwhite
##
# Host alias specification
##
Host_Alias HPPA = istatux
##
# Cmnd alias specification
##
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn, /usr/lbin, /usr/lbin/modprpw
Cmnd_Alias PASSWD = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn, /usr/lbin
Cmnd_Alias CP = /usr/bin/cp
Cmnd_Alias MV = /usr/bin/mv

##
# users permissions
##
tsaunder ALL = VIPW, PRINTING, CP
nathan ALL = PRINTING, CP
smithmx ALL = VIPW, PRINTING, CP
dstark ALL = VIPW, PRINTING, CP
langlcx ALL = VIPW, PRINTING, CP, PASSWD
whitejg ALL = VIPW, PRINTING, CP

Re: modprpw -k username

Patrick Wallek — Tue, 02 May 2006 13:07:35 GMT

How is the user executing the command? Is he/she doing:

$ sudo /usr/lbin/modprpw -k

If they omit the 'sudo' then you can receive a message exactly like you see.

You should also verify the 'sudo' permissions and ownership. It should be have '--s--x--x' for permissions and the owner and group should both be root.

Re: modprpw -k username

Nick D'Angelo — Tue, 02 May 2006 14:35:27 GMT

When I try and change the user's password, this is what I get.

Cannot access protected password entry

The other members of IT Support are able to /usr/bin/modprpw -k username so I do not believe that it is a syntax problem.

I believe that the /tcb/auth files might be missing something to cmoplete his proper authentication for sudo.

Nickd

Re: modprpw -k username

Patrick Wallek — Tue, 02 May 2006 14:39:01 GMT

Hmmm...

What does:

# pwck -s

show?

Does this user have the appropriate file in /tcb/files/auth//

Where the is the first letter of the users username and is the username. For example for root the file is /tcb/files/auth/r/root.

If that file does not exist then the user will definitely have problems.

Re: modprpw -k username

Nick D'Angelo — Tue, 02 May 2006 14:44:29 GMT

The IT user with sudo problems does not have an entry in the protected password database

Re: modprpw -k username

Prashant Zanwar_4 — Tue, 02 May 2006 15:29:54 GMT

I didnt understand problem completly ..

but here is what if you want to reset user password or just reinvoke user

/usr/lbin/modprpw -l -k user
/usr/lbin/modprpw -l -v user

or change user password first and then issue above commands..

Next thing is

/etc/sudoers, whatever access user needs, should be mentioned below this.. like %group will follow what accesses he will have.. make a entry for user..

Prashant

Re: modprpw -k username

Patrick Wallek — Tue, 02 May 2006 18:45:54 GMT

Well, it needs one. I'm not sure how the user was created without its entry in /tcb/files/auth/...., but in order for it to work, it has to be there. The password, and a load of other information, is stored in that file. I would advise deleting and re-creating that particular user either with useradd or through SAM.

Re: modprpw -k username

doug hosking — Wed, 03 May 2006 15:02:27 GMT

Also be aware that modprpw checks the REAL uid, not the EFFECTIVE uid when doing the test for superuser.

Re: modprpw -k username

Bill Hassell — Wed, 03 May 2006 17:33:41 GMT

If the problem user does not have an entry in the protected database, then the user ID is bogus and sudo is correctly denying acces. This often happens when someone edits the passwd file to add or delete a user -- something that will corrupt the passwd/tcb database. Be sure you tell EVERYONE that has vipw capability to never add or delete users with vi or vipw. The Trusted system is different than a simple passwd file.

Delete the bad user and then re-add the user correctly with SAM or useradd.

Re: modprpw -k username

Nick D'Angelo — Thu, 04 May 2006 07:49:07 GMT

Bill, I am the only one who adds users and I never vi to add them.

I use useradd as part of a script.

I will delete the user using sam and add it using sam and get back to the forum.

Thanks

Re: modprpw -k username

Nick D'Angelo — Thu, 04 May 2006 07:57:24 GMT

I recreated the user using sam.

I logged on as the user and completed the steps below and no go.

$ cd /usr/lbin
$ ./modprpw -k tsaunder
Not Superuser.

I have attached my sudoers file.

There is an entry in the /tcb/files/auth/l directory for langlcx

Re: modprpw -k username

Patrick Wallek — Thu, 04 May 2006 08:03:38 GMT

In order to use 'sudo' you MUST preface the commands you run with sudo. So to run your modprpw you should do:

$ sudo /usr/lbin/modprpw -k

sudo can't do anything unless it is actually executed.

Re: modprpw -k username

Nick D'Angelo — Thu, 04 May 2006 08:07:32 GMT

I feel like such a loser.

Sometimes you can't see the trees for the forest.

If everyone would like full points, please post a reply due to my being a dolt.

Thanks