Root login

Vito Sarducci — Wed, 18 Jul 2001 13:28:40 GMT

I had a funny thing happen this morning. We have a sudo script that we can run as administrators that allows us to reactivate the passwords if a user gets locked out. We have third party support that needs the root access and they locked root out this morning.

I went into SAM and modified the root password just before another administrator ran the reactivate sudo script. It locked everyone out of root. Then i went back into SAM and modified the the root password to its original password and logged out and it worked. The other administrators could not get into root.

Here is the script. Is there a gliche between the SAM modify password and the script we run?

#-- Set up globals
SCRIPT=`basename $0`
USAGE="usage: $SCRIPT [usercode]"
BOLD_ON=`tput smso`
BOLD_OFF=`tput rmso`
TCBDIR="/tcb/files/auth"

#-- Set up the FPATH environment for shell functions
export FPATH="/usr/local/functions:"
autoload FUNCTION_LIBRARY

#-----------------------------------------------------------------------#
# O U T E R B L O C K #
#-----------------------------------------------------------------------#

#-- Only the superuser may activate accounts
if [ `id -u` != 0 ]; then
print "Sorry. You must have superuser privileges to activate an account."
exit -1
fi

#-- Get usercode
USER=""
case "$#" in
0)
print "\nEnter a login name to be enabled or to exit: \c"
read USER
if [ "$USER" = "" ]; then
print "No user enabled."
exit 0
fi;;
1)
USER=$1;;
*)
print "$USAGE"
exit -1;;
esac

#-- Verify account
PWENTRY=""
PWENTRY=`grep "^$USER" /etc/passwd`
if [ -n "$PWENTRY" ]; then
FCHAR=`echo $USER | sed "s#$^.$.*#\1#"`
if [ -r "$TCBDIR/$FCHAR/$USER" ] ; then
DONE=true
else
print "User ($USER) was not found in password database."
fi
else
print "User ($USER) was not found in the /etc/passwd file."
fi

#-- Allow operator a chance to bail out
print "\n\t$PWENTRY\n"
GET_YES_NO "Is this the entry you want to reactivate?"
if [ "$ANSWER" != Y ]; then
print "User ($USER) was not enabled."
exit 1
fi

#-- Enable the account just like SAM
/usr/lbin/modprpw -k "$USER" 1> /dev/null 2>&1

print "$BOLD_ON Account \"${USER}\" has been reactivated $BOLD_OFF"

exit 0

Can someone help me on this one? It looks as if this script doesnt work even if you go into SAM before you run this and modify the root password.

Chris
chrisam@rocketmail.com

Re: Root login

Robin Wakefield — Wed, 18 Jul 2001 14:07:28 GMT

Just a couple of thoughts, probably red herrings:

your grep "^$USER" should end with a ":" to cater for usernames of roota, rootb, etc.

Also, it might be worth redirecting the output of the modprpw to something other than /dev/null, and check its exit status.

If the two operations were executed simultaneously, then some sort of lock contention may be the cause.

Robin

Re: Root login

Wodisch — Wed, 18 Jul 2001 17:27:17 GMT

Hello Chris,

the "-k" option of "modprpw" can only activate users
other than "root" - there you have to use "-x" (or it
is the other way round - one is working for users, the
other for "root", at least).
And insert that ":" at the end of your pattern for that
"grep" command!
HTH,
Wodisch

topic Re: Root login in Operating System - HP-UX

Root login

Re: Root login

Re: Root login