topic Re: Doing root tasks without root access in Operating System - HP-UX

Doing root tasks without root access

emealogistics — Sat, 26 May 2007 02:20:27 GMT

Hi everyone

I have been asked to do the following jobs without having root/sudo/SAM access or access to command passwd (except for changing my own password)

1) create users
2) change password of other users
3) enable /disable users
4) kill processes not belonging to me/group

Is there any way to do this?

regards

Re: Doing root tasks without root access

Robert-Jan Goossens — Sat, 26 May 2007 05:36:53 GMT

Hi,

The easiest way is to install and configure sudo, sudo will let you perform admin(root) tasks under your own userid. In you case you would need to configure the root commands useradd, userdel, passwd, usermod and kill.

docs
http://www.courtesan.com/sudo/intro.html

software
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p12/

Regards,
Robert-Jan

Regards,
Robert-Jan

Re: Doing root tasks without root access

emealogistics — Sat, 26 May 2007 06:17:54 GMT

Hi Rob

Thanks for replying. Unfortunately I will not be able to get sudo rights (makes no sense to me).

The reason why they won't allow me use of passwd is that they think that I can change the password for root. Is it possible to have rights to passwd and not change the root password?

Re: Doing root tasks without root access

DCE — Sat, 26 May 2007 08:29:42 GMT

you can look at restricted SAM

sam -r to configure.

it allows a user access to only those processes defined to their id

Re: Doing root tasks without root access

OldSchool — Sat, 26 May 2007 09:34:09 GMT

what "they" need to do to make this happen is right a wrapper script that runs passwd, and then allow you to sudo the wrapper.

the wrapper would examine the userid that you are attempting to change and then either allow it or not.

you can't perform the task specified in the environment you described...(ie no sudo, sam....)

Re: Doing root tasks without root access

Patrick Wallek — Sat, 26 May 2007 10:01:09 GMT

You CAN NOT do those tasks without some sort of root level access. It is IMPOSSIBLE!

You MUST be able to run the commands as root to: create users, change other users passwords, enable/disable users and kill others processes.

Now that being said, one option may be to write a script / program that runs as a setuid program (ie. permissions are something like root:security for owner group and rwsr-x--- for permissions) that will give you menu choices and ask you to enter the appropriate user you wish to modify. This program / script can do a check to see if you enter 'root' for a user name. If you do, it could throw an error.

Access to this could be controlled by creating a "security" group. Whoever needs to run this program / script gets added to the security group.

Re: Doing root tasks without root access

Bill Hassell — Sat, 26 May 2007 10:45:59 GMT

And to emphasize the security aspects of these tasks: you need skill in writing programs as well as how to protect them so access is secure. You can hire a consultant to write the program(s) for you. Be sure that the consultant has the necessary skills for both security as well as programming. And make sure the program logs every activity.

Or you use sudo. It is a severe security and stability risk to 'work around' security without sudo. I say stability because an improperly written tool may allow a user to accidentally remove every file in your computer with one command (as root). sudo is mandatory for distributed sysadmin privileges.

Re: Doing root tasks without root access

DavidJ — Mon, 28 May 2007 02:01:54 GMT

Hi,

I am using a package that allows one to do exactly what you are asking for. Not only does it do that but it can be customised for your needs and environment quite easily and is quite easy to maintain. It also logs everything that it does, who issued what command etc.

If you are interested in this email me at djason at mhg dot co dot za and I will put you in touch with this company.