topic System Default Accounts in Operating System - HP-UX

System Default Accounts

john guardian — Fri, 07 Sep 2007 07:46:00 GMT

This question concrens Run Control Scripts... IE: /sbin/rc* and /sbin/init.d scripts.

Is it acceptable/secure for the user ADM to be listed as the file's GROUP owner?

Is the user ADM considered a DEFAULT SYSTEM ACCOUNT similar to ROOT,SYS,BIN and OTHER?

I don't believe I've ever seen a DEFAULT OS INSTALL where any of the "rc" scripts were owned (GROUP OWNED) by ADM.

Anyone?

Re: System Default Accounts

Steven E. Protter — Fri, 07 Sep 2007 07:51:33 GMT

Shalom,

No, it is unacceptable to make the adm user user zero.

It is fine to have a startup script that does an su - username -c command. That is a very normal practice.

You should probably talk to the vendor and ask them why they did this.

I'm guessing its just a sloppy Q&A situation. I know of no third party products other than Cyborg that require this level of privileges to start. You can bet I gave Cognos a lot of trouble over this.

SEP

Re: System Default Accounts

Pete Randall — Fri, 07 Sep 2007 07:52:39 GMT

Nope. Me either.

# ll /sbin/rc?.d |grep adm
lrwxr-xr-x 1 root 42 21 Mar 15 2004 K140webadmin -> /sbin/
init.d/webadmin
lrwxr-xr-x 1 root root 22 Mar 15 2004 S206clean_adm -> /sbin
/init.d/clean_adm
lrwxr-xr-x 1 root 42 21 Mar 15 2004 S860webadmin -> /sbin/
init.d/webadmin
lrwxr-xr-x 1 bin bin 29 Mar 15 2004 S996vradmind -> /sbin/
init.d/vras-vradmind.sh

Pete

Re: System Default Accounts

john guardian — Fri, 07 Sep 2007 07:57:13 GMT

Actually, ADM hasn't been made user/uid zero. One or two of the script listings look something like :

-r-xr-x-rx root adm <script_name>

So, ADM is simply listed as the GROUP OWNER of this script.

I've never seen this and didn't think it was acceptable.

So, once again, I still wonder whether ADM is considered a default system account?

Re: System Default Accounts

James R. Ferguson — Fri, 07 Sep 2007 08:01:12 GMT

Hi John:

> Is it acceptable/secure for the user ADM to be listed as the file's GROUP owner?

This should be acceptable. After all, it's the root user under which the startup/shutdown scripts actually execute.

> Is the user ADM considered a DEFAULT SYSTEM ACCOUNT similar to ROOT,SYS,BIN and OTHER?

Yes, 'adm' is one of the standard, default groups. You will find this group associated with '/var/adm', for example.

Generally the '/sbin/init.d' scripts are owned by 'bin' with 'bin' as their group, too.

Regards!

...JRF...

Re: System Default Accounts

Patrick Wallek — Fri, 07 Sep 2007 08:04:47 GMT

ADM is one of the default **GROUPS** in /etc/groups as part of the OS install.

The GROUP permission you are seeing has NOTHING to do with any of the users in /etc/passwd. ADM is a valid default user as well, though the user and the group ADM are separate things.

I don't know that having ADM as the group on some of the rc scripts is necessarily normal, but I don't think it is a disaster waiting to happen either. All of the scripts run as root when the system is booting anyway so the owner and group don't necessarily matter much.

If it makes you nervous, change it to match the other scripts.