topic Re: Become root without asking password in Operating System - HP-UX

Become root without asking password

Claudio_4 — Tue, 06 Nov 2001 08:58:48 GMT

Hi all,

Is it possible to change user becoming "root" without asking the password ?
In a user script, I have to launch a command as root and the user can't know the password for root.

can somebody help me ?

thank's in advance.
Claudio.

Re: Become root without asking password

Michael Tully — Tue, 06 Nov 2001 09:08:22 GMT

I would set up 'sudo' to do this. There are many situations such as yours that this product will cater for. It is easy to compile, it is free and can be downloaded as a compiled version. Here are the links:

source
www.courtesan.com/sudo

Already compiled version from
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.2b1/

HTH
-Michael

Re: Become root without asking password

Thierry Poels_1 — Tue, 06 Nov 2001 09:08:34 GMT

Hi,

"sudo" might be the perfect solution, it allows you to grant permission to specific users for specific commands.

If it's an executable, you can set the "Set user ID on file execution" (chmod u+s) and make root the owner of the file: this will execute the file as root.

good luck,
Thierry.

Re: Become root without asking password

Rainer von Bongartz — Tue, 06 Nov 2001 09:14:01 GMT

Become root without asking password cannot be what you really want 'cuase this is much to dangerous

Better use SETUID root on the file

chown root
chmod u+s

Now starting file will run with root permissions

Regards
Rainer

Re: Become root without asking password

Deepak Extross — Tue, 06 Nov 2001 09:14:32 GMT

Possible, but you could be opening up a huge security hole.

Consider doing this:
#chown root:sys #chmod +s
This should solve your problem.

Re: Become root without asking password

Deepak Extross — Tue, 06 Nov 2001 09:20:35 GMT

But if you really trust this user :-)
make the required entries in the /etc/hosts.equiv and .rhosts files, and let the user do a
$rlogin -l root

Re: Become root without asking password

Marcin Wicinski — Tue, 06 Nov 2001 09:22:25 GMT

Hi,
Solution you suggest is very dangerous from the point of view of system security. I would recommend to prepare the script as root and give it a s permission (script is executed as invoked by root):

chmod u+s >script_name>

Re: Become root without asking password

Volker Borowski — Tue, 06 Nov 2001 09:35:39 GMT

If you set up a suid script,
remember to revoke write permission,
so nobody can change what is in the script !

Volker

Re: Become root without asking password

Darrell Allen — Tue, 06 Nov 2001 13:45:31 GMT

I'm sure a number of people will disagree but you should not set up any user (including sys admins) to be able to become root without a password. Sudo is a good answer though suid programs / scripts can work, they're just much more complex to set up.

Darrell

Re: Become root without asking password

harry d brown jr — Tue, 06 Nov 2001 14:01:03 GMT

You can't be serious about using this method:

But if you really trust this user :-)
make the required entries in the /etc/hosts.equiv and .rhosts files, and let the user do a
$rlogin -l root

Any user that knows your "trusted" users passwd can BECOME ROOT on your host. That's a violation of all security procedures and guidlines.

If you give that user access form another machine, then anyone can SPOOF your host into thinking they are the trusted host and the trusted user.

You really need to follow Rainer's advice:

chmod 555 <scriptname> #make sure no one can write to it
chown root <scriptname>
chmod u+s <scriptname>

live free or die
harry

Re: Become root without asking password

Darrell Allen — Tue, 06 Nov 2001 14:44:50 GMT

A few more points:

Setting up the rlogin has the end result of making the user superuser. So the user doesn't know the root password. Big deal. He no longer needs it.

If you use a suid script at least chgrp it to a private group (no one in that group in /etc/group except the ones you want to be able to run the script), chown root (required), and chmod 4550 (no world access, no write for anyone).

Darrell

Re: Become root without asking password

David Rodman — Tue, 06 Nov 2001 19:23:41 GMT

One alternative tactic that I have used successfully is to provide a SAM user profile. SAM can give a user the setuid to root and you can restrict what the user can do or see. But this is an HP only solution. I have GUI buttons for things like startup and shutdown of databases and other routine tasks.

Re: Become root without asking password

Craig Rants — Tue, 06 Nov 2001 21:02:52 GMT

I agree with Darrell, .rhosts is the worst way to do this. You have now advertised to the world that you let someone into your systems as root without a password. Plus you only gave points to the worst answer. Nothing against Deepak, but others have given you a secure and feasible answer.

C

Re: Become root without asking password

Deepak Extross — Wed, 07 Nov 2001 02:14:37 GMT

No fair!!

I did give Claudio the chown/chmod solution.
And, as an afterthought, added the information he asked for, all the while pointing out the security hazard.

Re: Become root without asking password

Claudio_4 — Wed, 07 Nov 2001 07:49:46 GMT

Hi all !

I thank's all for your help.

I choose the ".rhosts / host.equiv" solution.
In my implementation, it is not so dangerous I think (I hope !!).

My implementation:
- The script is a menu of some O.S. command that user can perform on the system.
- I launch my script from .profile of user.
- I have disabled "^C" for user
- Inside of script, I use "rsh" to launch the O.S. command that need to be launched as root.
- The script is write protected; only root can modify it.
- The script perform a "logout" when user choose "end-work" from his menu.

Thank's again.
Sorry, I can't assign point to all !!!

Bye
Claudio.

Re: Become root without asking password

Thierry Poels_1 — Wed, 07 Nov 2001 08:12:44 GMT

can't assign point to all ?!?

cannot or will not ??

Re: Become root without asking password

John Ferrara — Wed, 07 Nov 2001 20:52:47 GMT

There is a product I use called Power Broker which allows users to "su" to root or any other privledged id and has the capability to remotely log all cmds entered. The user doesn't need the password. I don't like using it myself b/c the remote server that does the logging is connected via a slooow WAN which yields a long keyboard latency.
http://www.symark.com/powerbroker.htm

John

Re: Become root without asking password

Craig Rants — Wed, 07 Nov 2001 21:30:02 GMT

Ok, Deepak, you did put in the other solution. The only reason I singled out the other answer was because Claudio gave points to that one and I assumed that was the one he was going to use.

Claudio,
Can't assign points! What did you mouse break?

I would contend that people are more likely to answer your questions if you have a good history of assigning points. Up to you however.
C

Re: Become root without asking password

John Bolene — Wed, 07 Nov 2001 21:44:45 GMT

Curious, he has been a member for 2.5 years and this is the first question posted.

He is also 1 for 16 in assigned points.

Make that 17 now.

Re: Become root without asking password

Claudio_4 — Thu, 08 Nov 2001 07:45:44 GMT

Sorry !!!!!!!!!! .

I'm a member from 2 years, but I'm new in the use of this forum ! (this is my first time !)

I was wrong in thinking that points is to be assigned only to the solution I choose for my problem.
Now I know !! I can assign point to all the answer.

Thank's again.