topic Re: User Access Restriction in Operating System - HP-UX

User Access Restriction

David Goza — Fri, 01 Sep 2000 14:48:37 GMT

Using HP-UX 10.20, what is the best way to allow help desk workers to have access to only change passwords. I do not want them to have any other access (Unix prompt, SAM, etc....). My boss wants them to only be able to reset/change passwords. We use Exceed, Go-Global and wIntegrate.

Re: User Access Restriction

Rick Garland — Fri, 01 Sep 2000 14:54:05 GMT

sudo is a good package for this. Will keep logs of who did what and when.

Can be obtained from the porting archieve or from http://www.courtesan.com

Re: User Access Restriction

Tom Danzig — Fri, 01 Sep 2000 14:56:38 GMT

You should be able to set up restricted SAM access for these users so they can do a specific task only and nothing else. See the man pages on sam or the online help.

Re: User Access Restriction

Victor BERRIDGE — Fri, 01 Sep 2000 14:57:49 GMT

You could let them use RESTRICTED SAM
which you have configured only to let them change user passwd

Re: User Access Restriction

James R. Ferguson — Fri, 01 Sep 2000 14:59:28 GMT

Hi:

Look at "restricted" SAM.

...JRF...

Re: User Access Restriction

Victor BERRIDGE — Fri, 01 Sep 2000 14:59:34 GMT

the only other safe alternative would be as Rick mentionned: use sudo

Re: User Access Restriction

Rita C Workman — Fri, 01 Sep 2000 16:25:33 GMT

Restricted SAM is a good option.
As root you can set this up for the person(s) you want to have certain functions.
Just enter 'sam -r'
It's fairly straightforward....you should be able to set them up for only the functions you want them to have access too.

Regards,

Re: User Access Restriction

Antoanetta Naghiu — Sat, 02 Sep 2000 05:23:20 GMT

Restrictiv SAM (sam -r) for changing password give FULLY rights to the system! Give the right to change the root password as well!
If I was you, I better create a script under root ownership that replace the password field from /etc/password with a standard one (ex. encryption of password). Create a user that has the default shell this script and give permission to Help desk to execute it for normal user (not root, no bin, lp, and so one)...

Re: User Access Restriction

Richard Mertz — Sat, 02 Sep 2000 10:46:07 GMT

restricted SAM also can be configured to disallow changing certain users (root, lp, bin...). So the issue of giving restricted SAM should not be an issue for these. I have given restricted SAM to our Help Desk technicians and it works very well.

Re: User Access Restriction

Vincente Fernandes — Sun, 03 Sep 2000 07:04:27 GMT

User Restricted "sam -r". Also disallow password change for users like(root, daemon, bin, adm, lp ...) by your help desk users.
Create a script with suid bit and put the script path in the helpdesk users shell instead of normal shells like(/usr/sbin/sh, /usr/bin/ksh ....etc), thereby they can run the script/menu and wont have access to prompt nor to shell.

Re: User Access Restriction

Philip Chan_1 — Mon, 04 Sep 2000 08:51:11 GMT

In the /etc/passwd file, instead of giving a shell program for your help desk staffs to work with just change that to the /sbin/passwd, so everytime they logged in then only the passwd command will be triggered.

Re: User Access Restriction

Manju Kampli — Tue, 05 Sep 2000 05:29:00 GMT

you can write a simple shell program in which it shows a menu with two options passowrd and quit. and make this shell program as a default shell. So when a user logs in he gets this menu. If he wants he can change the password OR else he can quit the script which will logoff the user.
may be when the requirement changes, you can alter this shell program to add more options.