topic Re: user with root access, but is not allowed to login in Operating System - HP-UX

user with root access, but is not allowed to login

Victor_5 — Thu, 30 Aug 2001 17:25:21 GMT

I am trying to create a new user with root access, but is not allowed to login, that means, I only can su to this user, is that possible? Why?

Re: user with root access, but is not allowed to login

Patrick Wallek — Thu, 30 Aug 2001 17:50:18 GMT

If you set up a user with an invalid password in the password filed in /etc/passwd, then you will only be able to do 'su - username' to get to that user. An invalid password would be a * in the password field in /etc/password.

Re: user with root access, but is not allowed to login

Sridhar Bhaskarla — Thu, 30 Aug 2001 17:51:03 GMT

I think /etc/securetty is effective for any user with id 0.

So, try out keeping "/dev/console" in /etc/securetty.

-Sri

Re: user with root access, but is not allowed to login

Victor_5 — Thu, 30 Aug 2001 18:21:14 GMT

Hi Patrick:

I did the test, changed the second field of that user in /etc/passwd to '*', but when I issued the 'su - username', it still need password, so I was unable to switch to that user.

From my understanding, the system still need to read /etc/passwd even you issue su, after input invalid password, of course I can not login, but I cannot su either. More detail information?

Hi Sridhar:
On my system, I could not find the file:
/etc/securetty?

Re: user with root access, but is not allowed to login

Madhu Sudhan_1 — Thu, 30 Aug 2001 18:30:16 GMT

Shawn :

With '*' in the pasword field, a use will never be able to login. Iam assuming that this particular user is created manually. So easiest way to get out this problem is to remove '*' in the /etc/passwd filed and leave it blank ( You should be able to see :: in the password field ) then issue passwd command to have some known password and then change user-id field /etc/passwd to 0.

...Madhu

Re: user with root access, but is not allowed to login

Victor_5 — Thu, 30 Aug 2001 18:52:10 GMT

Hi Madhu:

Good try! However, I need another different user not root, if change uid to 0 in /etc/passwd, when I create some file, the owner is root not another one which I need. Any other idea?

Re: user with root access, but is not allowed to login

Sridhar Bhaskarla — Thu, 30 Aug 2001 19:06:50 GMT

Shawn,

Simple

echo "/dev/console" >> /etc/securetty

And change the permissions to 600

-Sri

Re: user with root access, but is not allowed to login

Sridhar Bhaskarla — Thu, 30 Aug 2001 19:10:38 GMT

Sorry, one more idea.

As Patrick said, create a user with id 0 say superuser but keep the password as *. Now, this user cannot login because of the invalid password.

Keep .rhosts entry in superuser's home directory like this

your_system_name your_user

Now, your_user can successfully rlogin to the system and get in as the super_user.

This is a security violation. But having another user with uid 0 is more dangerous so I think this can be considered.

But /etc/securetty is the best way. This file will not be there by default. You need to create one.

-Sri

Re: user with root access, but is not allowed to login

Patrick Wallek — Thu, 30 Aug 2001 19:11:16 GMT

I think I see what you are trying to do, but I am not sure it is possible. For a user other than root, to have all the same privileges as root, it must have uid 0. You can't create a user and assign privileges to it so that it is "equivalent" to root.

If a user needs to be able to execute something as root you can try 'sudo'. Sudo can be downloaded from the porting center.
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.2b1/

When I mentioned su'ing to a user with an invalid password, only root can do that. Sorry!

Re: user with root access, but is not allowed to login

Sridhar Bhaskarla — Thu, 30 Aug 2001 19:16:20 GMT

Sorry for one more mail. I am very young to this forum.

I think I didn't explain the process well in my previous mail. Let's take the following as examples.

SYSTEM=your_system
ROOTACCOUNT=super_user
ORDINARYUSER=your_user

Edit .rhosts under the home directory of super_user and place the entry

your_system your_user

Now your_user will login to your_system using the normal way as an ordinary user.

Once gets onto the system, he does an rlogin to the SAME system

your_user@your_system$ rlogin your_system -l super_user

super_user@your_system#

-Sri

Re: user with root access, but is not allowed to login

linuxfan — Thu, 30 Aug 2001 19:43:06 GMT

Hi Shawn,

How about trying something like this,
say you add a new user rroot with a uid of 0.

modify your /etc/profile by adding these

/Begin/

shellchk=$(ps -p $PPID | sed -n 2p | cut -c23 - | sed s/^-//)

if [[ $LOGNAME = "rroot" ]]
then
if [[ $shellchk = "telnetd" || $shellchk = "rlogind" ]]
then
echo "Sorry direct logging in as rroot is not allowed"
exit 1
fi
fi

/End/

what this would do is prevent rroot from directly logging in either by telnet or rlogind, if you use ssh, then you can probably add ssh as well.

I am sure there are lots of fine tuning you can do to this, but this seems to be working.

-Regards
Ramesh