https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500057#M883166 Thankyou for your replies.I'm Sorry I didn't mention the question clearly. What I mean exactly is Not By regular Shutdown or in multiuser level, If a user hit the Power Button and after that when<BR />he hits the esc key and type relevant key he can change the passwd<BR />in his workstation.<BR /><BR />I would like to avoid it. Is there a way?<BR /> Thu, 01 Mar 2001 20:22:05 GMT CCP_LAB Admin 2001-03-01T20:22:05Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500053#M883162 In HP systems To My Knowledge it's easy to change the root password if you know how to go to single user mode.We are handling<BR />multiple Tier3,2,1 Machines/Workstation. So If any user know how to<BR />go to Single user mode can change the root password,I feel this as less system security. Is there any way to avoid this?<BR /><BR />I Know in Sun No User can change the Password Until he Mount the <BR />root File System,Please Suggest any Solutions.<BR /><BR />Thanks in Advance. Thu, 01 Mar 2001 19:35:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500053#M883162 CCP_LAB Admin 2001-03-01T19:35:45Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500054#M883163 The root passwd can be changed while in multi-user mode as well. Thu, 01 Mar 2001 19:39:13 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500054#M883163 Rick Garland 2001-03-01T19:39:13Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500055#M883164 It is only insecure if you have a lot of people that know the root password and/or have permission to execute the shutdown command. The file /etc/shutdown.allow allows you to control who can and can't execute the shutdown command. If you set up the shutdown.allow so that only root can shutdown the machine and don't give out the root password, then I think you are OK.<BR /><BR /> Thu, 01 Mar 2001 19:56:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500055#M883164 Patrick Wallek 2001-03-01T19:56:31Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500056#M883165 Dropping a machine into single user mode is not something a regular user should be able to. Who has the ability to reboot/shutdown the machine? Thu, 01 Mar 2001 19:57:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500056#M883165 Brian Taylor 2001-03-01T19:57:56Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500057#M883166 Thankyou for your replies.I'm Sorry I didn't mention the question clearly. What I mean exactly is Not By regular Shutdown or in multiuser level, If a user hit the Power Button and after that when<BR />he hits the esc key and type relevant key he can change the passwd<BR />in his workstation.<BR /><BR />I would like to avoid it. Is there a way?<BR /> Thu, 01 Mar 2001 20:22:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500057#M883166 CCP_LAB Admin 2001-03-01T20:22:05Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500058#M883167 Change your system security policies to require a password into single user mode?<BR /><BR />***warning*** This makes it a bit tricky if password is forgotton!!! Thu, 01 Mar 2001 21:12:57 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500058#M883167 Joseph C. Denman 2001-03-01T21:12:57Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500059#M883168 Hi,<BR /><BR />You can convert your system to a trusted system. Then it will prompt you for a password before booting to run level s. Be advised that a trusted system comes with some overhead. Investigate whether or not it is right for your system before converting.<BR /><BR />On another note, if you have rather lax physical security on your server, then yes, anyone can push the power switch and reboot your machine. However, even a trusted system is not secure since the machine can be booted off of a cdrom with a recovery shell. From the recovery shell, one can mount the root filesystem and change/clear the root password.<BR /><BR />--Bruce Fri, 02 Mar 2001 02:55:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500059#M883168 Bruce Regittko_1 2001-03-02T02:55:02Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500060#M883169 Thanks for the suggestion.<BR />We are running NIS in 10.20 so we can't Change our System to<BR />Trusted System. Please Advice Me Wether I can Set the Password<BR />to go to Single user Mode.<BR /><BR />Thanks in Advance. Fri, 02 Mar 2001 14:57:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500060#M883169 CCP_LAB Admin 2001-03-02T14:57:29Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500061#M883170 Since you are running NIS and can't convert to a trusted system, you are, unfortunately, out of luck.<BR /><BR />Here is an excerpt from this document on the ITRC:<BR /><A href="http://us-support2.external.hp.com/cki/bin/doc.pl/sid=dd1dcf7d065a6cb090/screen=ckiDisplayDocument?docId=200000048456189" target="_blank">http://us-support2.external.hp.com/cki/bin/doc.pl/sid=dd1dcf7d065a6cb090/screen=ckiDisplayDocument?docId=200000048456189</A><BR /><BR /><BR />PROBLEM<BR />How can HP-UX be configured so that it requires a root password when booting into single-user mode?<BR /><BR />RESOLUTION<BR /><BR />The only way to require a login when booting into single-user mode is to set the boot_authentication flag on a trusted system. If the system is not trusted, this option is not available. Fri, 02 Mar 2001 15:28:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500061#M883170 Patrick Wallek 2001-03-02T15:28:18Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500062#M883171 You can add a password request into /etc/profile. Check that /etc/profile is running in single user mode (hint: /sbin/who -r or getrunlvl -r). Due to a bug in who -r, it sometimes reports run level 3 in single user mode. In that case, just test that /usr is not mounted which means single user mode. You might try coding the tests into an executable so knowledgeable users won't be able to read the steps in /etc/profile. Sat, 03 Mar 2001 03:30:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500062#M883171 Bill Hassell 2001-03-03T03:30:18Z https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500063#M883172 Thankyou Very Much for all of you.<BR />I got the Answer from Patrick and as well as from Bill. Tue, 06 Mar 2001 17:20:57 GMT https://community.hpe.com/t5/operating-system-hp-ux/changing-root-password/m-p/2500063#M883172 CCP_LAB Admin 2001-03-06T17:20:57Z