topic Re: userid with multiple group in Operating System - HP-UX

userid with multiple group

Cathy Arora — Mon, 27 Oct 2003 10:32:20 GMT

I have to give an access to one of our users to adm privileges and she is already in users group. can i add the same id in another group or have to create new id with different adm group. what is best way to handle this situation and how?
Thanks for help and input.

Re: userid with multiple group

Umapathy S — Mon, 27 Oct 2003 10:35:10 GMT

Cathy,
A user can be part of more than one group. But users will be the primary group in your case.
User newgrp command to change the group id temporarily.

HTH,
Umapathy

Re: userid with multiple group

Steven E. Protter — Mon, 27 Oct 2003 10:36:14 GMT

Fastest way to go:

Sam
Users

Pick the user.

Add secondary groups to the user. Do it carefully with the impact on security in mind.

SEP

Re: userid with multiple group

A. Clay Stephenson — Mon, 27 Oct 2003 10:37:25 GMT

You can simply edit the /etc/group file and add the user to additional group. The user's primary group remains the GID in the passwd entry. If you now link /etc/group and /etc/logingroup, the user will not be required to issue a newgrp command but automatically be checked for group membership.

Plan B. Use sudo to give this user access to certain commands.

Re: userid with multiple group

Cathy Arora — Mon, 27 Oct 2003 10:47:34 GMT

Thanks for your sugessions.

Re: userid with multiple group

Cathy Arora — Mon, 27 Oct 2003 11:18:58 GMT

I used sam to give access to additonal group but when i browse passwd file, I can not see additional group listed there.
Also I was not able to perform as root even I put myself in root group as well.

Re: userid with multiple group

Rainer von Bongartz — Mon, 27 Oct 2003 11:28:29 GMT

You will only see the primary group in /etc/passwd.
Take a look at /etc/groups.

Regards
Rainer

Re: userid with multiple group

Todd McDaniel_1 — Mon, 27 Oct 2003 11:29:06 GMT

If you added the group instead of changing the group, then the passwd file will only show the primary group.

Look in the /etc/group file for the additional group listing...

grep /etc/group
grep /etc/group

Re: userid with multiple group

Umapathy S — Mon, 27 Oct 2003 11:29:54 GMT

Cathy,
/etc/passwd contains the primary group id of the user. Userids are associated with the group than the other way round. Comma seperated User ids will be in the /etc/group file.
Check Clay's answer for completeness.

HTH,
Umapathy

Re: userid with multiple group

Sanjay_6 — Mon, 27 Oct 2003 11:32:50 GMT

Hi Cathy,

If you want your userid to act as root, change your UID in the /etc/passwd file to "0" or if you are using useradd command using the -o -g 0 option with the useradd command.

Hope this helps.

Regds

Re: userid with multiple group

Cathy Arora — Mon, 27 Oct 2003 12:19:33 GMT

Thanks very much all.
I can user being added in group file under root. However I was not able to use useradd or other root privilages even I can see my user being added in root group as a secondary group.

Am i missing something?

Thanks again.

Re: userid with multiple group

A. Clay Stephenson — Mon, 27 Oct 2003 12:24:19 GMT

Being in group root is not the same as having a UID of zero. Group root only grants you access to some restricted files but it does nothing towards becomiing super-user. That is what setuid() is for.

Re: userid with multiple group

Umapathy S — Mon, 27 Oct 2003 12:26:17 GMT

Cathy,
Most of the admin commands need to be run as root. You can create or set your userid to 0 to effect the same. But for security reasons a big no for this.

HTH,
Umapathy

Re: userid with multiple group

Todd McDaniel_1 — Mon, 27 Oct 2003 12:41:37 GMT

Cathy,

Seems like you need to create a root2 user with a different pasword than you have for root, for this type of functionality or give Restricted SAM to the user who needs it.

I agree with above posters, never give a normal user 0 UID... but better have them su to a root2 account so that you can track it with the /var/adm/sulog.

Im guessing this person is fairly relaible and trustworthy that you can count on them to act responsibly. giving them a root2 account would be a good way of doing what you need OR a restricted SAM for their current user.

Re: userid with multiple group

Cathy Arora — Mon, 27 Oct 2003 14:10:19 GMT

Thanks all.
Tod root2 senario sounds good.
as far as security tracking is concerned I have another question.
Is there a way to know the information about workstation also from where user is loged from.
I donot mean uname -a.
I would like real machine information (each organization gives a machine some kind of a tag # or name) and if a user telnet from one machine and issue some dangerous operation I would like to track which machine was logged in as root.
I am not sure if tty information has be translated and how or is there another way to track it.
Thanks again.

Re: userid with multiple group

A. Clay Stephenson — Mon, 27 Oct 2003 14:20:55 GMT

I would NEVER have more than one user with UID 0. That is simply asking for huge security problems. Once that person acquires UID 0, anything can be done. A much smarter way to give limited admin access to a user is through the sudo command.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.7p5/

Re: userid with multiple group

Patrick Wallek — Mon, 27 Oct 2003 14:25:24 GMT

To see who was logged in from where, you can do a 'last -R' and that will show each user and what machine name or IP address they connected from if they connected via telnet or rlogin.

# last -R root

To see where root logged in from.

I also agree with A. Clay...I do not recommend having more than 1 UID 0 user. If you must allow others to run commands only root can run, look at something like sudo.

Re: userid with multiple group

Todd McDaniel_1 — Mon, 27 Oct 2003 14:26:56 GMT

who -a shows all connections.
who -u shows all users logged in.
who -R shows basically the same as who -u does.

You can include in the /etc/profile or CRON job and check for access.

who -u > /var/adm/wholog

or better

who -R |mailx -s "users' Logged in" root

This will be run everytime someone logs into your host. AND cant be messed with b/c it is run as they log in.What Im not sure about is if the /etc/profile is sourced when you su to another user. I know it is sourced when you initially log in.

Also, you might have a CRON to compare /var/adm/sulog to sulog.diff every 15 minutes...

or run a wrapper to check for sulog modification instead of a cron every 15 minutes.

Re: userid with multiple group

Cathy Arora — Mon, 27 Oct 2003 14:52:14 GMT

Thanks very much for help.

Re: userid with multiple group

Cathy Arora — Mon, 27 Oct 2003 15:59:57 GMT

last -R root works, however who -a does not show all users logged as they log in.
I would like this to work for security perpose.

I think there is an issue with sourcing etc/profile. first time login it will do.
I would to get informed via e-mail as somelogs in as root and machine info (last -R root)
any other ideas or readily available scripts.
Once again thanks.