Enhanced security and SU

Eric van Dijken
Trusted Contributor

After enabling Enhanced Security on my HP Tru64 5.1B cluster, su - doesn't work anymore. Nor do suid scripts work.

Why? Is it just me, or was it designed to behave this way?
How do I work around it, or even disable this, without disabling OSFC2 (Enhanced Security)?
Watch, Think and Tinker.
7 REPLIES
Ravi_8
Honored Contributor

Re: Enhanced security and SU

Hi Eric

It is designed to work like this.

You can telnet to 0 to log in as root:

$telnet 0
never give up
Eric van Dijken
Trusted Contributor

Re: Enhanced security and SU

After a bit more research I came to this:

After adding the "user" to the system group (/etc/group) I can su -.

As for the suid part, I just may have to write a wrapper for that.
Watch, Think and Tinker.
Ann Majeske
Honored Contributor

Re: Enhanced security and SU

Hi Eric,

You should never make suid scripts. It creates too much of a security risk.

Ann
Eric van Dijken
Trusted Contributor

Re: Enhanced security and SU

*grins*

Mayhaps, but I can't think of another way to put 30.000 users into different UNIX groups.
I don't think the /etc/group file was designed to handle numbers like these.

OK, I can think of another way: I would like to use LDAP. But I am not in the position to implement a change to the ADS (Active Directory) server, and building my own LDAP server is not permitted.
Watch, Think and Tinker.
Eric van Dijken
Trusted Contributor

Re: Enhanced security and SU

Hmm, I just came up with another way. Using ssh with empty passphrases will work.

But that would change the UID and the GID, and I would like to keep the UID the same and only change the GID.

(Yes, the correct question should have said SGID instead of SUID.)
Watch, Think and Tinker.

Re: Enhanced security and SU

Use the dop command; this allows a user to execute a privileged program without knowing the root password.

Make a new dop action:
# dop -a SuperUsers /bin/ksh

Add the oracle username to the file /etc/doprc in the section:

SuperUsers {
{ users { root oracle ...

Now the oracle user can run ksh with root privilege by using the command:

username1@host > /usr/sbin/dop ksh

Eric van Dijken
Trusted Contributor

Re: Enhanced security and SU

That sounds like the same functionality as "sudo" would give.

Would have gotten you 10 points *grins*, if I hadn't made a typo. SUID should have been SGID.
After a few hours of UID/GID/SUID/SGID/RUID/RGID/EUID/EGID searching and trying, it was bound to happen somewhere.

For example:

* user logs in
  user.users <= UID/GID
* menu checks in the application authorisation file whether the user is permitted access.
* selects menu option for application
  user.applgroup
* run application

applid.applgroup is the application owner.
They can update the authorisation file without "root" loan rights. This way the applid user never gets root access (ever).
Watch, Think and Tinker.
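For the menu flow above (keep the caller's UID, switch only the GID, gate the application on an authorisation file), here is an added example of a compiled setgid wrapper in C; it is not code from this thread, and the paths APP_PATH and AUTH_FILE are hypothetical. A compiled wrapper avoids the interpreter and environment pitfalls that make setgid scripts the risk Ann mentions, and it identifies the caller by real UID rather than by anything the caller can set.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
/* Hypothetical paths; the thread names neither. */
#define APP_PATH  "/opt/appl/bin/application"
#define AUTH_FILE "/opt/appl/etc/authorised"   /* one login name per line */
/* Return 1 if user equals a complete line of authtext, else 0.
 * Whole-line match: "bob" must not match "bobby" or "bo". */
int user_authorised(const char *authtext, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = authtext;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == ulen && memcmp(p, user, ulen) == 0) return 1;
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}
/* Read the authorisation file (owned and writable only by applid). */
static char *read_file(const char *path)
{
    static char buf[65536];
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return buf;
}
int main(void)
{
    /* Identify the caller by real UID, never by $USER, which the caller controls. */
    struct passwd *pw = getpwuid(getuid());
    char *auth = pw ? read_file(AUTH_FILE) : NULL;
    if (!auth || !user_authorised(auth, pw->pw_name)) { fputs("not authorised\n", stderr); return 1; }
    /* UID stays the user's; make the setgid-supplied GID the real GID as well. */
    if (setregid(getegid(), getegid()) != 0) { perror("setregid"); return 1; }
    /* Fresh minimal environment: no LD_*, IFS or PATH inherited from the caller. */
    char *env[] = { "PATH=/usr/bin:/bin", NULL };
    execle(APP_PATH, APP_PATH, (char *)NULL, env);
    perror("exec"); return 1;
}
```

Install it owned by applid:applgroup with mode 2755 (setgid bit only, no setuid). Dropping the caller's supplementary groups with setgroups() requires privilege, so those remain in effect; the application should rely on applgroup only.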