Online Expert Day - HPE Data Storage - Live Now
April 24/25 - Online Expert Day - HPE Data Storage - Live Now
Read more
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Change owner to few user ids

unixadmin_1
Frequent Advisor

Change owner to few user ids

Hi Guys, Please reply with a proper solution with task mentioned below from one of the client....A number of user IDs (7%) had still not been assigned to specific owners. These IDs might therefore be shared by a number of staff members, with the result that it would not be possible to assign accountability for actions taken by way of such user IDs. Furthermore, if a user ID is not assigned to a specific owner no one could be held responsible for ensuring that the password is changed or that the confidentiality of the private login password is maintained.

Thank you


28 REPLIES
Pete Randall
Outstanding Contributor

Re: Change owner to few user ids

So what is the task?


Pete

Pete
unixadmin_1
Frequent Advisor

Re: Change owner to few user ids

Task:

do we need to take information like user ids and owners from the client in order to change owner for specific users

Thank you
Ganesan R
Honored Contributor

Re: Change owner to few user ids

Hi Unixadmin,

It looks like you got some feedback from security auditing team to fix some of the issues. I might be wrong.

Anyway, we are not able to understand the task which you need to complete. If you could clarify little more details of what you need, we try to help you out...
Best wishes,

Ganesh.
unixadmin_1
Frequent Advisor

Re: Change owner to few user ids

The above mentioned sentence is a issue from the cleint and i need to assign few user id's to the owners which should be specified..chown is a command and can you elaborately explain the command if i got user ids and owners specified.

Thank you
Jaime Bolanos Rojas.
Honored Contributor

Re: Change owner to few user ids

I did not understand either, in HP-UX when we create a user, a user ID will be bound to it, we usually don´t create user´s IDs without creating a user first.

Then the chown command is used to change who is the owner of a file, then again, here the system already got defined a user and its user ID. Of course we can have several user share the same user ID, in which case all of them will have the same rights, because unix only sees the user ID and not the name of the user that we specified.

Regards,

Jaime.
Work hard when the need comes out.
unixadmin_1
Frequent Advisor

Re: Change owner to few user ids

ur not understanding one thing here..if we got information of userid's and owners specified can we write the script to change or assign owners to specific userids...Thank you
Ganesan R
Honored Contributor

Re: Change owner to few user ids

Ok. This is the chown command syntax.

#chown file/dir

#chown username:group file/dir

#chown -R username:group dir
Best wishes,

Ganesh.
Patrick Wallek
Honored Contributor

Re: Change owner to few user ids

>>assign owners to specific userids

I'm still not clear on what you want to do.

The 'chown' command changes the ownership of a FILE or DIRECTORY. I don't think this is what you want to do.

What do you mean by "change the owner of an id"? Are you looking to have a specific person listed as the ID's owner in the GECOS information for the id in /etc/password?

For example:

user1:x:1000:100:MICKEY MOUSE:/home/user1:/bin/bash
user2:x:1004:100:MINNIE MOUSE:/home/user2:/bin/bash
www:x:1009:100:GENERIC USER:/home/www:/bin/bash

Given the users above, MICKEY MOUSE is the owner of user1 and MINNIE MOUSE owns user2. No one owns the www user. Is this where you want to "assign owners to specific userids"?

For the www user would you want something like:

www:x:1009:100:DONALD DUCK:/home/www:/bin/bash
change owners
Occasional Visitor

Re: Change owner to few user ids

what is understood by below mentioned statement?

A number of user IDs (7%) had still not been assigned to specific owners. These IDs might therefore be shared by a number of staff members, with the result that it would not be possible to assign accountability for actions taken by way of such user IDs. Furthermore, if a user ID is not assigned to a specific owner no one could be held responsible for ensuring that the password is changed or that the confidentiality of the private login password is maintained.

Thank you
Patrick Wallek
Honored Contributor

Re: Change owner to few user ids

>>>>>>>>>>
what is understood by below mentioned statement?

A number of user IDs (7%) had still not been assigned to specific owners. These IDs might therefore be shared by a number of staff members, with the result that it would not be possible to assign accountability for actions taken by way of such user IDs. Furthermore, if a user ID is not assigned to a specific owner no one could be held responsible for ensuring that the password is changed or that the confidentiality of the private login password is maintained.
<<<<<<<<<<<<<<


Here is what I gather from the above:

1) You are doing a user audit.
2) You somehow assign users as "owners" of IDs. How this is done is NOT clear.
3) 7% of your ID's do not have "owners" assigned.
4) There is concern that an id that does not have an "owner" will be difficult to trace if mis-used.

If I am wrong about the above, please correct me.

I also gather from previous statements that you want to know how to "assign an owner" to an ID, right?

This is typically done by modifying the comment field for the ID in the /etc/passwd file.

Assigning an "owner" to an ID has absolutely NOTHING to do with the chown command.

Say you have an id with the following in /etc/passwd:

www:*:30:1::/home/www:

There is no comment in the comment field for this id, which I guess indicates that there is no owner for this id.

To add a comment you can use the usermod command.

# usermod -c "MICKEY MOUSE" www

This command will add "MICKEY MOUSE" to the comment field for the www id, yielding the following in /etc/passwd:

www:*:30:1:MICKEY MOUSE:/home/www:

Is this what you require?
unixadmin_1
Frequent Advisor

Re: Change owner to few user ids

Urgent Request:-
Please can you load an emergency change to ensure that the system is in compliance by:-

1) Extract a recent report of user ids that do not have a specific owners assigned.
2) Assign owners to these userids
3) Extract a recent report of user ids that have UID of 0
4) Ensure that only Root has a UID of 0.

Please create before and after snapshots for evidence....


Due Date:-
Friday - 23 January 2009.

Evidence:-
Please submit evidence that this is complete and systems are in compliance.

Please let me know if you have queries or concerns with regards to this.
Torsten.
Acclaimed Contributor

Re: Change owner to few user ids

In my understanding you have "owners" of "userids", e.g.

You (unixadmin) are the owner of the userid "unixadmin", right?

On the other hand you have userids (let's say "someone01"), without a real user (human) who owns and is responsible for this userid, so that several people are using this certain userid.

Is this correct?

So you need to give each of your users his own login and delete all the "shared" users.

Only you can know what userids are "shared" that way, the system cannot know it.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Dennis Handly
Acclaimed Contributor

Re: Change owner to few user ids

>1) Extract a recent report of user ids that do
>3) Extract a recent report of user ids that have UID of 0
>4) Ensure that only Root has a UID of 0.

This awk script can do these:
awk -F: '
{
# print $1, $3, $5
if ($1 == "+") next
if ($5 == "") {
print "No user name for", $1
}
if ($3 == 0) {
print "superuser", $1, $5
if ($1 != "root") {
print "superuser but not root:", $1, $5, "<******"
}
}
}' /etc/passwd
unixadmin_1
Frequent Advisor

Re: Change owner to few user ids

as i am new to this environment please send me the correct script without any mistakes so that i will execute this one in root with no errors
Steven Schweda
Honored Contributor

Re: Change owner to few user ids

> Due Date:-
> Friday - 23 January 2009.

> as i am new to this environment please send
> me the correct script without any mistakes
> so that i will execute this one in root
> with no errors

It sounds as if you have less than a week to
find someone who can and will do your job for
you. Good luck with that.
TTr
Honored Contributor

Re: Change owner to few user ids

I have seen many of these audit reports. Torsten got it right. The problem is generic accounts on the server that are created to perform a function and not accounts that are attached to a specific person. Something like "dataload", "extract" or "dataxfer" that either are accessed/managed by several people or nobody is watching them and nobody knows what they do.

> I am new to this environment...

It looks like you are new to HP-UX and UNIX more than to your client's environment. I would take Steven's suggestion seriously!

You do NOT jump in a change everything according to the audit finds. You have to evaluate each finding on the IT side and take it up with the business that is using the server environment. If you change something according to the audit findings, the bussines will sufer and lose service and functionality. The business needs to understand the risk in each case and in many cases are willing to live with it. In many other cases the finding is only superficial and when you look deeper in it there is no need to do anything.
Dennis Handly
Acclaimed Contributor

Re: Change owner to few user ids

>send me the correct script without any mistakes so that i will execute this one in root with no errors

My script just prints things. You'll have to decide how to change things.
unixadmin_1
Frequent Advisor

Re: Change owner to few user ids

Hi dennis,

I need to confirm wheather the code mentioned is c program or shell program..As i am new to unix environment please let me know and also let me know how to compile and run shell script

Thank you very much
Dennis Handly
Acclaimed Contributor

Re: Change owner to few user ids

>I need to confirm whether the code mentioned is C program or shell program.

It should be obvious it isn't C. It is a sh/ksh script that invokes awk.

>let me know how to compile and run shell script

You can just cut & paste those lines into your shell. Or you can add "#!/usr/bin/ksh" to the top and create a script. Then make it executable: chmod a+x script-file
unixadmin_1
Frequent Advisor

Re: Change owner to few user ids

I got root access so can i run there creating a example file and how do we run this script and with what extension do we save the code mentioned
Bill Hassell
Honored Contributor

Re: Change owner to few user ids

> 1) Extract a recent report of user ids that do not have a specific owners assigned.

While there is no perfect answer, the easiest answer is that any userID that does not have a user name that is a known employee would fall into this class. So here are 'standard' owner-less logins:

lp
daemon
bin
sys
uucp
www

and so on. Now you have to defend the existence of these owner-less userIDs. That's easy: every Unix system requires administration IDs such as lp. If the userID is removed then a subsystem may break. If the auditor wants an owner for these administrative IDs, then tell them they are managed by the system administrators.

Now removing former employee logins or temporary logins requires a company policy. It is certainly possible that removing a userID and all the files they owned could have serious results -- most high security companies require that no account or user files be removed. Instead, all automated tools and scripts must be examined for validity or disabled.

> 2) Assign owners to these userids

Assign the root sysadmins to the accounts. But this is nothing but paperwork. The auditors are focusing on logins, not functionality.

> 3) Extract a recent report of user ids that have UID of 0

> 4) Ensure that only Root has a UID of 0.

Actually, both requirements can be met with one command:

logins -d

This should be a cron job for any secure system. What logins -d produces is a list of any UID that appears more than once, or nothing when there are no duplicate user IDs. This is regardless of whether they are UID 0 or some other UID. You don't want any duplicate UIDs. Many admins will create backdoors with a special login with UID 0. But this is exactly what a hacker would want and the point behind the auditor requirement. This poor technique is eliminated with tools such as sudo.


Bill Hassell, sysadmin
TTr
Honored Contributor

Re: Change owner to few user ids

> I need to confirm whether the code mentioned is C program or shell program
> I got root access...

@Dennis, Bill et al. I seriously think that even attempting to help in this situation is the wrong thing to do. There is a disaster about to occur. The best thing to do here for the original poster is to walk away from this job. I do realize that there are other factors that play here, job availability, desparation, outsourcing. And that there are many, many other postings with similar scenarios.
OldSchool
Honored Contributor

Re: Change owner to few user ids

"I got root access so can i run there creating a example file and how do we run this script and with what extension do we save the code mentioned..."

Unlike windows, the file types / extensions are, by and large, meaningless in unix. compilers use them to determine flavors of fortran (77/90), c (or c++). they can be useful for humans however, for example .awk might be an awk script, .pl for perl etc.

to be honest, it sounds like you are way in over your head here..
unixadmin_1
Frequent Advisor

Re: Change owner to few user ids

awk -F: '
{
# print $1, $3, $5
if ($1 == "+") next
if ($5 == "") {
print "No user name for", $1
}
if ($3 == 0) {
print "superuser", $1, $5
if ($1 != "root") {
print "superuser but not root:", $1, $5, "<******"
}
}
}' /etc/passwd

These are still turning around in my mind:
1)with what file name should i save the above code
2)under which directory folders should i save this.
3)how to run the above code please mention and reply me urgently