HPE Community
Operating System - HP-UX
1752341 Members
5546 Online
108787 Solutions
New Discussion

Re: root user profile corrupted

 
SOLVED
Go to solution
Ajin_1
Valued Contributor

‎01-03-2013 05:45 AM

‎01-03-2013 05:45 AM

root user profile corrupted

Experts

 

$ grep root /etc/passwd

 

root:XXXXXXXX:0:3::u:/sbin/sh 

 

root:XXXXXXXX:0:3::/:/sbin/sh   

 

Home Directory was /  ,instead of /  It modified as  u .

 

My doubt is any command will overrude this  or somebody edit the passwd file ?

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
6 REPLIES 6
Ken Grabowski
Respected Contributor

‎01-03-2013 06:21 AM

‎01-03-2013 06:21 AM

Re: root user profile corrupted

smh can be used to call the sam user tool, or usermod can be used to modify a user account.  However, both of these should refuse to work on the root account. I would guess that somebody edited the passwd file.  Make sure the file is owned root:sys and is set to 444 permissions.  Check the shell history for root. Make sure only trained authorized administrators have access to the root password. Better yet, force the use of RBAC or sudo to perform administrative tasks.

0 Kudos
Reply
Ajin_1
Valued Contributor

‎01-03-2013 07:14 AM

‎01-03-2013 07:14 AM

Re: root user profile corrupted

Hi ken

Thanks for mail

How can I Check the shell history for root.

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
Ken Grabowski
Respected Contributor

‎01-03-2013 07:42 AM

‎01-03-2013 07:42 AM

Re: root user profile corrupted

Normally it would be in the root home directory /.sh_history, if it was configured.  If it wasn't configured, then you may not have one.

0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎01-03-2013 07:43 AM

‎01-03-2013 07:43 AM

Re: root user profile corrupted

Check in roots home directory, / in this case, for a file like .sh_history or .history.  The file can be viewed via 'cat' or 'more'.  

0 Kudos
Reply
Ajin_1
Valued Contributor

‎01-04-2013 05:00 AM

‎01-04-2013 05:00 AM

Re: root user profile corrupted

HI

 

I checked the history file .I thing it was not configured .

I understood someone edit the password file .But root only do this .I didnt find any oneone do su at that time Period .Is any other way to find this whom do vi like vi logs or the logs captured other than syslog wtmp and su log

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
Ken Grabowski
Respected Contributor

‎01-04-2013 05:21 AM

‎01-04-2013 05:21 AM

Solution

Re: root user profile corrupted

Did you verify that /etc/passwd was owned root:sys and set to 444 mode? If permissions are not restricted, then others might be able to edit.  There should be tight control of the root account. In some shops I've worked, only the security team had the password and even HP-UX Engineers had to use RBAC or sudo to do administrative tasks.  At a minimum only one or two experienced administrators should have it and you should configure the shell history.  The vi editor does not have a history or log function.  I doubt that you can determine the offender at this time. Even with shell history and system auditing enabled, you might have a hard time determining who did it.  If you force administrators to use RBAC and sudo to gain root privilege and add the base UID to the root .sh_history.$UID file, you might be able to see who had vi'ed the passwd file in the future.

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.