root user profile corrupted

SOLVED
Ajin_1
Valued Contributor

root user profile corrupted

Experts,

$ grep root /etc/passwd

root:XXXXXXXX:0:3::u:/sbin/sh

root:XXXXXXXX:0:3::/:/sbin/sh

The home directory was /, but instead of / it was modified to u.

My doubt is: will any command override this, or did somebody edit the passwd file?

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
6 REPLIES
Ken Grabowski
Respected Contributor

Re: root user profile corrupted

smh can be used to call the sam user tool, or usermod can be used to modify a user account.  However, both of these should refuse to work on the root account. I would guess that somebody edited the passwd file.  Make sure the file is owned root:sys and is set to 444 permissions.  Check the shell history for root. Make sure only trained authorized administrators have access to the root password. Better yet, force the use of RBAC or sudo to perform administrative tasks.

Ajin_1
Valued Contributor

Re: root user profile corrupted

Hi Ken,

Thanks for the mail.

How can I check the shell history for root?

Thanks & Regards
Ajin.S
Ken Grabowski
Respected Contributor

Re: root user profile corrupted

Normally it would be in the root home directory /.sh_history, if it was configured.  If it wasn't configured, then you may not have one.

Patrick Wallek
Honored Contributor

Re: root user profile corrupted

Check in root's home directory, / in this case, for a file like .sh_history or .history.  The file can be viewed via 'cat' or 'more'.

Ajin_1
Valued Contributor

Re: root user profile corrupted

Hi,

I checked the history file. I think it was not configured.

I understood that someone edited the password file. But only root can do this. I didn't find anyone doing su during that time period. Is there any other way to find who ran vi, like vi logs or logs captured other than syslog, wtmp and the su log?

Thanks & Regards
Ajin.S
Ken Grabowski
Respected Contributor
Solution

Re: root user profile corrupted

Did you verify that /etc/passwd was owned root:sys and set to 444 mode? If permissions are not restricted, then others might be able to edit.  There should be tight control of the root account. In some shops I've worked, only the security team had the password and even HP-UX Engineers had to use RBAC or sudo to do administrative tasks.  At a minimum only one or two experienced administrators should have it and you should configure the shell history.  The vi editor does not have a history or log function.  I doubt that you can determine the offender at this time. Even with shell history and system auditing enabled, you might have a hard time determining who did it.  If you force administrators to use RBAC and sudo to gain root privilege and add the base UID to the root .sh_history.$UID file, you might be able to see who had vi'ed the passwd file in the future.
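
The checks recommended in this thread (ownership root:sys, mode 444, and a sane root entry) can be scripted so that a recurrence is caught early. The following is an added example, not part of the original thread; the function names are hypothetical, and it assumes root is UID 0 and group sys is GID 3.

```sh
#!/bin/sh
# Added example: audit a passwd file for the damage discussed in this thread.

# Report every UID-0 entry whose home or shell field is not an absolute path
# (the thread's root line had home "u" instead of "/"). Reads FILE, or stdin
# when no FILE is given. Exit status is 1 if anything was reported.
check_root_entries() {
    awk -F: '
        $3 == 0 {
            if ($6 !~ /^\//) { printf "%s: home \"%s\" is not an absolute path\n", $1, $6; bad = 1 }
            if ($7 !~ /^\//) { printf "%s: shell \"%s\" is not an absolute path\n", $1, $7; bad = 1 }
        }
        END { exit bad + 0 }
    ' ${1:+"$1"}
}

# Compare FILE's mode and numeric owner:group with the expected values.
# Usage: check_passwd_perms FILE [UID:GID]. Exit status is 1 on any mismatch.
check_passwd_perms() {
    want=${2:-0:3}   # assumption: root is UID 0 and group sys is GID 3
    [ -f "$1" ] || { echo "$1: not a regular file"; return 1; }
    ls -ln "$1" | awk -v want="$want" '{
        mode = substr($1, 1, 10); own = $3 ":" $4
        if (mode != "-r--r--r--") { print "mode " mode ", expected -r--r--r-- (444)"; bad = 1 }
        if (own != want) { print "owner " own ", expected " want; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample input: the damaged root line from the thread and a sane one.
printf '%s\n' 'root:XXXXXXXX:0:3::u:/sbin/sh' 'adm:*:4:4::/var/adm:/sbin/sh' |
    check_root_entries || echo "=> root entry needs repair"
```

On the host itself, run `check_root_entries /etc/passwd` and `check_passwd_perms /etc/passwd`. Pass a different UID:GID as the second argument if group sys has another GID there.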