Operating System - HP-UX

Re: Administrators users other than root

ALH
Occasional Advisor

Administrators users other than root

I want to set up extra administrator users for my HP-UX systems so that I can allow root to log in only from the console. What is the best way to do this, and what is the best configuration (rights, groups etc.) for my administrator users?
These users must be able to do 90% or more of root's work, is my guess.
So, who can help me with this?
RikTytgat
Honored Contributor

Re: Administrators users other than root

Hi,

You could add some extra users with uid 0. This won't solve your problem, because they are treated as root users anyway. Besides, this is very bad practice (security).

The users requiring root access could of course use the su(1) command to become root.

An alternative would be to use sudo to give permission to non-root users to execute a limited set of commands as user root.

Hope this helps,
Rik.
Tim Malnati
Honored Contributor

Re: Administrators users other than root

Another possibility is with the use of restricted SAM (sam -r). The only difficulty with this approach is that command line root activity is not allowed (there is no way of restricting command line actions for root). SAM has the capability of adding controlled processes to it. But then, will SAM functions be enough for these sub-administrators, or is it worth the time to write controlled processes for the needed functions that SAM does not include?
Ted Flanders_1
Advisor

Re: Administrators users other than root

I tried to change my UID to 0; it worked great, except I got all of root's mail and couldn't receive my own mail any more. I don't know the answer to this question.......yet. There are 2 of us logging in as root; I would like to stop that and have the two of us have most of root's privileges.
Rick Garland
Honored Contributor

Re: Administrators users other than root

Through the use of sudo you can not only provide the access to the commands but you will have good logging of who did what and when. Every command run through sudo is logged and that log file can be parsed out to provide counts.

sudo can be obtained from the porting center or from www.courtesan.com
Stefan Farrelly
Honored Contributor

Re: Administrators users other than root

Using other root accounts with the same uid:gid is exactly how HP sets up their own internal systems. So you have rootxx accounts. To ensure each receives their own mail, add an entry to /etc/mail/aliases (eg. insert rootxx: ); that way each rootxx user has their own mail. If you want them to have their own homedirs, then simply give them their own homedirs in the passwd file.

I'm from Palmerston North, New Zealand, but somehow ended up in London...
Victor BERRIDGE
Honored Contributor

Re: Administrators users other than root

To continue after Stefan's reply: give each root account its own home directory (/etc/passwd), and customize the .profile with a .sh_history for each, in order to log somewhere each connection when they su.
Create a logfile...
Don't forget afterwards to deactivate root login:
put the word console in a file called /etc/securetty.
Kondaiah Vasuwandla
New Member

Re: Administrators users other than root

Hi,

The best way to do is use sudo.

Kondaiah
Wodisch
Honored Contributor

Re: Administrators users other than root

Hi,
take care to set the environment variable "MAILPATH" to your new rootxx admin's
mailbox AND to the original root's mailbox! That way the shell will notify you of
newly arrived mail for "root" and "rootxx".
And set the "HISTFILE" differently for all super-users.
HTH,
Wodisch
Account Not Used
Frequent Advisor

Re: Administrators users other than root

First of all, you should never make other IDs other than root that have UID 0. It's OK to have other Sys. Admins have the root passwd as long as you have an audit trail. Anyone who has the root password should be forced to use the "su" command to get root authority. This way there is an audit trail. This can be achieved by setting up the securetty file in /etc. This will allow one to log in directly as root only from the console and nowhere else. Of course sudo is an alternative to this problem.
"Who moved my cheese?"
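The two checks that this post and Victor's reply describe, written up as an added audit script (not from the thread, and not HP's or any poster's code): it lists UID-0 accounts other than root in a passwd file and verifies that a securetty file names only console. The sample passwd and securetty contents are constructed for the demonstration; on a real host, pass /etc/passwd and /etc/securetty to the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd file for UID-0 accounts
# other than root and check that securetty limits root logins to the console.
# The paths and file contents below are constructed for the demo; on a real
# host call the functions with /etc/passwd and /etc/securetty.

WORK=$(mktemp -d)
SAMPLE_PASSWD="$WORK/passwd"
SAMPLE_SECURETTY="$WORK/securetty"

# Constructed sample: root plus two extra UID-0 "rootxx" accounts.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
rootab:*:0:3::/home/rootab:/sbin/sh
alice:*:101:20::/home/alice:/usr/bin/sh
rootcd:*:0:3::/home/rootcd:/sbin/sh
EOF
printf 'console\n' > "$SAMPLE_SECURETTY"

# List every login name whose UID field (field 3) is 0, except root itself.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Number of such accounts; 0 is the state the thread recommends.
extra_uid0_count() {
    extra_uid0_accounts "$1" | wc -l | tr -d ' '
}

# Succeed only if the securetty file exists and names console and nothing else
# (a missing file or any extra tty name means root can log in elsewhere).
root_console_only() {
    [ -f "$1" ] || return 1
    grep -q '^console$' "$1" || return 1
    [ "$(grep -cv '^console$' "$1")" -eq 0 ]
}

# Report on the sample files.
echo "Extra UID-0 accounts in $SAMPLE_PASSWD: $(extra_uid0_count "$SAMPLE_PASSWD")"
extra_uid0_accounts "$SAMPLE_PASSWD" | sed 's/^/  /'
if root_console_only "$SAMPLE_SECURETTY"; then
    echo "securetty: root may log in from the console only"
else
    echo "securetty: root login is NOT restricted to the console"
fi
```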
Rick Garland
Honored Contributor

Re: Administrators users other than root

Adding additional users with UID=0 can be done and is being done. There is some work to it as the previous posts are indicating. When a user joins the group or leaves the group, there is that work again.

With the use of sudo, you only need to modify the sudoers file to add/delete users in a particular group function. No need to modify their mailbox, the HIST file, the passwd file, etc.

Another plus is if you don't want to give out the root passwd. Only a specific set of users can be listed in the sudoers file to have root access. In this way they can accomplish what needs to be done. All other users can be denied this access and if an attempt is made, the sudolog will note it as well as send an e-mail to the administrator.