HPE Community
Operating System - HP-UX
1833811 Members
3687 Online
110063 Solutions
New Discussion

Authentication question from HP labs

 
SOLVED
Go to solution
Brad Klein
Advisor

‎03-02-2004 06:21 AM

‎03-02-2004 06:21 AM

Authentication question from HP labs

The HP Partition Management group would like to understand how system administrators are authenticated and authorized to perform system administrations tasks in your environment.

1) Are system administrators in your environment given the root password?

2) If yes, do system administrators typically authenticate (login) to the system as root?

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Thanks in advance for your valuable responses,

HP Partition Management group.
0 Kudos
Reply
74 REPLIES 74
Pete Randall
Outstanding Contributor

‎03-02-2004 06:24 AM

‎03-02-2004 06:24 AM

Solution

Re: Authentication question from HP labs

Brad,

In my environment, I'm the only SysAdmin (though my DBA has some limited expertise). We log in as ourselves and use su to gain root privileges. With only the two of us, auditing and restricting privileges and the like have never been an issue, so we do not use sudo or anything.


Pete

Pete
Reply
Steven E. Protter
Exalted Contributor

‎03-02-2004 06:25 AM

‎03-02-2004 06:25 AM

Re: Authentication question from HP labs

Answers:


1) Are system administrators in your environment given the root password?

Yes, we have only one full time and one backup.

2) If yes, do system administrators typically authenticate (login) to the system as root?

Currently we allow root login. We are considering requiring su - from a normal user id.


3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

su - root

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Currently testing sudo, not decided on how to proceed.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Patrick Wallek
Honored Contributor

‎03-02-2004 06:27 AM

‎03-02-2004 06:27 AM

Re: Authentication question from HP labs

1) Yes! (I'm not sure I'd work somewhere the SA's didn't have the root password)

2) Depends. I usually log on to the system with a generic id and then 'su -' as necessary.

3) N/A

4) Yes we use sudo as well for some things.

Reply
Dave La Mar
Honored Contributor

‎03-02-2004 06:32 AM

‎03-02-2004 06:32 AM

Re: Authentication question from HP labs

#1) Yes

#2) Yes

#3-4) su is also used.

Small shop, 1 full time HP SA, and one manager as SA for all platforms.

Regards,

dl
"I'm not dumb. I just have a command of thoroughly useless information."
Reply
Dave Hutton
Honored Contributor

‎03-02-2004 07:26 AM

‎03-02-2004 07:26 AM

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

Yes and actually our DBA's have it too. They are only "supposed" to use it for installing oracle. But we've caught them doing other things.


2) If yes, do system administrators typically authenticate (login) to the system as root?

This place any generic accounts people log in directly (oracle, root, application related, ...)

A prior company I worked at you couldn't log as root or oracle directly. You had to su from your user up to it.

3) Even though I answered yes to both 1&2 there have been causes where we tried using sudo.

4) Yes, mostly it was brought in for applications that shouldn't of been installed as root, to allow the application people start and stop it.
Reply
Paul Cross_1
Respected Contributor

‎03-02-2004 07:32 AM

‎03-02-2004 07:32 AM

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

Yes.

2) If yes, do system administrators typically authenticate (login) to the system as root?

no, we login as ourselves, and su - root.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

su - root.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

Yes. some application administration done by other groups require elevated privileges, for this we use sudo, never "sudo su, sudo vi, etc." however.
Reply
Michael Tully
Honored Contributor

‎03-02-2004 08:27 AM

‎03-02-2004 08:27 AM

Re: Authentication question from HP labs

1) Yes. I did work at a place once, where we did not have root passwords at all, but had to use a tool called 'qsu'

2) We use 'sudo' on most systems and only use the root password from a secret cheat sheet only when absolutely necessary. No system is allowed direct root access other than from the console.

3) sudo

4) No - If root access is required, then any scripts etc that must be run are done by the SA.
Anyone for a Mutiny ?
Reply
Robert-Jan Goossens
Honored Contributor

‎03-02-2004 08:54 AM

‎03-02-2004 08:54 AM

Re: Authentication question from HP labs

-1- Yes

-2- No,generic account + sudo

-3- su - + sudo

-4- sudo
Reply
G. Vrijhoeven
Honored Contributor

‎03-02-2004 09:06 AM

‎03-02-2004 09:06 AM

Re: Authentication question from HP labs

Hi,

1) No but an envelope containing the root passwd in case of an emergency (console login)

2) No, they log in as users. The admins can become root providing theire own passwd.

3) (GSP web)Console login. if server crashes, and a tool called be root is provided for elevated privileges

4) be root is a simular tool. I used to work with sudo.

Regards,

Gideon

4)

Reply
Denver Osborn
Honored Contributor

‎03-02-2004 09:14 AM

‎03-02-2004 09:14 AM

Re: Authentication question from HP labs

1) yes

2) no (try to use only as last resort)

3) login as self then su to root

4) no other utils used.

we try to avoid any direct root logins, and each admin who su's to root has their own shell history (.sh_username)

hope this helps,
-denver
Reply
A. Clay Stephenson
Acclaimed Contributor

‎03-02-2004 09:25 AM

‎03-02-2004 09:25 AM

Re: Authentication question from HP labs

1) Yes
2) Only if they don't mind being adjusted with a baseball bat. There's nothing like being your own worst enemy.
3) su - root
4) Yes, sudo or custom setuid C programs
If it ain't broke, I can fix that.
Reply
H.Merijn Brand (procura
Honored Contributor

‎03-02-2004 10:24 AM

‎03-02-2004 10:24 AM

Re: Authentication question from HP labs

1) Worse: all the users know the root passwords, but then again, we have only 8 users, and all of them have to perform administration once in a while
2) Yes. Worst think someone can do is stayed login as root. Do your thing and logout is the rule we use. Noone `works' as root: stronly forbidden.
3) su root
4) yes, sudo slightly patched - and I will not elaborate on how and why for obvious security reasons

Enjoy, Have FUN! H.Merijn
Enjoy, Have FUN! H.Merijn
Reply
Rodney Hills
Honored Contributor

‎03-02-2004 10:28 AM

‎03-02-2004 10:28 AM

Re: Authentication question from HP labs

1) SA does have the root password (only me)
2) I login as myself, then do a "su" for root access
3/4) Everyone else goes through "sudo".

-- Rod Hills
There be dragons...
Reply
James A. Donovan
Honored Contributor

‎03-02-2004 10:37 AM

‎03-02-2004 10:37 AM

Re: Authentication question from HP labs

1) Yes they are.
2) No. They login under their individual accounts
3) We use sudo for most commands that require root privileges, otherwise we login on the console.
4) Sudo
Remember, wherever you go, there you are...
Reply
Seth Parker
Trusted Contributor

‎03-02-2004 04:31 PM

‎03-02-2004 04:31 PM

Re: Authentication question from HP labs

1. Yes
2. No, except from console for reboots, etc.
3. Login as self then su -
4. Nothing at the moment

It's always nice to be able to provide input!

Regards,
Seth
Reply
Ravi_8
Honored Contributor

‎03-02-2004 05:46 PM

‎03-02-2004 05:46 PM

Re: Authentication question from HP labs

Hi

1. Yes, sys admin will be having root passwd
2. No.
3.sys admin login using his id and then su to be root
4.we use sudo to give access to users to perform only swinstall/swremove
never give up
Reply
Rainer von Bongartz
Honored Contributor

‎03-02-2004 05:52 PM

‎03-02-2004 05:52 PM

Re: Authentication question from HP labs

1) NO, the root password is split between two people and both parts are stored in a safe for emergency needs .

2) n.a.

3) one person can use "sudo su -" to gain root priviliges, the other must use "sudo "

4) sudo
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Reply
Robert Binkhorst
Trusted Contributor

‎03-02-2004 06:09 PM

‎03-02-2004 06:09 PM

Re: Authentication question from HP labs

Hi Brad,

1) Are system administrators in your environment given the root password?

Yes. All SA's know the root password. It is changed every month though.

2) If yes, do system administrators typically authenticate (login) to the system as root?

We do at the moment. We're implementing LDAP and will force everyone to login as themselves and su or sudo. Then, only root access to the console will be allowed. Consoles can only be reached through a separate network.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We're moving to sudo for specific application and monitoring tasks.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

We're using a sudo version from the HP porting archive, I would like to see a HP supplied one come out though.
linux: the choice of a GNU generation
Reply
Vijaya Kumar_3
Respected Contributor

‎03-02-2004 06:17 PM

‎03-02-2004 06:17 PM

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

YES, We change this every month.

2) If yes, do system administrators typically authenticate (login) to the system as root?

No, every admin in our environment is having their own user accounts. We login to unix oxes using SSH with this account. We use su to change to root. NO Direct root logins are allowed.

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We su to root. In trusted systems we have sudo installed. We use sudo to do admini tasks.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names.

We use only sudo as of now.

Known is a drop, unknown is ocean - visit me at http://vijay.theunixplace.com
Reply
Jakes Louw
Trusted Contributor

‎03-02-2004 06:30 PM

‎03-02-2004 06:30 PM

Re: Authentication question from HP labs

1) Are system administrators in your environment given the root password?

No

2) If yes, do system administrators typically authenticate (login) to the system as root?

N/A

3) If you answered 'No' to either or both of the first two questions, how do administrators perform tasks which require elevated privileges?

We use a product called Omniguard that sets up profiles and does keystroke logging. SAs log in using their private accounts, then perform "/usr/local/bin/pmrun su -", after which the SA is prompted to supply a profile password. After that, all access is equivalent to full root access.

4) Do you make use of utilities such as "sudo" or "super" which elevate privileges for the purposes of system administration? If yes, please list the specific utility or product names

I understand that Omniguard is based on SUDO with an extensive shell around it.
Trying is the first step to failure - Homer Simpson
Reply
MarkSyder
Honored Contributor

‎03-02-2004 06:46 PM

‎03-02-2004 06:46 PM

Re: Authentication question from HP labs

Yes to questions 1 and 2.

I give limited super user priviledges to other users via sudo.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
Reply
Kurt Beyers.
Honored Contributor

‎03-02-2004 07:29 PM

‎03-02-2004 07:29 PM

Re: Authentication question from HP labs

1. Yes

2. logon with their own user and su - then

3. /

4. sudo or super is not being used for the moment.

best regards,
Kurt
Reply
Mark Grant
Honored Contributor

‎03-02-2004 07:45 PM

‎03-02-2004 07:45 PM

Re: Authentication question from HP labs

All system administrators are not only given but also admin the root passwords.

Typically we log in as a normal user and su - . One exception to this is when doing work at the system console.

We do not use "sudo" but do occasionally use SETUID binaries.
Never preceed any demonstration with anything more predictive than "watch this"
Reply
Tomek Gryszkiewicz
Trusted Contributor

‎03-02-2004 08:58 PM

‎03-02-2004 08:58 PM

Re: Authentication question from HP labs

1. Yes
2. usually yes, but not all
3. su
4. For some users we are using sudo with the privilage for use one command only.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.