Operating System - HP-UX

Become root without asking password

 
Claudio_4
Occasional Contributor


Hi all,

Is it possible to change user, becoming "root", without being asked for the password?
In a user script, I have to launch a command as root and the user can't know the password for root.

Can somebody help me?

Thanks in advance.
Claudio.
Claudio
Michael Tully
Honored Contributor

Re: Become root without asking password

I would set up 'sudo' to do this. There are many situations such as yours that this product will cater for. It is easy to compile, it is free and can be downloaded as a compiled version. Here are the links:

source
www.courtesan.com/sudo

Already compiled version from
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.2b1/

HTH
-Michael
Anyone for a Mutiny ?
Thierry Poels_1
Honored Contributor

Re: Become root without asking password

Hi,

"sudo" might be the perfect solution, it allows you to grant permission to specific users for specific commands.

If it's an executable, you can set the "Set user ID on file execution" (chmod u+s) and make root the owner of the file: this will execute the file as root.

good luck,
Thierry.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
Rainer von Bongartz
Honored Contributor

Re: Become root without asking password

Become root without asking password cannot be what you really want, 'cause this is much too dangerous.

Better use SETUID root on the file

chown root
chmod u+s

Now starting file will run with root permissions

Regards
Rainer



He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Deepak Extross
Honored Contributor

Re: Become root without asking password

Possible, but you could be opening up a huge security hole.

Consider doing this:
#chown root:sys
#chmod +s
This should solve your problem.
Deepak Extross
Honored Contributor
Solution

Re: Become root without asking password

But if you really trust this user :-)
make the required entries in the /etc/hosts.equiv and .rhosts files, and let the user do a
$rlogin -l root

Marcin Wicinski
Trusted Contributor

Re: Become root without asking password

Hi,
The solution you suggest is very dangerous from the point of view of system security. I would recommend preparing the script as root and giving it the s permission (the script is executed as if invoked by root):

chmod u+s <script_name>
Marcin Wicinski
Volker Borowski
Honored Contributor

Re: Become root without asking password

If you set up a suid script,
remember to revoke write permission,
so nobody can change what is in the script !

Volker
Darrell Allen
Honored Contributor

Re: Become root without asking password

I'm sure a number of people will disagree but you should not set up any user (including sys admins) to be able to become root without a password. Sudo is a good answer though suid programs / scripts can work, they're just much more complex to set up.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
harry d brown jr
Honored Contributor

Re: Become root without asking password

You can't be serious about using this method:

But if you really trust this user :-)
make the required entries in the /etc/hosts.equiv and .rhosts files, and let the user do a
$rlogin -l root

Any user that knows your "trusted" user's passwd can BECOME ROOT on your host. That's a violation of all security procedures and guidelines.

If you give that user access from another machine, then anyone can SPOOF your host into thinking they are the trusted host and the trusted user.



You really need to follow Rainer's advice:

chmod 555 <scriptname> #make sure no one can write to it
chown root <scriptname>
chmod u+s <scriptname>



live free or die
harry
Live Free or Die
Darrell Allen
Honored Contributor

Re: Become root without asking password

A few more points:

Setting up the rlogin has the end result of making the user superuser. So the user doesn't know the root password. Big deal. He no longer needs it.

If you use a suid script at least chgrp it to a private group (no one in that group in /etc/group except the ones you want to be able to run the script), chown root (required), and chmod 4550 (no world access, no write for anyone).

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
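
The permission checklist from the replies above (chown root, setuid bit, no write for anyone, no world access, private group) turned into a check, as an added example that is not part of any poster's reply. The function name `audit_suid` and the scratch file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit a setuid helper against the
# checklist above: owned by root, setuid set, no write bits, no world access.
# Usage: audit_suid FILE [EXPECTED_OWNER]   (returns 0 if clean, 1 otherwise)
audit_suid() {
    file=$1
    want_owner=${2:-root}
    rc=0
    [ -f "$file" ] || { echo "FAIL: $file is not a regular file"; return 1; }

    # Parse ls -ld rather than stat(1), which is not available on every UNIX.
    info=$(ls -ld "$file" | awk '{ print $1, $3, $4 }')
    set -- $info
    mode=$1 owner=$2 group=$3

    [ "$owner" = "$want_owner" ] ||
        { echo "FAIL: owner is $owner, expected $want_owner"; rc=1; }

    case $mode in
        ???s*) ;;        # setuid set together with owner execute
        *) echo "FAIL: setuid bit not effective (mode $mode)"; rc=1 ;;
    esac
    case $mode in
        ??-??-??-*) ;;   # no write bit for user, group or other
        *) echo "FAIL: file is writable by someone (mode $mode)"; rc=1 ;;
    esac
    case $mode in
        ???????---*) ;;  # no access at all for other
        *) echo "FAIL: world has access (mode $mode)"; rc=1 ;;
    esac

    # Supplementary members of the owning group can run the helper; users whose
    # primary group it is are not listed here and need a check of /etc/passwd.
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' /etc/group 2>/dev/null)
    echo "INFO: group $group, listed members: ${members:-none}"
    return $rc
}

# Constructed demo: a scratch file with mode 4755 fails two of the checks.
demo=$(mktemp) && chmod 4755 "$demo"
audit_suid "$demo" "$(ls -ld "$demo" | awk '{ print $3 }')" || true
rm -f "$demo"
```
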
David Rodman
Frequent Advisor

Re: Become root without asking password

One alternative tactic that I have used successfully is to provide a SAM user profile. SAM can give a user the setuid to root and you can restrict what the user can do or see. But this is an HP only solution. I have GUI buttons for things like startup and shutdown of databases and other routine tasks.

Craig Rants
Honored Contributor

Re: Become root without asking password

I agree with Darrell, .rhosts is the worst way to do this. You have now advertised to the world that you let someone into your systems as root without a password. Plus you only gave points to the worst answer. Nothing against Deepak, but others have given you a secure and feasible answer.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Deepak Extross
Honored Contributor

Re: Become root without asking password

No fair!!

I did give Claudio the chown/chmod solution.
And, as an afterthought, added the information he asked for, all the while pointing out the security hazard.

Claudio_4
Occasional Contributor

Re: Become root without asking password

Hi all !

Thanks to all of you for your help.

I choose the ".rhosts / hosts.equiv" solution.
In my implementation, it is not so dangerous I think (I hope !!).

My implementation:
- The script is a menu of some O.S. commands that the user can perform on the system.
- I launch my script from the user's .profile.
- I have disabled "^C" for the user.
- Inside the script, I use "rsh" to launch the O.S. commands that need to be launched as root.
- The script is write protected; only root can modify it.
- The script performs a "logout" when the user chooses "end-work" from his menu.


Thanks again.
Sorry, I can't assign points to all !!!

Bye
Claudio.



Claudio
Thierry Poels_1
Honored Contributor

Re: Become root without asking password

can't assign point to all ?!?

cannot or will not ??
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
John Ferrara
Frequent Advisor

Re: Become root without asking password

There is a product I use called Power Broker which allows users to "su" to root or any other privileged id and has the capability to remotely log all cmds entered. The user doesn't need the password. I don't like using it myself b/c the remote server that does the logging is connected via a slooow WAN which yields a long keyboard latency.
http://www.symark.com/powerbroker.htm

John
It was working fine when I left....what did you do?
Craig Rants
Honored Contributor

Re: Become root without asking password

Ok, Deepak, you did put in the other solution. The only reason I singled out the other answer was because Claudio gave points to that one and I assumed that was the one he was going to use.

Claudio,
Can't assign points! What, did your mouse break?

I would contend that people are more likely to answer your questions if you have a good history of assigning points. Up to you however.
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John Bolene
Honored Contributor

Re: Become root without asking password

Curious, he has been a member for 2.5 years and this is the first question posted.

He is also 1 for 16 in assigned points.

Make that 17 now.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Claudio_4
Occasional Contributor

Re: Become root without asking password

Sorry !!!!!!!!!! .

I've been a member for 2 years, but I'm new to using this forum! (This is my first time!)

I was wrong in thinking that points are to be assigned only to the solution I chose for my problem.
Now I know !! I can assign points to all the answers.

Thanks again.


Claudio