Operating System - HP-UX

Re: Changing Root Password

CCP_LAB Admin
New Member

Changing Root Password

In HP systems, to my knowledge, it's easy to change the root password if you know how to go to single-user mode. We are handling multiple Tier 3, 2, 1 machines/workstations. So if any user knows how to go to single-user mode, he can change the root password; I feel this means less system security. Is there any way to avoid this?

I know that in Sun no user can change the password until he mounts the root file system. Please suggest any solutions.

Thanks in Advance.
Try,Try,Try Again ..
Rick Garland
Honored Contributor

Re: Changing Root Password

The root passwd can be changed while in multi-user mode as well.
Patrick Wallek
Honored Contributor

Re: Changing Root Password

It is only insecure if you have a lot of people that know the root password and/or have permission to execute the shutdown command. The file /etc/shutdown.allow allows you to control who can and can't execute the shutdown command. If you set up the shutdown.allow so that only root can shutdown the machine and don't give out the root password, then I think you are OK.

Brian Taylor
Advisor

Re: Changing Root Password

Dropping a machine into single-user mode is not something a regular user should be able to do. Who has the ability to reboot/shutdown the machine?
CCP_LAB Admin
New Member

Re: Changing Root Password

Thank you for your replies. I'm sorry I didn't state the question clearly. What I mean exactly is not by regular shutdown or at the multi-user level: if a user hits the power button and after that hits the Esc key and types the relevant key, he can change the passwd on his workstation.

I would like to avoid it. Is there a way?
Try,Try,Try Again ..
Joseph C. Denman
Honored Contributor

Re: Changing Root Password

Change your system security policies to require a password into single user mode?

***warning*** This makes it a bit tricky if the password is forgotten!!!
If I had only read the instructions first??
Bruce Regittko_1
Esteemed Contributor

Re: Changing Root Password

Hi,

You can convert your system to a trusted system. Then it will prompt you for a password before booting to run level s. Be advised that a trusted system comes with some overhead. Investigate whether or not it is right for your system before converting.

On another note, if you have rather lax physical security on your server, then yes, anyone can push the power switch and reboot your machine. However, even a trusted system is not secure since the machine can be booted off of a cdrom with a recovery shell. From the recovery shell, one can mount the root filesystem and change/clear the root password.

--Bruce
www.stratech.com/training
CCP_LAB Admin
New Member

Re: Changing Root Password

Thanks for the suggestion.
We are running NIS in 10.20, so we can't change our system to a trusted system. Please advise me whether I can set a password to go to single-user mode.

Thanks in Advance.
Try,Try,Try Again ..
Patrick Wallek
Honored Contributor
Solution

Re: Changing Root Password

Since you are running NIS and can't convert to a trusted system, you are, unfortunately, out of luck.

Here is an excerpt from this document on the ITRC:
http://us-support2.external.hp.com/cki/bin/doc.pl/sid=dd1dcf7d065a6cb090/screen=ckiDisplayDocument?docId=200000048456189


PROBLEM
How can HP-UX be configured so that it requires a root password when booting into single-user mode?

RESOLUTION

The only way to require a login when booting into single-user mode is to set the boot_authentication flag on a trusted system. If the system is not trusted, this option is not available.
Bill Hassell
Honored Contributor

Re: Changing Root Password

You can add a password request into /etc/profile. Check that /etc/profile is running in single user mode (hint: /sbin/who -r or getrunlvl -r). Due to a bug in who -r, it sometimes reports run level 3 in single user mode. In that case, just test that /usr is not mounted which means single user mode. You might try coding the tests into an executable so knowledgeable users won't be able to read the steps in /etc/profile.


Bill Hassell, sysadmin
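
The single-user detection described in the post above, as an added example that is not part of the original thread and covers only the detection step, not the password request itself. The function names and sample inputs are constructed; it assumes `who -r` output contains a `run-level X` token pair, that the mount table lists the mount point in its second field (as in `/etc/mnttab`), and that `/usr` is a separate filesystem.

```shell
# Added example, not code from the thread. Function names are hypothetical.

# Print the run level found in `who -r` output given as $1 (empty if none).
run_level_from_who() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "run-level") { print $(i + 1); exit }
    }'
}

# Succeed if /usr is a mount point in the mnttab-format text given as $1.
usr_is_mounted() {
    printf '%s\n' "$1" | awk '$2 == "/usr" { found = 1 } END { exit !found }'
}

# Succeed if the system looks like it is in single-user mode.
# $1 = `who -r` output, $2 = mount table text.
is_single_user() {
    case "$(run_level_from_who "$1")" in
        s|S) return 0 ;;
    esac
    # who -r can misreport (the post mentions run level 3 in single-user
    # mode), so an unmounted /usr is treated as single-user regardless.
    if usr_is_mounted "$2"; then
        return 1
    fi
    return 0
}

# Constructed sample inputs (not captured from a real system).
WHO_SINGLE='   .       run-level S  Mar  3 10:12     S    0    S'
WHO_BOGUS3='   .       run-level 3  Mar  3 10:12     3    0    S'
MNT_ROOT_ONLY='/dev/vg00/lvol3 / vxfs log 0 1 983614320'
MNT_WITH_USR='/dev/vg00/lvol3 / vxfs log 0 1 983614320
/dev/vg00/lvol7 /usr vxfs delaylog 0 0 983614355'

# On a live system the caller would pass "$(who -r)" and "$(cat /etc/mnttab)".
if is_single_user "$WHO_BOGUS3" "$MNT_ROOT_ONLY"; then
    echo "single-user mode detected: the password request would run here"
fi
```

As noted earlier in the thread, a check placed in /etc/profile does not apply when the machine is booted from recovery media, so it complements physical security rather than replacing it.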
CCP_LAB Admin
New Member

Re: Changing Root Password

Thank you very much to all of you.
I got the answer from Patrick as well as from Bill.
Try,Try,Try Again ..