Operating System - HP-UX

disable certain user login but allow su -

 
Steve Blackwell
Occasional Advisor


A very quick, easy question, I hope.

On an HP-UX 11.11 system that uses a tcb database, is it possible to stop certain users from logging in interactively while still allowing su access to them?

I know I could do something with their .profile, but I was wondering if it is possible to do this with a setting in the /etc/passwd file or in the tcb database?
Enrico P.
Honored Contributor

Re: disable certain user login but allow su -

Hi,
you can try to put a * symbol in the password field in the /etc/passwd file.

Enrico
Enrico P.
Honored Contributor

Re: disable certain user login but allow su -

Hi,
you can try to put a * symbol in the password field in the /etc/passwd file.

Remember to save your passwd file first.

Enrico
Steve Blackwell
Occasional Advisor

Re: disable certain user login but allow su -

Because the system is trusted the * in the /etc/passwd file already exists.

Is there a setting for the tcb database?

Steve
Rick Garland
Honored Contributor

Re: disable certain user login but allow su -

As a trusted system, you will want the /tcb/files/auth directory area. From this point the subdirectory would match the 1st letter of the account name.
For example, for the root account, /tcb/files/auth/r (root starts with the letter 'r', so proceed down this subdirectory).

Put a star in the passwd field in here and you will lock the account.

HPUX does not really have Role Based Access Control (RBAC) until version 11.23.

There are numerous previous posts concerning this subject.

Rick Garland
Honored Contributor

Re: disable certain user login but allow su -

In rethinking, the better option would be to use the modprpw command to lock the accounts. No need to fool around in the tcb database by yourself. Let the command do it for you.
A. Clay Stephenson
Acclaimed Contributor

Re: disable certain user login but allow su -

However, you should note that if you lock the account, either by entering an impossible passwd hash (e.g. '*') or by explicitly locking the account via passwd -l or modprpw, then only a superuser will be able to su to that account; all other users will be prompted for a password or told that the account is locked.
If it ain't broke, I can fix that.
Bill Thorsteinson
Honored Contributor

Re: disable certain user login but allow su -

Lock the password as noted above and use the sudo package to su to the account. The password prompted for by sudo is the account executing the su command, not the target account. su will be done as system and will not require an active password.
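
The combination suggested in the replies above (lock the account, then reach it through sudo), as an added sudoers sketch that is not part of the original thread. The names alice, bob and appuser are hypothetical, the su path is an assumption, and the modprpw option shown should be checked against modprpw(1M) on the target release.

```sudoers
# Added example, not from the thread. alice, bob and appuser are
# hypothetical names.
#
# Step 1 (run as root on the trusted system): lock the target account so
# it cannot log in interactively. Either command named in the thread works:
#   passwd -l appuser
#   /usr/lbin/modprpw -m alock=YES appuser
#
# Step 2 (edit with visudo): let named admins become appuser through sudo.
# sudo authenticates alice or bob with their own password, then runs su as
# root, and root can su to a locked account without a password.

User_Alias  APPADMINS  = alice, bob

# Arguments are part of the match: only "su - appuser" is permitted, not
# "su -" (root) or "su - otheruser". Assumes su lives at /usr/bin/su.
Cmnd_Alias  SU_APPUSER = /usr/bin/su - appuser

APPADMINS   ALL = (root) SU_APPUSER
```

With this in place, alice runs `sudo su - appuser`, and each use is recorded in the sudo log under her own name.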
Steve Blackwell
Occasional Advisor

Re: disable certain user login but allow su -

You have all confirmed my thoughts.

Cheers

Steve