
Re: Doing root tasks without root access

 
emealogistics
New Member

Doing root tasks without root access

Hi everyone

I have been asked to do the following jobs without having root/sudo/SAM access or access to command passwd (except for changing my own password)

1) create users
2) change password of other users
3) enable /disable users
4) kill processes not belonging to me/group

Is there any way to do this?

regards
Robert-Jan Goossens
Honored Contributor

Re: Doing root tasks without root access

Hi,

The easiest way is to install and configure sudo. sudo will let you perform admin (root) tasks under your own userid. In your case you would need to configure the root commands useradd, userdel, passwd, usermod and kill.

docs
http://www.courtesan.com/sudo/intro.html

software
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p12/

Regards,
Robert-Jan

emealogistics
New Member

Re: Doing root tasks without root access

Hi Rob

Thanks for replying. Unfortunately I will not be able to get sudo rights (makes no sense to me).

The reason why they won't allow me use of passwd is that they think that I can change the password for root. Is it possible to have rights to passwd and not change the root password?
DCE
Honored Contributor

Re: Doing root tasks without root access



you can look at restricted SAM

sam -r to configure.

it allows a user access to only those processes defined to their id
OldSchool
Honored Contributor
Solution

Re: Doing root tasks without root access

what "they" need to do to make this happen is write a wrapper script that runs passwd, and then allow you to sudo the wrapper.

the wrapper would examine the userid that you are attempting to change and then either allow it or not.

you can't perform the task specified in the environment you described...(ie no sudo, sam....)
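
The wrapper described in this answer, as an added example that is not part of the original post or any vendor tool: a POSIX sh script meant to be run through sudo that refuses any target whose UID is below a threshold, which covers root and any other UID 0 account, and logs each attempt. The script path, the sudoers line, the `MIN_UID` boundary of 100, the lowercase-only name pattern and the `PASSWD_FILE` override are assumptions.

```shell
#!/usr/bin/sh
# passwd-wrap: added example of a passwd wrapper. Meant to be the only
# command the operator may run through sudo, e.g. a sudoers line such as
#   operator ALL = (root) /usr/local/sbin/passwd-wrap
# (script path, account name and MIN_UID are assumptions for this example).

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}   # overridable so the check can be tested
MIN_UID=${MIN_UID:-100}                   # assumed boundary: lower UIDs are system accounts

# valid_name NAME: accept only plain account names. Rejecting everything else
# also rejects a leading "-", so the argument can never be read as an option.
valid_name() {
    case $1 in ''|*[!a-z0-9_]*) return 1 ;; esac
}

# target_allowed NAME: succeed only for an existing account whose UID is at
# least MIN_UID. Checking the UID rather than the string "root" also refuses
# any second account that shares UID 0.
target_allowed() (
    valid_name "$1" || exit 1
    uid=$(awk -F: -v u="$1" '$1 == u { print $3; exit }' "$PASSWD_FILE")
    case $uid in
        ''|*[!0-9]*) exit 1 ;;            # unknown user or malformed entry
    esac
    [ "$uid" -ge "$MIN_UID" ]
)

main() {
    PATH=/usr/bin:/bin; export PATH       # do not trust the caller's PATH
    if [ $# -ne 1 ]; then
        echo "usage: passwd-wrap username" >&2
        return 2
    fi
    caller=${SUDO_USER:-$(id -un)}        # sudo sets SUDO_USER to the invoking user
    # Never write an unvalidated argument into the log.
    valid_name "$1" && shown=$1 || shown='<invalid name>'
    if ! target_allowed "$1"; then
        logger -p auth.warning -t passwd-wrap "DENIED $caller -> $shown"
        echo "passwd-wrap: not permitted for that account" >&2
        return 1
    fi
    logger -p auth.notice -t passwd-wrap "ALLOWED $caller -> $shown"
    exec /usr/bin/passwd "$1"
}

# With no arguments the file only defines the functions above.
if [ $# -gt 0 ]; then main "$@"; fi
```

The sudoers entry should list the wrapper with no wildcard arguments and the script itself must be writable only by root, otherwise the restriction can be edited away.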
Patrick Wallek
Honored Contributor

Re: Doing root tasks without root access

You CAN NOT do those tasks without some sort of root level access. It is IMPOSSIBLE!

You MUST be able to run the commands as root to: create users, change other users' passwords, enable/disable users and kill others' processes.

Now that being said, one option may be to write a script / program that runs as a setuid program (ie. permissions are something like root:security for owner group and rwsr-x--- for permissions) that will give you menu choices and ask you to enter the appropriate user you wish to modify. This program / script can do a check to see if you enter 'root' for a user name. If you do, it could throw an error.

Access to this could be controlled by creating a "security" group. Whoever needs to run this program / script gets added to the security group.

Bill Hassell
Honored Contributor

Re: Doing root tasks without root access

And to emphasize the security aspects of these tasks: you need skill in writing programs as well as how to protect them so access is secure. You can hire a consultant to write the program(s) for you. Be sure that the consultant has the necessary skills for both security as well as programming. And make sure the program logs every activity.

Or you use sudo. It is a severe security and stability risk to 'work around' security without sudo. I say stability because an improperly written tool may allow a user to accidentally remove every file in your computer with one command (as root). sudo is mandatory for distributed sysadmin privileges.


Bill Hassell, sysadmin
DavidJ
Regular Advisor

Re: Doing root tasks without root access

Hi,

I am using a package that allows one to do exactly what you are asking for. Not only does it do that but it can be customised for your needs and environment quite easily and is quite easy to maintain. It also logs everything that it does, who issued what command etc.

If you are interested in this email me at djason at mhg dot co dot za and I will put you in touch with this company.
Everyday I beat my own previous record for number of consecutive days I've stayed alive.