HPE Community
Operating System - HP-UX
1823921 Members
3074 Online
109667 Solutions
New Discussion юеВ

Duplicate root account.

 
SOLVED
Go to solution
bullz
Super Advisor

тАО03-18-2010 08:45 AM

тАО03-18-2010 08:45 AM

Duplicate root account.

Hello Guruz,

I want to create a duplicate root account, but ter is a restriction for duplication of uid 0

Then I thought of installing sudo, but that option also not accepted.

Just would like to know if any can advise, how can I get the root access for normal account.

Note: points will be equally shared :)
0 Kudos
Reply
13 REPLIES 13
Patrick Wallek
Honored Contributor

тАО03-18-2010 08:49 AM

тАО03-18-2010 08:49 AM

Solution

Re: Duplicate root account.

It is not advised to have more than one UID 0 account. That is a VERY BIG security hole.

>>Then I thought of installing sudo, but that option also not accepted.

Sudo is the best way to grant normal users root access. Why was it not accepted?

Reply
James R. Ferguson
Acclaimed Contributor

тАО03-18-2010 08:56 AM

тАО03-18-2010 08:56 AM

Re: Duplicate root account.

Hi:

Do *not* create duplicate uid=0 accounts.

You can, and then if you forget (or your successor forgets) and does something (stupid) like this (where user 'bullz' has a uid=0):

/* DO NOT DO THIS !!! */

# find /path -user bullz -exec rm -rf {} +

...then you just *removed* all of 'root's files and directories!

Regards!

...JRF...
Reply
bullz
Super Advisor

тАО03-18-2010 09:03 AM

тАО03-18-2010 09:03 AM

Re: Duplicate root account.

Thanks for you view on this, any other s/w or tool availbe just like SUDO? i want this kind of setup on HP-UX / Linux and Solaris servers too :)

waiting for good news.
0 Kudos
Reply
Pete Randall
Outstanding Contributor

тАО03-18-2010 09:26 AM

тАО03-18-2010 09:26 AM

Re: Duplicate root account.

Check the official sudo site:

http://www.gratisoft.us/sudo/intro.html

for installation requirements and supported environments.


Pete

Pete
0 Kudos
Reply
Pete Randall
Outstanding Contributor

тАО03-18-2010 09:36 AM

тАО03-18-2010 09:36 AM

Re: Duplicate root account.

I suppose I could have just told you that its available for AIX, RedHat Linux, IRIX and Solaris but you really ought to try this new thing called Google. Quite handy.


Pete

Pete
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО03-18-2010 09:49 AM

тАО03-18-2010 09:49 AM

Re: Duplicate root account.

Shalom,

A few views:

Now, Dana Corp. Only security department has the root password, no duplicate root accounts are permitted. We use etrust/seos to elevate the admin users to root privileges but what they can do is limited.

Previous job, NDS Jerusalem. They chose to go the duplicate uid=0 root. The primary reason was to know who did what. I was rootp(prottever) rootv was my boss Victor, etc etc.

Is it really a security hole to have multiple uid=0 accounts? Classical response which you already have is yes. But it was manageable since only qualified systems administrators had the password. Though password reset involved a meeting.

Prior to that only systems administrator, my backup(a dba eeek!) and operations had root.

I fought operators having root and proposed sudo and was overruled.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Johnson Punniyalingam
Honored Contributor

тАО03-18-2010 10:02 AM

тАО03-18-2010 10:02 AM

Re: Duplicate root account.

>>>Thanks for you view on this, any other s/w or tool availbe just like SUDO? i want this kind of setup on HP-UX<<<

"Power broker" software which is similar software like sudo for HP,

Difference between Power broker & Sudo explained in below thread

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=956140

Hope for >> AX, RedHat Linux, IRIX and Solaris<< -> SUDO would best approach, if not better to ask "Google" any third party SW available

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1268935173924+28353475&threadId=1084893
Problems are common to all, but attitude makes the difference
0 Kudos
Reply
Rick Garland
Honored Contributor

тАО03-18-2010 10:22 AM

тАО03-18-2010 10:22 AM

Re: Duplicate root account.

Another option to look at is called 'rootsh'. Works in conjunction with sudo and provides lots of logging. Can find on the net, there are HPUX binaries available as well.

Can give you the best of both worlds. The logging of sudo to see who invoke a rootsh plus the logging of rootsh to provide you with the data you want plus the capabilities of a UID=0 user without duplicating.
Reply
Rick Garland
Honored Contributor

тАО03-18-2010 10:31 AM

тАО03-18-2010 10:31 AM

Re: Duplicate root account.

And BTW, rootsh will work on AIX, Solaris, Linux, HPUX, etc...
Reply
Tingli
Esteemed Contributor

тАО03-18-2010 10:42 AM

тАО03-18-2010 10:42 AM

Re: Duplicate root account.

Take a look at man sudoers, there might be something to help you.
Reply
Raj D.
Honored Contributor

тАО03-18-2010 11:33 AM

тАО03-18-2010 11:33 AM

Re: Duplicate root account.

Bullz,

Yes, you can create duplicate root id, with -o option with useradd command.
#useradd -u 0 -o ..... -m /home/root1 root1

http://docs.hp.com/en/B2355-60105/useradd.1M.html



However it is wise to use sudo , and that way system will be secure and access can be delegated properly.

There is another good software available ($$) for access control is powerbroker and can be used for wide range of unix systems including linux:

http://www.beyondtrust.com/products/pbreviews.asp

HTH,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО03-18-2010 08:34 PM

тАО03-18-2010 08:34 PM

Re: Duplicate root account.

If you don't want sudo, there is HP's RBAC:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl
0 Kudos
Reply
bullz
Super Advisor

тАО03-19-2010 02:30 AM

тАО03-19-2010 02:30 AM

Re: Duplicate root account.

Folks,

I really appreciate the replies which you all sent.
Still points need to be assigned for ROOTSH posts. I do that shortly.

Major challenge here is, can I get a root access ( eventually I should login as root ) for normal user without below options.

├в ┬в There shouldn├в t be any duplicate UID of 0 (zero)
├в ┬в SUDO also strictly restricted for some reason

I got an advice to install ROOTSH, but my question here is, will it work without SUDO?
Also, will it work on Linux, and solaris too?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.