
Duplicate root user

 

Hi,

How can I duplicate a root user and also all the authentication, permission, kernel config?

Any advice? I have never done this before.

TQ

Rgrds,
Zuls
mirco_1
Valued Contributor

Re: Duplicate root user

hi,

create new entry (new user) in /etc/passwd with id 0.
example :

pippo:*:0:3::/:/sbin/sh

DM.
Mahesh Kumar Malik
Honored Contributor

Re: Duplicate root user

Hi Zuls

Create a new user with a name other than root and set the uid to 0. This user will have the same privileges as root.

Regards
Mahesh
Rainer von Bongartz
Honored Contributor

Re: Duplicate root user

The user name 'root' does not matter.
What gives the user root his privileges is his UID 0.

So you can create a new user with any name and give him the UID 0 to grant all 'root' privileges.

BUT: You should NOT do this. Best practice for Unix systems is always to have only 1 user with the UID 0.

If you need to grant all (or some) root privileges to another user you should think about using the sudo tool.

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Muthukumar_5
Honored Contributor

Re: Duplicate root user

Solution is given that uid has to be like root's one as 0. It is not recommended to make like that. Global permission has to be given to a unique person called root in *NIX ;)

hth.
Easy to suggest when don't know about the problem!
Kent Ostby
Honored Contributor

Re: Duplicate root user

Muthukumar brings up a point related to WHY do you want to do this.

You can have multiple users with uid 0, but it raises some security concerns.

Another way is to allow certain people root access.

Yet another way is to allow certain people to run certain commands via "sudo" as root.

Or even set up sudo so that users can become root but their becoming root is logged to syslog.

See here for details:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=728865

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"

Re: Duplicate root user

Hi Kent and all the guru,

I did glance through the article about sudo, but honestly I am unclear how it actually works and how I can implement it.

The user would like to have a second user as root for the disaster recovery plan.

Please help.

TQ.

Rgrds,
Zuls
MarkSyder
Honored Contributor

Re: Duplicate root user

I really think a second root user for disaster recovery is overkill.

What's wrong with:

1. booting into single user mode to reset the root password if it is lost; or

2. using an ignite backup.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing

Re: Duplicate root user

Hi Marks and all the gurus,

That is correct, but this user will be used only for emergency incidents, since this server is quite difficult to restart.

I think I will implement the UID=0 for emergencies. Like, log in with the new user, then run passwd root to change it back, and then log back in as root.

It is a better solution.

Rgrds,
Zuls
Patrick Wallek
Honored Contributor

Re: Duplicate root user

I disagree 110%. Another UID 0 user is a BAD BAD BAD idea and a BIG BIG BIG Security risk.

Several problems I can think of:

1) What if you forget the password to the other UID 0 user? It does you no good then.

2) If this is a trusted system, what if you don't use the user and it gets locked out because of inactivity? Again it does you no good.

3) It's a BIG security hole. If someone gets into your system and discovers the password for the duplicate UID 0 user, then they now have FULL access to your system.

4) You say it will only be used in DR situations. Yeah right! If the ID is there it will get used.

I strongly advise AGAINST another UID 0 user.

You should go back and look at sudo. It is a much much better solution.

If sudo is set up correctly, you can do anything with it that you can with root. If the root ID is locked out, you can do something like 'sudo su -' to log in as root so the problem can be fixed.

Geoff Wild
Honored Contributor

Re: Duplicate root user

Yes you can do this - by creating another userid with uid=0

I have done this in the past - when I worked in a place with 2 other admins - who were less than capable - so to protect my back side - I created a rootg account - that way, anything done as root was audited as well as what I did - as rootg.

For DRP - sure - that would work - but remember - just because you make say an id called: rootdr

That will not prevent them from doing:

su -

without a password - so, in effect - they are root without the root password....

If it's for DR only, why not lock up the root password in a vault - then when a DR strikes - or a DR test - have that person follow your DR book and get the root password.

Either way is fine...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
MarkSyder
Honored Contributor

Re: Duplicate root user

You say a second UID of 0 is the best solution because the server is difficult to start.

Can you explain to us why it's difficult to start?

Mark
The triumph of evil requires only that good men do nothing
A. Clay Stephenson
Acclaimed Contributor

Re: Duplicate root user

Having more than one UID 0 login is not a Disaster Recovery Plan; it's simply a Disaster that hasn't happened yet.
If it ain't broke, I can fix that.
DCE
Honored Contributor

Re: Duplicate root user

As others have pointed out this is a BIG security risk. If this system is ever audited, it will be classified a severe security violation.

Unix file ownership is not based on id, rather UID. By giving another user a duplicate UID, you are blurring who owns what, and eliminating the capability to trace who has done what.

sudo is an easy solution to your problem, and it is actually quite easy to implement. And if you have problems with it, there are plenty of people in this forum who would be willing to answer your questions.

Finally, if this is for DR purposes, then it is not necessary. In a DR you will be recovering from tape to a new system. By definition you know the root password on the system you are installing to. If there is an issue with the password boot into single user mode and change the password.

Re: Duplicate root user

Hi Gurus,

Advance thanks for your replies. I really appreciate it.

I will follow your suggestion not to have a second UID=0 since it will kill me and my repo outside the IT world.

Anyway, could you all give me some advice on how I can start to implement the sudo exercise, i.e. where to download it, and a setup guide.....

Please advise. & TQ

Rgrds, Zuls
Simon Hargrave
Honored Contributor

Re: Duplicate root user

I'll jump on this too.

If you're setting your "other" root user up just in case you can't get into your main root user then that's very very bad.

This would imply that you are rarely if ever going to use the "other" root user, which also implies that you will have to set it up with a password that never expires. This gives any potential hackers all the time in the world to compromise the password.

It's been said so many times, but once more won't harm and hopefully you will realise - DON'T DO IT!

It really isn't that difficult to set up sudo.

Re: Duplicate root user

Simon and all the gurus,

Please advise me, at least some guide on how to download, install and set up .... I'm new to this unix world

Advance thanks all gurus.

Rgrds, Zuls
Patrick Wallek
Honored Contributor
Carles Viaplana
Valued Contributor

Re: Duplicate root user

Hi Zuls,

An option could be to create a normal user and grant rights to switch to the root user.

Regards,

Carles

Bill Hassell
Honored Contributor

Re: Duplicate root user

And just so you know: the first place a hacker sets up shop is to change an ordinary user into UID=0. The user may not even know that this has happened. If you create multiple UID=0 users, it will be difficult to detect hackers. Look at the output from:

logins -d


Bill Hassell, sysadmin
KRS_1
Frequent Advisor

Re: Duplicate root user

It's not a good practice having another uid 0

Thanks

Re: Duplicate root user

Hi All Gurus,

Thanks for the idea, and the suggestion.

At last, I am using the sudo concept for the implementation, and it solves most of the problem.

Using the concept of the second id with UID=0 has problems in the implementation .. sometimes it is not relevant with the integration at the apps or db level.

How can I give points to all my gurus that already guided me? Please advise me of a step to do it.

Lastly thanks

Rgrds,
Zuls
Sp4admin
Trusted Contributor

Re: Duplicate root user

Hi Zuls,

All you have to do is assign that user "0" for the uid number. However this is not a good idea. No one besides root should have "0" as the uid #.

sp,
Sean Dale
Trusted Contributor

Re: Duplicate root user

I agree with the others, a 2nd root account is overkill and a security risk. With sudo you can control who has access and who doesn't. Plus, sudo logs activity. You can add users to the sudousers list as needed (or remove them as needed) without affecting the root account.
Live life everyday