Operating System - HP-UX

Re: how to change root password by non-root user

SOLVED
Co van Berkel
Regular Advisor

how to change root password by non-root user

Hi,
We use HP-UX 11.11 (11i v1) on two rp4440-8 servers and HP-UX 11.00 on three L2000 servers.
We now need a non-root user who can only change the password of user root.
We also use eTrust Access Control on the unix servers: v5.1 SP2 on the L2000 and v5.3 on the rp4440-8 servers.

On the L2000 servers I can change the password of root by defining a "sesudo" command and giving the non-root user the proper authorisation.
This works fine.

On the rp4440-8 servers (HP-UX 11.11) I defined everything the same but it doesn't work.

When I look into a trace of eTrust there is no error message, which gives me the idea that this action is blocked at OS level.
When I enter "passwd root" on a console as a non-root user, there is no problem, but from a non-console I get the message "You are not allowed to change root's password".

HELP

Regards,
Co
RAC_1
Honored Contributor

Re: how to change root password by non-root user

Does /etc/securetty exist? Anything in that file?
There is no substitute to HARDWORK
Co van Berkel
Regular Advisor

Re: how to change root password by non-root user

Hi RAC,
Thanks for the quick response.
Yes, the file exists:
"console"
Has something changed since HP-UX 11.0?
RgRds Co
Geoff Wild
Honored Contributor
Solution

Re: how to change root password by non-root user

Scary stuff here - allowing a non-root user to change root's password....

I don't know eTrust - best bet would be to submit a call to them.


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
RAC_1
Honored Contributor

Re: how to change root password by non-root user

That explains it. A console entry in /etc/securetty means root login can happen only on the console and not through any other terminal. So you won't be able to change it on another terminal.

Anil
There is no substitute to HARDWORK
Co van Berkel
Regular Advisor

Re: how to change root password by non-root user

Hi,
If I recall, the file "/etc/securetty" blocks the login of "root" on a non-console.
This is OK.
But on HP-UX 11.0 a special user which can only change the password of root can log in using telnet.
On HP-UX 11.11 this doesn't work?

CA-eTrust is a security application used to restrict on OS, file and user level per user and/or group. CA-eTrust does allow changing the password of root because I authorised a non-root user to do so, but CA-eTrust is just an extra layer over the OS security layer.

So it looks to me like the OS layer stops the change of the root password on a non-console, and not CA-eTrust.

RgRds Co
Hoang Chi Cong_1
Honored Contributor

Re: how to change root password by non-root user

Hi Co,

Yep, with eTrust, you can change the password of all users if you have eTrust's admin rights, and even stop the root user when it tries to connect to your system...
I have never done it with an rp4440, but I have tried with an rp5470 and it works....

Without eTrust, you cannot change the root password unless you are the root user or any user that is defined in the root group!

Regards,
Hoang Chi Cong
Looking for a special chance.......
Co van Berkel
Regular Advisor

Re: how to change root password by non-root user

Hi,
After all, we did get a fix from CA for ca-etrust v5.3 and now everything works as we want it to.
They changed the procedure in v5.3 for another customer!

CA created a new token "RootPwAsOwn" and now we have a choice to allow a non-root user to change the password of root.

Regards CvB.