Operating System - HP-UX

Is it possible to create a user that can only add new users?

 
SOLVED
Roderick Derks
Frequent Advisor

Is it possible to create a user that can only add new users?

An application on the server needs root rights to add users to the system so that people can work with the application from their workstations.
I'm not too happy with this because application administrators now need the root password. The application uses the root account and just asks the appl admin for the password.

Is there a way to create a user that can add new users (not with sudo)? And does not need more rights on the system? The HPUX is converted to a secure system.

Thanks in advance!
John Payne_2
Honored Contributor

Re: Is it possible to create a user that can only add new users?

You could try using restricted SAM. (sam -r) With restricted SAM, you select a user to have certain portions of SAM. After you set it up, they type "SAM", and when it loads, they only have the sections of SAM you specify.

FYI, SAM also allows you to add custom applications to its list, so if they needed "1 other thing", you could add that to restricted SAM, and they can run those things with root privilege without having other access...

Hope it helps

John
Spoon!!!!
Victor BERRIDGE
Honored Contributor
Solution

Re: Is it possible to create a user that can only add new users?

Hi Roderick,
The only way I see for a user being able to create users without sudo, su etc.. is configuring the user to use a restricted sam, with only the right to create users...

Type as root sam -r and give your user just that right


All the best
Victor
Roderick Derks
Frequent Advisor

Re: Is it possible to create a user that can only add new users?

Restricted SAM is a good idea. The thing is that the application is switching to root, then uses the useradd command, and then switches back to the regular user that is used to run the app.

What I want is the application to switch to another user that has restricted rights.
Probably only rw rights on some files. And the useradd command.

Is this possible? Also on a converted HP system?
Victor BERRIDGE
Honored Contributor

Re: Is it possible to create a user that can only add new users?

Hi,
Have you an idea how the application switches to root?
The only way I can see is using sudo, and writing aliases for all the calls the application makes in order to "spoof" the calls, forcing the use of sudo

All the best
Victor
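
One way to narrow the sudo approach mentioned in the reply above, as an added example that is not part of the thread or of any poster's setup: sudo would be allowed to run this wrapper instead of `useradd` itself, so the caller supplies only a login name. The script name, the group `appusers`, the home base, the shell and the 8-character name policy are assumptions.

```shell
#!/bin/sh
# add_app_user.sh (hypothetical name): the single command the application
# account would be permitted to run as root, in place of useradd.
# Assumed policy: fixed group, shell and home base; caller gives a login only.
LC_ALL=C; export LC_ALL            # make the a-z ranges below byte-exact

APP_GROUP="appusers"               # assumed group for application users
APP_SHELL="/usr/bin/sh"            # assumed login shell
HOME_BASE="/home"                  # assumed home directory base
USERADD="/usr/sbin/useradd"

# Return 0 only for 1-8 chars: a lowercase letter, then lowercase letters
# or digits. A name starting with "-" is rejected, so no useradd option
# (such as a chosen UID) can be passed through the wrapper.
validate_login() {
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Print the exact useradd command line used for a valid name.
build_cmd() {
    validate_login "$1" || return 1
    printf '%s -g %s -s %s -m -d %s/%s %s\n' \
        "$USERADD" "$APP_GROUP" "$APP_SHELL" "$HOME_BASE" "$1" "$1"
}

main() {
    if [ "$#" -ne 1 ] || ! validate_login "$1"; then
        echo "usage: $0 <login: 1-8 chars, a-z then a-z0-9>" >&2
        return 2
    fi
    # Refuse names already present in the password file.
    if grep -q "^$1:" /etc/passwd; then
        echo "login $1 already exists" >&2
        return 3
    fi
    "$USERADD" -g "$APP_GROUP" -s "$APP_SHELL" -m -d "$HOME_BASE/$1" "$1"
}

# Runs only when called with arguments; with none, the file just defines functions.
[ "$#" -eq 0 ] || main "$@"
```

The wrapper should be owned by root and not writable by anyone else, otherwise the account allowed to run it can change what runs as root.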
Roderick Derks
Frequent Advisor

Re: Is it possible to create a user that can only add new users?

The application uses telnet from a client to the server. This made me very unhappy. I'm discussing the solution with the supplier of the software. It's probably going to be restricted sam.

Thanks for the input y'all!