
Limited root permissions to a non-root account on trusted system

 
Glenn Mitchell_2
Frequent Advisor

Limited root permissions to a non-root account on trusted system

How do I allow a non-root user to perform selected root tasks without giving them the ability to su to root - and giving them the root password? The system is HP9000/800 N4000 HPUX 11.11 set up as a Trusted System.
Cheryl Griffin
Honored Contributor

Re: Limited root permissions to a non-root account on trusted system

sudo
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

or set up Restricted SAM
"Downtime is a Crime."
Sundar_7
Honored Contributor

Re: Limited root permissions to a non-root account on trusted system



You can use restricted sam.

Execute sam -r as root, select the user and enable the selected privileges for the user.

An alternative way would be to install the sudo package. Sudo is available for free from the net.

Learn What to do, How to do and more importantly When to do?
Mel Burslan
Honored Contributor

Re: Limited root permissions to a non-root account on trusted system

As the two previous posters said, sudo is the best fit for your needs, but a commercial alternative (better at logging events in a more secure way) is PowerBroker. According to my last conversation with them, their licensing starts with 10 servers for $2000/server + 20% yearly maintenance/upgrades. Very reliable product as I have used it in the past.

But if this is for casual use, sudo is the better option for the unbeatable price of zero :)
________________________________
UNIX because I majored in cryptology...
Glenn Mitchell_2
Frequent Advisor

Re: Limited root permissions to a non-root account on trusted system

Thank you for your replies. I will have to research the sudo utility.

The non-root user needs root permissions to give a database application utility permissions to kill select DB processes and gracefully remove the records from the database. Using the DB's utility (as non-root user) will show the pid but the utility refuses to delete it without root permission.

I cannot use the restricted sam Process Control to kill the selected process (outside the database) because the rest of the DB's cleanup functions will not happen and the database might become corrupt.

Would sudo help me address this problem?

Thank you for your help.
Sundar_7
Honored Contributor

Re: Limited root permissions to a non-root account on trusted system

Yes, with the above requirements, I think sudo is the way to go.

Create a script as root that does everything you would like the user to be able to do. You can also limit the user's ability in this case by filtering the PIDs inside the script.

For accountability reasons, you can also log the operations performed in the script by the users in a file.

Install sudo and allow the user(s) permission to execute this script as root.
Learn What to do, How to do and more importantly When to do?
Robert Fritz
Regular Advisor

Re: Limited root permissions to a non-root account on trusted system

One thing I'd add to the last post: if you're going to write a script to do a privileged function on behalf of a non-privileged user, I'd only use that as an administrative barrier unless you thoroughly analyze that code for unintended side-effects that a user could exploit to gain root. Shell script has inherent issues like escape characters, and ENV variables that change commands' behavior. These are in addition to the side-effect potential of any elevated privilege program. Short version: I'd be careful.
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
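
The wrapper-script approach from Sundar_7's reply, with the argument and environment handling that Robert Fritz's reply calls for, as an added example that is not part of the original thread or any poster's code. The script name and path, the utility path /opt/exampledb/bin/dbkill, the account dbowner and the sudoers line in the comment are assumptions, since the thread does not name the database.

```sh
#!/bin/sh
# dbkill-wrapper: hypothetical root-owned wrapper (mode 0755, not writable by
# others) that operators run through sudo. Assumed sudoers entry, via visudo:
#   OPERATOR ALL = /usr/local/sbin/dbkill-wrapper
# DB_UTIL and DB_USER are placeholders; the thread does not name the database.

# Fixed environment: ignore whatever the calling user exported.
PATH=/usr/bin:/usr/sbin:/bin; export PATH
unset IFS ENV CDPATH

DB_UTIL=/opt/exampledb/bin/dbkill   # placeholder for the DB's cleanup utility
DB_USER=dbowner                     # placeholder account owning DB processes

# Accept only a plain decimal PID above 1: no sign, blanks, leading zero or
# shell metacharacters survive the pattern match.
valid_pid() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "${#1}" -le 9 ] && [ "$1" -gt 1 ]
}

# Owner of a PID; HP-UX ps accepts -o only when UNIX95 is set.
pid_owner() {
    UNIX95=1 ps -o user= -p "$1" 2>/dev/null | tr -d ' '
}

# $1 = requested PID, $2 = owner of that PID. Prints the verdict.
check_request() {
    valid_pid "$1" || { echo "rejected-bad-pid"; return 1; }
    [ "$2" = "$DB_USER" ] || { echo "rejected-not-db-process"; return 1; }
    echo "allowed"
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 pid" >&2; return 2; }
    pid=invalid; owner=
    if valid_pid "$1"; then pid=$1; owner=$(pid_owner "$1"); fi
    verdict=$(check_request "$1" "$owner"); rc=$?
    # Log every attempt; only a validated PID is ever written to syslog.
    logger -p auth.notice -t dbkill-wrapper \
        "caller=${SUDO_USER:-unknown} pid=$pid $verdict"
    [ "$rc" -eq 0 ] || { echo "$verdict" >&2; return 1; }
    exec "$DB_UTIL" "$pid"
}

# With no arguments the file only defines its functions.
[ $# -eq 0 ] || main "$@"
```

The owner check and the call to the utility are not atomic, so a PID can be recycled between them; the database utility's own checks remain the final authority on what gets removed.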
Brian Markus
Valued Contributor

Re: Limited root permissions to a non-root account on trusted system

I use both sudo and restricted sam. Sudo is really easy.
Here is a link to the depot file.
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

Gunzip the file then use swinstall -s /tmp/filename.depot to install it.

Here is a sample config:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
# Host alias specification

# User alias specification
#Operators
User_Alias OPERATOR =user1, user2

# Cmnd alias specification

#Commands Operators are allowed to run as root
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias RM = /usr/bin/rm
Cmnd_Alias PGP = /opt/pgp/pgp

# Defaults specification
Defaults syslog=auth

# User privilege specification
root ALL=(ALL) ALL

OPERATOR ALL =KILL,PGP

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now





Hope this helps.

-Brian.
When a sys-admin says maybe, they don't mean 'yes'!
Glenn Mitchell_2
Frequent Advisor

Re: Limited root permissions to a non-root account on trusted system

Thank you for your replies.

I have downloaded the latest sudo software with associated docs and will be installing it on our development server Monday for evaluation prior to use on our validated production server (nothing is ever easy here). Thank you also for the sample config file - that will help a lo
Rick Garland
Honored Contributor

Re: Limited root permissions to a non-root account on trusted system

Here is an entry I believe is important in the sudoers file as well.

%grpname !/usr/bin/su *root*,!/usr/bin/su "", !/usr/bin/su -l,!/usr/bin/su -

I include this entry because I used to have users getting root access to systems and they did not have root passwd - I didn't know how they were doing it. I discovered that they had root access on 1 system. From this 1 system they would do an rlogin to a trusted system. The rlogin would take them to the other system as root! (Not Good)

This entry will prevent the users in the %grpname from becoming root but you can have cmd_aliases that specify the command they are supposed to work with.
Brian Markus
Valued Contributor

Re: Limited root permissions to a non-root account on trusted system

Sudo should work very well for you. I see that you haven't assigned any points to your posts. Assigning points is enough for most of us. :)

Good luck.

-B
When a sys-admin says maybe, they don't mean 'yes'!