HPE Community
Operating System - HP-UX
1829762 Members
8586 Online
109992 Solutions
New Discussion

Modifying root's .profile - side effects

 
SOLVED
Go to solution
Joseph P. Smith
Regular Advisor

‎05-13-2008 06:02 AM

‎05-13-2008 06:02 AM

Modifying root's .profile - side effects

Good Morning,

The following lines have been added to root's .profile

. /usr/local/bin/lawprod.env
export TERM=univwin
export PATH=$PATH:/usr/sbin
. cv LSF9

These have effected
1. Terminal settings
- vi and other terminal dependent utilities either fail (e.g. scrolling past the bottom of the file only results in last line writing over last line) rather than scrolling
- "sam", "swinstall", etc report bad terminal setting, but ask if proper settings should be created. They are still break :-(.
2. $PATH variable sequence
- application-specific elements preceding the usual "standard" elements
Unmodified:
/usr/sbin:/usr/bin:/usr/ccs/bin:{...}
versus
Modified:
-/LSF9/gen/cgi-bin:/LSF9/gen/bin: {...}
then n elments later
/usr/sbin:/usr/bin:/usr/ccs/bin:{...} with spaces and tabs also

Therefore, a command that executed would execute a same-named script/program in a directory before the system standard directory/command. (I know you know that, but needed to put that in to document effects for others)

A request to remove said lines was rejected, and my offer to create aliases in root to execute these commands as needed was likewise rejected. Also rejected was a test for interactivity, and queries to execute said aliases.

My managers have asked me to verfiy that modifying root's .profile in this manner is/is not a good practice.

A search on ".profile" and "modifying root's .profile" have only found a thread on operator .profile that suggest that this is not a valid practice.

Plans to implement powerbroker are in the works, but this is effecting things now.

Thank-you for any helpful comments. ,,, Joe S.
0 Kudos
7 REPLIES 7
James R. Ferguson
Acclaimed Contributor

‎05-13-2008 06:11 AM

‎05-13-2008 06:11 AM

Solution

Re: Modifying root's .profile - side effects

Hi Joseph:

> vi and other terminal dependent utilities either fail ...

Seems like your system is badly crippled.

> Therefore, a command that executed would execute a same-named script/program in a directory before the system standard directory/command. (I know you know that, but needed to put that in to document effects for others)

You have set yourself up for a hugh security breach, since no doubt, the non-system directories are not under your control.

> A request to remove said lines was rejected, and my offer to create aliases in root to execute these commands as needed was likewise rejected. Also rejected was a test for interactivity, and queries to execute said aliases.

Who's the professional administrator here? Obviously you are cognizant of good practices and your managers are not.

> My managers have asked me to verfiy that modifying root's .profile in this manner is/is not a good practice.

Ask them for what they pay you.

Regards!

...JRF...
0 Kudos
James R. Ferguson
Acclaimed Contributor

‎05-13-2008 06:14 AM

‎05-13-2008 06:14 AM

Re: Modifying root's .profile - side effects

Hi (again) Joseph:

I should hasten to add that 'root' should be _reserved_ for pure server administration, _not_ as an application-level account!

Leave root's '.profile' alone. Provide a standalone script that can be sourced (read) or executed on an ad hoc basis if/only_when necessary.

Regards!

...JRF...
0 Kudos
Joseph P. Smith
Regular Advisor

‎05-13-2008 06:23 AM

‎05-13-2008 06:23 AM

Re: Modifying root's .profile - side effects

James,
Understood completely. I will "edit for readability and career opportunities" your comments ;-).

Any corroborating statements are welcome with points awarded for pungency and wit. Outright flames are discouraged however. ,,, Joe S.

0 Kudos
OldSchool
Honored Contributor

‎05-13-2008 07:59 AM

‎05-13-2008 07:59 AM

Re: Modifying root's .profile - side effects

a) "root" account is system administration only. The fact that *somebody* was able to modify it indicates a security lapse somewhere.
b) application should never run as "root" so they shouldn't be touching this
c) auditors are gonna have a field day if they find this. Think Sarbanes-Oxley... Payment Card Industry stds if applicable.
d) with those terminal settings, you'll have issues with the system utilities...which is gonna be real helpful when things really do wrong.

if such changes were made here, the person making them would be reprimanded...and maybe searching for other employment
0 Kudos
Joseph P. Smith
Regular Advisor

‎05-13-2008 08:07 AM

‎05-13-2008 08:07 AM

Re: Modifying root's .profile - side effects

James & "Old School"

I will close the thread.

Thank-you both for validating my understanding of root's "sanctity". I hope to impress upon those who need to understand this message the responses you have written.

As a newbie to the HP-UX side of ITRC (and still a Tru64 lurker/questioner) I am impressed. ,,, Joe S.
0 Kudos
Pete Randall
Outstanding Contributor

‎05-13-2008 08:34 AM

‎05-13-2008 08:34 AM

Re: Modifying root's .profile - side effects

Joe,

I'm sure that it's just an oversight on your part that James' carefully constructed and well thought out comments received no points, since you did remember to reward Old School. It would be nice if you could remedy that.


Pete


Pete
0 Kudos
Joseph P. Smith
Regular Advisor

‎05-13-2008 08:43 AM

‎05-13-2008 08:43 AM

Re: Modifying root's .profile - side effects

Good gosh! I'm sorry - well deserved points added Thank-you.

I'll offer these well-considered answers to comments I've made outside this forum to those concerned.

Thanks again. ,,, Joe S.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.