Re: modprpw -k username

 
Nick D'Angelo
Super Advisor

modprpw -k username

HPUX 11i
I have set up sudo, but one user is having problems and receives the msg "Not Superuser" when executing the command above.

I have checked /etc/group and /etc/passwd to ensure that he is in the same group.

Any ideas?
Always learning
15 REPLIES
Christian Tremblay
Trusted Contributor

Re: modprpw -k username

From the modprpw man page:

" modprpw updates the user's protected password database settings. This
command is available only to the superuser in a trusted system. "
Jeff_Traigle
Honored Contributor

Re: modprpw -k username

What does your sudo configuration look like? Sounds like you didn't get that configured properly.
--
Jeff Traigle
Nick D'Angelo
Super Advisor

Re: modprpw -k username

##
# User alias specification
##
User_Alias FULLTIMERS = nickd, mikef, dowdy
User_Alias PARTTIMERS = tsaunder, dstart, cdouza, cknapp, langlcx, jwhite
##
# Host alias specification
##
Host_Alias HPPA = istatux
##
# Cmnd alias specification
##
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn, /usr/lbin, /usr/lbin/modprpw
Cmnd_Alias PASSWD = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/chfn, /usr/lbin
Cmnd_Alias CP = /usr/bin/cp
Cmnd_Alias MV = /usr/bin/mv

##
# users permissions
##
tsaunder ALL = VIPW, PRINTING, CP
nathan ALL = PRINTING, CP
smithmx ALL = VIPW, PRINTING, CP
dstark ALL = VIPW, PRINTING, CP
langlcx ALL = VIPW, PRINTING, CP, PASSWD
whitejg ALL = VIPW, PRINTING, CP
Always learning
Patrick Wallek
Honored Contributor

Re: modprpw -k username

How is the user executing the command? Is he/she doing:

$ sudo /usr/lbin/modprpw -k

If they omit the 'sudo' then you can receive a message exactly like you see.

You should also verify the 'sudo' permissions and ownership. It should have '--s--x--x' for permissions and the owner and group should both be root.
Nick D'Angelo
Super Advisor

Re: modprpw -k username

When I try and change the user's password, this is what I get.

Cannot access protected password entry

The other members of IT Support are able to /usr/bin/modprpw -k username so I do not believe that it is a syntax problem.

I believe that the /tcb/auth files might be missing something to complete his proper authentication for sudo.

Nickd
Always learning
Patrick Wallek
Honored Contributor

Re: modprpw -k username

Hmmm...

What does:

# pwck -s

show?

Does this user have the appropriate file in /tcb/files/auth/<letter>/<username>?

Where <letter> is the first letter of the user's username and <username> is the username. For example, for root the file is /tcb/files/auth/r/root.

If that file does not exist then the user will definitely have problems.
Nick D'Angelo
Super Advisor

Re: modprpw -k username

The IT user with sudo problems does not have an entry in the protected password database
Always learning
Prashant Zanwar_4
Respected Contributor

Re: modprpw -k username

I didn't understand the problem completely..

but here is what if you want to reset user password or just reinvoke user

/usr/lbin/modprpw -l -k user
/usr/lbin/modprpw -l -v user

or change user password first and then issue above commands..

Next thing is

/etc/sudoers, whatever access user needs, should be mentioned below this.. like %group will follow what accesses he will have.. make an entry for user..

Prashant
"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."
Patrick Wallek
Honored Contributor

Re: modprpw -k username

Well, it needs one. I'm not sure how the user was created without its entry in /tcb/files/auth/...., but in order for it to work, it has to be there. The password, and a load of other information, is stored in that file. I would advise deleting and re-creating that particular user either with useradd or through SAM.
doug hosking
Esteemed Contributor

Re: modprpw -k username

Also be aware that modprpw checks the REAL uid, not the EFFECTIVE uid when doing the test for superuser.
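
The checks raised in the replies above (real uid, the /tcb/files/auth entry, sudo's setuid bit and ownership), collected as an added example that is not part of any poster's reply. The function names, the TCB_ROOT override and the script name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks collected from the replies in this thread.
# TCB_ROOT can be overridden to point at a constructed directory for testing.
TCB_ROOT="${TCB_ROOT:-/tcb/files/auth}"

# modprpw tests the REAL uid, so a setuid wrapper (effective uid only) is not
# enough; sudo runs the command with real uid 0 by default.
real_uid_is_root() {
    [ "$(id -u -r)" -eq 0 ]
}

# Protected password entry: <TCB_ROOT>/<first letter of username>/<username>
tcb_entry_path() {
    printf '%s/%s/%s\n' "$TCB_ROOT" "$(printf '%s' "$1" | cut -c1)" "$1"
}

# Needs read access to the TCB tree, so run this check as root.
has_tcb_entry() {
    [ -n "$1" ] && [ -f "$(tcb_entry_path "$1")" ]
}

# sudo itself must be setuid and owned by root:root to be able to switch uid.
setuid_root_owned() {
    [ -u "$1" ] || return 1
    ls -ln "$1" | awk '{ exit !($3 == 0 && $4 == 0) }'
}

# Print one line per failed check; return non-zero if any check failed.
preflight() {
    rc=0
    real_uid_is_root || { echo "real uid $(id -u -r): prefix the command with sudo"; rc=1; }
    has_tcb_entry "$1" || { echo "no TCB entry at $(tcb_entry_path "$1")"; rc=1; }
    setuid_root_owned "$2" || { echo "$2 is not setuid root:root"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh <username> <path-to-sudo>
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

Run through sudo, the first check passes; run directly from a normal login it fails, which matches the "Not Superuser" message in this thread.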
Bill Hassell
Honored Contributor

Re: modprpw -k username

If the problem user does not have an entry in the protected database, then the user ID is bogus and sudo is correctly denying access. This often happens when someone edits the passwd file to add or delete a user -- something that will corrupt the passwd/tcb database. Be sure you tell EVERYONE that has vipw capability to never add or delete users with vi or vipw. The Trusted system is different than a simple passwd file.

Delete the bad user and then re-add the user correctly with SAM or useradd.


Bill Hassell, sysadmin
Nick D'Angelo
Super Advisor

Re: modprpw -k username

Bill, I am the only one who adds users and I never vi to add them.

I use useradd as part of a script.

I will delete the user using sam and add it using sam and get back to the forum.

Thanks
Always learning
Nick D'Angelo
Super Advisor

Re: modprpw -k username

I recreated the user using sam.

I logged on as the user and completed the steps below and no go.

$ cd /usr/lbin
$ ./modprpw -k tsaunder
Not Superuser.

I have attached my sudoers file.

There is an entry in the /tcb/files/auth/l directory for langlcx
Always learning
Patrick Wallek
Honored Contributor
Solution

Re: modprpw -k username

In order to use 'sudo' you MUST preface the commands you run with sudo. So to run your modprpw you should do:

$ sudo /usr/lbin/modprpw -k

sudo can't do anything unless it is actually executed.
Nick D'Angelo
Super Advisor

Re: modprpw -k username

I feel like such a loser.

Sometimes you can't see the trees for the forest.

If everyone would like full points, please post a reply due to my being a dolt.

Thanks
Always learning