HPE Community
Operating System - HP-UX
1850405 Members
2615 Online
104054 Solutions
New Discussion

Re: psuedo root logon

 
SOLVED
Go to solution
Mike Tufariello
Frequent Advisor

‎06-29-2006 02:30 AM

‎06-29-2006 02:30 AM

psuedo root logon

I had heard from my CE that if I have multiple users who need root access, that as system administrator I could limit the "abilities" of other root users through something called pseudo root. I have checked all man pages and search engines and can not find anything about this.

Can anyone offer some thoughts?

Thanks,
0 Kudos
9 REPLIES 9
Pete Randall
Outstanding Contributor

‎06-29-2006 02:36 AM

‎06-29-2006 02:36 AM

Re: psuedo root logon

It's actually a software package called sudo:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.8p12/


Pete

Pete
0 Kudos
Arunvijai_4
Honored Contributor

‎06-29-2006 02:39 AM

‎06-29-2006 02:39 AM

Re: psuedo root logon

Hi Mike,

Are you taking about "Sudo" ? It is part of HP-Internet which can be downloaded from

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

Also, check out this http://www.courtesan.com/sudo/man/sudo.html

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
0 Kudos
Rick Garland
Honored Contributor

‎06-29-2006 02:41 AM

‎06-29-2006 02:41 AM

Re: psuedo root logon

sudo is what is probably being referred to.

Allows the configuration of users to have superuser access to a specified set of commands. You specify these commands in your configuration.
0 Kudos
Victor BERRIDGE
Honored Contributor

‎06-29-2006 02:52 AM

‎06-29-2006 02:52 AM

Re: psuedo root logon

Yes,
There are (not so) many programs for that, sudo , su2, super...
sudo is the best known and used in this group, so I would opt for sudo, like that we could help you in ideas of configuration...

The idea of the product is to allow a su as root for a - or a list of commands....

Now depending what you want to do, perhaps a restricted SAM suffice
This is sam -r option


All the best
Victor
0 Kudos
Mike Tufariello
Frequent Advisor

‎06-29-2006 03:05 AM

‎06-29-2006 03:05 AM

Re: psuedo root logon

Thanks to all.

Hi again Victor.
I have limited some users using the SAM -r. But I have a few "power" users who are command line users. I want to prevent them from ching files that I, as administrator, have created. That's really the bottom line. They need to run copies, renames, etc. But I really want to protect directories and files within the directories from change.
0 Kudos
James R. Ferguson
Acclaimed Contributor

‎06-29-2006 03:15 AM

‎06-29-2006 03:15 AM

Re: psuedo root logon

Hi Mike:

If you set the "sticky" bit on a directory, then only the owner of a file (or root, of course) in the directory can remove it. To set the sticky bit, do:

# chmod 1777 /path

Does this help?

Regards!

...JRF...
0 Kudos
Victor BERRIDGE
Honored Contributor

‎06-29-2006 03:15 AM

‎06-29-2006 03:15 AM

Re: psuedo root logon

Well Mike,
Im not sure I follow you here...
Should I understand You want in a given directory only you can modify the content?

First your users if you grant sudo functionality should not chmod as root...

I understand a correct and well thought configuration of group option and priviledge can do the trick
You may need to explain a bit more...


All the best
Victor
0 Kudos
Bill Hassell
Honored Contributor

‎06-29-2006 01:11 PM

‎06-29-2006 01:11 PM

Solution

Re: psuedo root logon

The problem is that sudo can restrict specific users to a set of commands, but there is no way to document what files are OK and what files are not to be changed. Note that rm is not the only destructive command. cp can destroy a file (the destination) and so can mv. It sounds like you have some social problems that need to be resolved. sudo can give users a group commands (and disallow all others), but giving root privileges away is always a big risk. If you allow sudo to run vi, then you've given the whole shop away as destruction is easy to accomplish with no audit trail.


Bill Hassell, sysadmin
0 Kudos
Mike Tufariello
Frequent Advisor

‎07-21-2006 03:26 AM

‎07-21-2006 03:26 AM

Re: psuedo root logon

Thanks to all.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.