Operating System - HP-UX

questions about root access

Chris Fadrowski
Super Advisor

questions about root access

1. Is there a command that I can use to see what users have root access?

2. I would like to create a username with root access. Is this possible, or are there still some restrictions that will require the user to su to root?

Thank you in advance.
6 REPLIES
Geoff Wild
Honored Contributor

Re: questions about root access

1. Depends - are you talking native OS or 3rd party application?

You can check /var/adm/sulog and /var/adm/syslog/syslog.log to see who switches to whom.

Basically, anyone who has the root password can become root.

2. Not a good idea - strongly (no strenuously) object to that. Better to use sudo. That said, you can do this by creating users with the same uid as root: 0

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Patrick Wallek
Honored Contributor

Re: questions about root access

1) How do you define root access? You can set users up to have access to certain groups (bin, sys, etc) so they can run commands. You can also set users up in something like 'sudo' so they can run commands as root. BUT unless you have set up multiple users and assigned them a UID of '0', then normal users do not have "root" access.

2) You **COULD** set up a user, and then modify that user so that the UID in /etc/passwd (and the /tcb/files/auth/?/username file) is 0. This will create a user that is the same as root. However, this is a VERY VERY VERY BAD idea. Under no circumstances would I ever recommend doing this.

A better idea would be to install and set up something like 'sudo'. sudo allows you to set up users and allow them to run commands as root.

For information on sudo have a look at:

http://www.gratisoft.us/sudo/
Jaime Bolanos Rojas.
Honored Contributor

Re: questions about root access

Chris, if you check your /etc/passwd file, all of the users listed there that have a user ID of 0 will have root access.

And when creating that new user if you wanted to have root access the only thing you do is specify that you want that user to have user ID 0 and it will have root privileges.

Regards,

Jaime.
Work hard when the need comes out.
DCE
Honored Contributor

Re: questions about root access

1. Just look in /etc/passwd. Any user who has a UID of zero has full root access

2. It is NOT a good idea to give usernames full root access. If you do, you will have no audit trail. The system tracks commands by uid, not username. So if a command is issued you have no way to track it.

An ID other than root with root privileges (uid 0) will be a big negative mark if your system is ever audited for security.

By using su or sudo, you at least know who switched to root and what time they did, so you can tie any problems/issues that occur in that time frame back to them.
Kenan Erdey
Honored Contributor

Re: questions about root access

hi;

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1030858
Computers have lots of memory but no imagination
James R. Ferguson
Acclaimed Contributor

Re: questions about root access

Hi Chris:

1. Is there a command...to see what users have root access? Well, those who know the root password! Beyond that, you can consult '/var/adm/sulog' to see users who logged in as themselves and 'su'ed to root.

You should also look at the features of '/etc/default/security'. See the manpages for 'security(4)', in particular the 'SU_ROOT_GROUP' option.

You might want to create an '/etc/securetty' file to limit direct logins to the root account to the console. See the manpages for 'login(1)' for details on how to do this.

2. Do *NOT* set up multiple accounts with a uid=0. While the uid=0 means you have root privilege, consider what would happen if you had an account named 'chris' with a uid=0. While you would have the rights of root, suppose someone did:

# find / -user chris -exec rm -rf {} \;

...you just annihilated your system!!! Remember, everything is a number to the operating system.

You can use 'sudo', restricted SAM and/or C program wrappers owned by root with their setuid permission set to accommodate special needs.

Regards!

...JRF...
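The two checks the replies keep coming back to (list every uid-0 entry in /etc/passwd, and read /var/adm/sulog to see who actually switched to root) can be scripted so they run unattended as part of a periodic audit. The script below is an added example and is not from any poster in this thread; it takes the file paths as arguments so it can be run against copies of the real files, and it ships with constructed sample passwd and sulog data. It assumes the classic System V sulog layout ("SU mm/dd hh:mm + tty from-to"); check the format on your own system before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the two checks
# the replies describe. Paths are passed in, so the functions can be run
# against copies of /etc/passwd and /var/adm/sulog.

# List every account whose numeric UID (field 3) is 0, as "name:shell".
# More than one line here means a second root-equivalent login exists.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $7 }' "$1"
}

# Number of uid-0 accounts; anything above 1 is the situation DCE and
# JRF warn about (no audit trail, 'find -user' confusion).
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# Report successful su-to-root events from a System V style sulog.
# Assumed line layout: SU mm/dd hh:mm [+-] tty from-to
# Only '+' (successful) lines whose target is root are printed,
# as "user tty date time".
su_to_root() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
            sub(/-root$/, "", $6)
            print $6, $5, $2, $3
         }' "$1"
}

# --- Constructed sample data (not real system files) ---
SAMPLE_PASSWD=${TMPDIR:-/tmp}/passwd.sample.$$
SAMPLE_SULOG=${TMPDIR:-/tmp}/sulog.sample.$$
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SULOG"' EXIT

# "chris" has been given uid 0, exactly the setup the replies advise against.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
chris:*:0:20:Chris F:/home/chris:/usr/bin/ksh
jaime:*:105:20::/home/jaime:/usr/bin/sh
EOF

# One failed attempt (-) and one su to a non-root account are filtered out.
cat > "$SAMPLE_SULOG" <<'EOF'
SU 03/14 09:02 + pts/1 chris-root
SU 03/14 09:15 - pts/2 jaime-root
SU 03/14 11:40 + pts/2 jaime-bin
SU 03/15 08:00 + console chris-root
EOF

# Stand-alone run: show both reports for the sample files.
echo "uid-0 accounts ($(uid0_count "$SAMPLE_PASSWD")):"
uid0_accounts "$SAMPLE_PASSWD"
echo "successful su to root:"
su_to_root "$SAMPLE_SULOG"
```

On a live system, run it as `uid0_accounts /etc/passwd` and `su_to_root /var/adm/sulog`; on a trusted-system (/tcb) host the shadowed files do not change field 3 of /etc/passwd, so the uid check still applies.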