Kgreen
Advisor

restrict root access

Hi, I have about 50 HP-UX servers that are newly set up. Right now I have to share the root password with many people. Now I have taken 10 servers and created a passwd file over to restrict access on these 10 servers. How can I restrict people from giving out the root login and password? What is the way and solution so that I have a user with ksh shell and he gains access to root without knowing the root password?
IT_2007
Honored Contributor

Re: restrict root access

Check this Sudo software from HP.

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

With this you don't have to give root password but you can restrict users to certain commands.

Also, you can consider Power Broker, which is very useful and needs to be purchased.
Bill Hassell
Honored Contributor

Re: restrict root access

The simplest way to restrict access to root is to change the password and not give it out anymore. The only root users are ones that are trained and responsible for the systems (not DBAs...). To further restrict (and log) root access, don't allow remote root logins by doing this:

echo "console" > /etc/securetty

Now, direct login as root requires the user to be at the physical console. All other users must use su - or sudo. The reason that sudo is so important is that it can restrict users to certain commands. If you don't restrict the commands that casual operators can issue, your system will be quite unsecure and also unstable. Download sudo for free from software.hp.com


Bill Hassell, sysadmin
Kgreen
Advisor

Re: restrict root access

Is the sudo tool free from HP?
Pete Randall
Outstanding Contributor

Re: restrict root access

Not from HP but it is freely available from the porting center:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.8p9/


Pete
Peter Godron
Honored Contributor

Re: restrict root access

Hi,
one version is available (for free) from here:
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p9/
Marvin Strong
Honored Contributor

Re: restrict root access

You can set up sudo as suggested for those people that require root use.

Another method would be the use of secure shell keys for the users in root's .ssh/authorized_keys file; however, doing this you lose some of the logging functionality that sudo would provide.

With either of these methods you can provide people root access with them not knowing the root passwd.

Sudo is the easier method to implement.

I would probably go one step further with sudo and only allow them to use the commands they needed. And not give them full access unless there was no alternative. If I don't trust this user with the root passwd then I don't trust them with all root commands, thus I will limit them as much as possible.
Bill Hassell
Honored Contributor

Re: restrict root access

> is the sudo tool free from HP

Yes it is available from HP. The product can be downloaded from software.hp.com -- note that it has been built for 11i only (11.11 and 11.23). Get a copy from:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123


Bill Hassell, sysadmin
D Anderton
Advisor

Re: restrict root access

Create a new group in /etc/group and place all the users you want to allow root access in that group. Then set SU_ROOT_GROUP= /etc/default/security file. Use this in addition to /etc/securetty set to console. If the user is not in the su_root_group, the user will not be able to su to root.
Kgreen
Advisor

Re: restrict root access

Good point to do. But still I will have to share the root password with a few users in that group. The purpose here is to keep the root access secure.
Bill Hassell
Honored Contributor

Re: restrict root access

If you use sudo, no one needs to know the root password. That's the point with sudo. Without sudo, the SU_ROOT_GROUP just collects users that are allowed to use su to root. Outside that group, users cannot su to root, but if the password is known to a user they can always login (not good). A better technique is to use securetty to disallow any direct login to root (except the console). Then users in the SU_ROOT_GROUP can use su.


Bill Hassell, sysadmin
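
The settings recommended in this thread (/etc/securetty limited to console, SU_ROOT_GROUP in /etc/default/security, and that group's membership in /etc/group) can be checked on each host with a short script. This is an added example, not part of any reply above; the function names and the group name rootadm are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the root-access settings discussed in this thread.
# File paths are arguments so the checks can run against copies of the files.

# securetty_ok FILE: true only if the sole non-blank entry is "console".
securetty_ok() {
    [ -f "$1" ] || return 1
    entries=$(grep -v '^[[:space:]]*$' "$1" | tr -d ' \t')
    [ "$entries" = "console" ]
}

# su_root_group FILE: print the SU_ROOT_GROUP value; fail if unset or empty.
su_root_group() {
    [ -f "$1" ] || return 1
    val=$(sed -n 's/^[[:space:]]*SU_ROOT_GROUP=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val"
}

# group_members GROUPFILE GROUP: print the member list; fail if no such group.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4; found = 1 } END { exit !found }' "$1"
}

# audit_root_access SECURETTY SECURITY GROUPFILE: report, return failure count.
audit_root_access() {
    fails=0
    if securetty_ok "$1"; then echo "OK   securetty: direct root login limited to console"
    else echo "FAIL securetty: missing or allows more than console"; fails=$((fails + 1)); fi
    if grp=$(su_root_group "$2"); then
        if members=$(group_members "$3" "$grp"); then
            echo "OK   SU_ROOT_GROUP=$grp, members: ${members:-none}"
        else echo "FAIL SU_ROOT_GROUP=$grp is not in the group file"; fails=$((fails + 1)); fi
    else echo "FAIL SU_ROOT_GROUP is not set"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample files (not from a real host); "rootadm" is a made-up group.
demo=$(mktemp -d)
printf 'console\n' > "$demo/securetty"
printf 'SU_ROOT_GROUP=rootadm\n' > "$demo/security"
printf 'root::0:root\nrootadm::300:alice,bob\n' > "$demo/group"
audit_root_access "$demo/securetty" "$demo/security" "$demo/group"
rm -rf "$demo"
```

On a real host, call audit_root_access /etc/securetty /etc/default/security /etc/group and review the listed group members, since those are the accounts that can still su to root.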