
Root access

 
MATHE
Occasional Contributor

Root access

Hello everybody,

My question is about security, and most particularly root access to an HP-UX system.

I would like to know if it is possible (and if so, how) to decide who can become root. Is there a config file like /var/adm/cron.allow, but for root access?
As a consequence, only the defined users could become root.
I hope it is clear.
Many thanks for your help.
Regards,

Eric.
9 REPLIES 9
Bharat Katkar
Honored Contributor

Re: Root access

Hi,
Any user who wants to become root uses the "su" command. If you control the owner/permissions of it, then it is possible.
Also create the /etc/securetty file and add "CONSOLE" to it so that direct root login is only possible through the console; others have to use su to get root access.

Hope that helps,
regards,
You need to know a lot to actually know how little you know
Sanjay Kumar Suri
Honored Contributor

Re: Root access

Any user with UID=0 in /etc/passwd has root powers.

sks
A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.
Bruno Ganino
Honored Contributor

Re: Root access

Try with Modification of permission or with settings of password to /etc/passwd.
See man ...
chgrp chown
HTH
Bruno
Torino (Turin) +2H
Michael Tully
Honored Contributor

Re: Root access

Besides using the UID of zero in the password file, which is an extremely bad idea, you can use 'su -', which will ask for a password to be entered. There are other ways, of course, to delegate root-related tasks; these are from a 'restricted sam' and my favourite, 'sudo'. There are many posts on both of these subjects. Take the time to review some of them. Access to the root password and root access should be treated with utmost caution.
Anyone for a Mutiny ?
MATHE
Occasional Contributor

Re: Root access

Many Thanks for your answers.
I'm going to check it.
Regards,
Eric.
Michael Tully
Honored Contributor

Re: Root access

One further thing. All attempts to use root from 'su -' are logged into /var/adm/sulog.
You can also use this file to audit unsuccessful attempts as well. Using 'root' directly as a login is a bad idea and should be discouraged by using the /etc/securetty file.
Anyone for a Mutiny ?
Gary L. Paveza, Jr.
Trusted Contributor

Re: Root access

If you're looking to limit who can become root, you can put an entry in /etc/default/security such as:

SU_ROOT_GROUP=

Then only people who are a member of that group can su to root - even if the others know the password (provided you eliminate direct login of root).

Not only is this good for security, but it can prevent users from locking the root user ID due to login attempts because they were doing a su and mistyped.
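
The checks suggested across the replies above (no extra UID 0 accounts, root login limited to the console through /etc/securetty, SU_ROOT_GROUP set in /etc/default/security, failed attempts in /var/adm/sulog) can be run together as one script. This is an added example, not part of the original posts; the function names and the sulog line layout shown in the comment are assumptions, and the default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: checks for the root-access controls named in this thread.
# Paths are arguments so each check can be run on copies of the files.

# Accounts other than root that have UID 0 (third field of /etc/passwd).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeeds only if securetty exists and "console" is its single entry.
root_console_only() {
    [ -f "$1" ] || return 1
    awk 'NF { n++; if (tolower($1) != "console") bad = 1 }
         END { exit !(n == 1 && bad == 0) }' "$1"
}

# Prints the SU_ROOT_GROUP value; fails if the key is missing or empty.
su_root_group() {
    [ -f "$1" ] || return 1
    awk -F= '$1 == "SU_ROOT_GROUP" { g = $2 }
             END { if (g == "") exit 1; print g }' "$1"
}

# Failed su attempts to root. Assumed sulog layout (constructed sample):
#   SU 05/21 10:17 - ttyp2 userb-root     ("+" success, "-" failure)
failed_su_to_root() {
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ { print $2, $3, $5, $6 }' "$1"
}

# Run all four checks and print one line per finding.
report() {
    for u in $(extra_uid0 "$1"); do echo "WARN: extra UID 0 account: $u"; done
    root_console_only "$2" || echo "WARN: $2 does not limit root login to console"
    if g=$(su_root_group "$3"); then echo "OK: su to root limited to group $g"
    else echo "WARN: SU_ROOT_GROUP not set in $3"; fi
    if [ -f "$4" ]; then failed_su_to_root "$4" | sed 's/^/FAILED su: /'; fi
    return 0
}

report "${1:-/etc/passwd}" "${2:-/etc/securetty}" \
       "${3:-/etc/default/security}" "${4:-/var/adm/sulog}"
```
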
Bharat Katkar
Honored Contributor

Re: Root access

Eric.
Don't forget to assign points for replies that were helpful.
Refer to the link below for more clarification.

http://forums1.itrc.hp.com/service/forums/helptips.do?admit=716493758+1085211538437+28353475#33

Don't mind. :))
Thanks,

Bharat
You need to know a lot to actually know how little you know
Mark Grant
Honored Contributor

Re: Root access

Seems to me that there isn't a great deal of point in restricting the users that can su to root. If you restrict "su to root" to only userA then all you have done is made naughty userB have to run his/her password cracking code on userA's account first. Doesn't help too much.

Best not let anyone have root access if it's particularly important. Keep root password in an envelope in a safe. You then need human authorization (and a key) to access it.

Never precede any demonstration with anything more predictive than "watch this"