
Root disabled

 
abcbsuser
New Member

Root disabled

The root id was inadvertently disabled after unsuccessful attempts to log in on an HP-UX L-class system running HP-UX 11.0. We have discovered that any "joe user" could disable the root id by just trying to log into root.
It is unacceptable to have to reboot to single-user mode just to get root back. How can I remove the trusted-system limitations from the root id?
Patrick Wallek
Honored Contributor

Re: Root disabled

I am under the impression that even if root gets disabled, you should still be able to log in as root from the console. Someone suggested previously that you set up a user that has restricted SAM access and can reset users when they are locked, including root.
Brian Markus
Valued Contributor

Re: Root disabled

If your root user is locked out, assuming that your box was not compromised and your password is still good, you can log into the system console. HP-UX has a fail-safe by default for root. However, this can be turned off. If for some reason you do not have the password or can't remember it, you can reboot the machine and boot into single-user mode. In single-user mode, by default, you can change root's password without knowing the old one. (Another thing that can be turned off.)
If this system is trusted, you could use the command /usr/lib/modprpw -k user, which will re-enable the user, or vi the /tcb/files/auth/r/root file and take out the encrypted password string. This will allow you to log in, and it will prompt you for a new password.

I was the person who recommended in the forum to use the "Restricted SAM". Just type sam -r; this will bring you into a screen that looks just like your normal SAM. It will pop up with a screen asking which user/group you would like to edit. Select your root alternate, then click enable on all the features you wish them to have. You could also have another 0:3 root user. Just remember, if you do this there is a possibility of SYSTEM CRASH. Yes, system crash. I'll explain. All files with id 0 should be user "root"; if you name your root-equivalent user something that comes before root in the alphabet (i.e. bubba), all of your files will say bubba:sys. Most of your programs, including SAM, require the files to be owned by root and will puke! (Don't ask how I know this; it was a major headache.)

Hope this helps!!

Brian Markus
When a sys-admin says maybe, they don't mean 'yes'!
Satish Y
Trusted Contributor

Re: Root disabled

Hi,

Even if root gets disabled, you can log in as root through the console if you know the root password.
You can enable the account by logging in as root in a number of ways:

/usr/lbin/modprpw -k root
or
By SAM
or
Place the character '@' after the u_lock parameter in the /tcb/files/auth/r/root file, like ...:u_lock@:...
or
Remove the encrypted passwd string from /tcb/files/auth/r/root and log in as root; this time it won't ask you for a passwd and you can set a new passwd.

If you don't have the password for root there is no way other than bringing the system into single-user mode.

I advise you to build a restricted SAM user for enabling accounts with root privileges, so that even if root gets disabled in the future you can log in with that.

Hope this helps you.

Cheers...
Satish.
Difference between good and the best is only a little effort
Joseph A Benaiah_1
Regular Advisor

Re: Root disabled

You could write a program in C to do this and code it so that only certain users can run it. I have done this as all our systems are trusted and people are frequently disabling the root passwords.

Regards,

Joseph.
Vincenzo Restuccia
Honored Contributor

Re: Root disabled

Write a C program with /usr/sbin/reboot, permission chmod 4501 (-r-s-----x).
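An added example, not code posted by anyone in this thread: a minimal setuid-root C wrapper of the kind Joseph and Vincenzo describe, which lets members of one administrative group run the `/usr/lbin/modprpw -k <account>` command Satish gives above without having a working root login. The group name `rootfix`, the install path, the 8-character account-name limit and the clean `PATH` are assumptions for illustration; the argument validation and group check are the parts worth copying, since a setuid program that passes its argument straight to another command is itself a way to lose root.

```c
/*
 * unlock_root.c  -- added example, not from the original thread.
 *
 * Setuid-root wrapper: a member of ADMIN_GROUP runs it from their own
 * login to re-enable a locked trusted-system account by exec'ing
 *     /usr/lbin/modprpw -k <account>
 * as root. The caller's argument and environment are distrusted.
 * ADMIN_GROUP, MAX_USER and the PATH below are assumptions.
 */
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MODPRPW     "/usr/lbin/modprpw"  /* path as quoted in the thread */
#define ADMIN_GROUP "rootfix"            /* assumed: group allowed to unlock */
#define MAX_USER    8                    /* assumed classic HP-UX name limit */

/* Accept only a plain account name: 1..MAX_USER chars, first a lowercase
 * letter, the rest lowercase letters, digits or '_'. This also rejects
 * anything modprpw could read as an option ("-l") or that holds a path. */
int valid_username(const char *s)
{
    size_t n;
    if (s == NULL || *s == '\0')
        return 0;
    n = strlen(s);
    if (n > MAX_USER)
        return 0;
    if (!islower((unsigned char)s[0]))
        return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_'))
            return 0;
    }
    return 1;
}

/* Is gid g present in a list of n gids? Used with getgroups(). */
int gid_in_list(gid_t g, const gid_t *list, int n)
{
    for (int i = 0; i < n; i++)
        if (list[i] == g)
            return 1;
    return 0;
}

/* Authorisation is based on the *real* caller, not the euid the setuid bit
 * granted: ADMIN_GROUP must be the primary or a supplementary group. */
static int caller_allowed(void)
{
    struct group *gr = getgrnam(ADMIN_GROUP);
    gid_t *groups;
    int n, ok;

    if (gr == NULL)
        return 0;                       /* group missing: fail closed */
    if (getgid() == gr->gr_gid)         /* real primary group */
        return 1;
    n = getgroups(0, NULL);             /* supplementary group count */
    if (n <= 0)
        return 0;
    groups = malloc((size_t)n * sizeof *groups);
    if (groups == NULL)
        return 0;
    n = getgroups(n, groups);
    ok = (n > 0) && gid_in_list(gr->gr_gid, groups, n);
    free(groups);
    return ok;
}

int main(int argc, char **argv)
{
    /* Assumed minimal environment; nothing from the caller is inherited. */
    static char *const clean_env[] = { "PATH=/usr/bin:/usr/sbin", NULL };

    if (argc != 2 || !valid_username(argv[1])) {
        fprintf(stderr, "usage: %s <account>\n", argv[0]);
        return 2;
    }
    if (!caller_allowed()) {
        fprintf(stderr, "%s: you are not in group %s\n", argv[0], ADMIN_GROUP);
        return 1;
    }
    /* Become root for real (not only effective) so modprpw does not see a
     * non-root real uid, then exec by absolute path with the clean env. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execle(MODPRPW, "modprpw", "-k", argv[1], (char *)0, clean_env);
    perror(MODPRPW);                    /* only reached if the exec failed */
    return 1;
}
```

Build and install it as root, e.g. `cc -o /usr/local/sbin/unlock_root unlock_root.c; chown root:rootfix /usr/local/sbin/unlock_root; chmod 4750 /usr/local/sbin/unlock_root` (the path and group are the assumptions above). A member of `rootfix` then runs `/usr/local/sbin/unlock_root root` from their own session. Mode 4750 with group ownership is an alternative to the 4501 in the post above: non-members cannot even execute the wrapper, and the in-program group check remains as a second layer if the ownership is ever changed. The wrapper takes a validated account name rather than hard-coding `root` so the same tool can unlock other trusted-system accounts; replace `argv[1]` with `"root"` if that is all you want it to do. It only works on a trusted (converted) system, because that is where `modprpw` and the `/tcb` database exist.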
Philip Chan_1
Respected Contributor

Re: Root disabled

Hi,

You could retry the root login at the console as many times as you like, even if the account was disabled due to an excessive number of unsuccessful login attempts, or the password expired due to the ageing policy.

Your L-Class server may not have a physical console terminal attached to it; if that is the case, then try either its LAN console or its web console (it has got to be one of these).