
SOLVED
Vito Sarducci
Regular Advisor

Root login

I had a funny thing happen this morning. We have a sudo script that we can run as administrators that allows us to reactivate the passwords if a user gets locked out. We have third-party support that needs the root access, and they locked root out this morning.

I went into SAM and modified the root password just before another administrator ran the reactivate sudo script. It locked everyone out of root. Then I went back into SAM and modified the root password to its original password and logged out, and it worked. The other administrators could not get into root.

Here is the script. Is there a glitch between the SAM modify password and the script we run?

#-- Set up globals (ksh script: uses print, autoload and FPATH)
SCRIPT=`basename $0`
USAGE="usage: $SCRIPT [usercode]"
BOLD_ON=`tput smso`
BOLD_OFF=`tput rmso`
TCBDIR="/tcb/files/auth"        # protected password database on a trusted system

#-- Set up the FPATH environment for shell functions
export FPATH="/usr/local/functions:"
autoload FUNCTION_LIBRARY

#-----------------------------------------------------------------------#
#                        O U T E R   B L O C K                          #
#-----------------------------------------------------------------------#

#-- Only the superuser may activate accounts
if [ `id -u` != 0 ]; then
    print "Sorry. You must have superuser privileges to activate an account."
    exit -1
fi

#-- Get usercode: prompt when no argument is given, accept exactly one otherwise
USER=""
case "$#" in
    0)
        print "\nEnter a login name to be enabled or to exit: \c"
        read USER
        if [ "$USER" = "" ]; then
            print "No user enabled."
            exit 0
        fi;;
    1)
        USER=$1;;
    *)
        print "$USAGE"
        exit -1;;
esac

#-- Verify account: look it up in /etc/passwd, then in the protected
#-- password database ($TCBDIR/<first letter of login>/<login>)
PWENTRY=""
PWENTRY=`grep "^$USER" /etc/passwd`          # matches any login that begins with $USER
if [ -n "$PWENTRY" ]; then
    FCHAR=`echo $USER | sed "s#\(^.\).*#\1#"`  # first character of the login name
    if [ -r "$TCBDIR/$FCHAR/$USER" ] ; then
        DONE=true
    else
        print "User ($USER) was not found in password database."
    fi
else
    print "User ($USER) was not found in the /etc/passwd file."
fi

#-- Allow operator a chance to bail out
print "\n\t$PWENTRY\n"
GET_YES_NO "Is this the entry you want to reactivate?"
if [ "$ANSWER" != Y ]; then
    print "User ($USER) was not enabled."
    exit 1
fi

#-- Enable the account just like SAM (output and exit status are discarded)
/usr/lbin/modprpw -k "$USER" 1> /dev/null 2>&1

print "$BOLD_ON Account \"${USER}\" has been reactivated $BOLD_OFF"

exit 0

Can someone help me on this one? It looks as if this script doesn't work even if you go into SAM before you run this and modify the root password.

Chris
chrisam@rocketmail.com
Lifes too short to stress out, Enjoy every day you have on earth!
Robin Wakefield
Honored Contributor

Re: Root login

Just a couple of thoughts, probably red herrings:

Your grep "^$USER" should end with a ":" to cater for usernames such as roota, rootb, etc.

Also, it might be worth redirecting the output of the modprpw to something other than /dev/null, and checking its exit status.

If the two operations were executed simultaneously, then some sort of lock contention may be the cause.

Robin
Wodisch
Honored Contributor
Solution

Re: Root login

Hello Chris,

the "-k" option of "modprpw" can only activate users other than "root" - there you have to use "-x" (or it is the other way round - one is working for users, the other for "root", at least).

And insert that ":" at the end of your pattern for that "grep" command!

HTH,
Wodisch
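The two points both replies raise, the unanchored grep and the discarded modprpw status, as an added example that is not part of the original thread and not the poster's script or HP's code. The login name is compared exactly against field 1 of the passwd file (the anchored form of the suggested grep "^$USER:"), so "root" no longer matches "roota" or "rootb", and the unlock command's output and exit status are reported instead of being sent to /dev/null. The function names, the MODPRPW and TCBDIR variables, the fake_modprpw stand-in and the sample passwd data are assumptions made for this demonstration; on a real trusted system you would leave MODPRPW and TCBDIR at their defaults.

```shell
#!/bin/sh
# Added example (not the original poster's script): account lookup and unlock
# with an exact login-name match and with the unlock command's result checked.
# MODPRPW, TCBDIR, fake_modprpw and the sample data below are assumptions.

MODPRPW=${MODPRPW:-/usr/lbin/modprpw}   # unlock command on an HP-UX trusted system
TCBDIR=${TCBDIR:-/tcb/files/auth}       # protected password database root

# Print the passwd entry whose login name equals $1 exactly; fail if none.
# awk compares strings, so the login name is never interpreted as a regex
# and "root" cannot match "roota".
lookup_passwd_entry() {
    awk -F: -v u="$1" '$1 == u { print; found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# Path of the protected password file: $TCBDIR/<first letter>/<login>.
tcb_auth_file() {
    printf '%s/%s/%s\n' "$TCBDIR" "$(printf '%s' "$1" | cut -c1)" "$1"
}

# Verify the account in both databases, then unlock it and check the result.
# Returns 0 on success, 1 if the account is unknown, 2 if the unlock failed.
reactivate_account() {
    _user=$1
    _pwfile=${2:-/etc/passwd}
    case $_user in
        ""|*[!A-Za-z0-9_.-]*) printf 'Invalid login name\n' >&2; return 1 ;;
    esac
    if ! _entry=$(lookup_passwd_entry "$_user" "$_pwfile"); then
        printf 'User (%s) was not found in %s\n' "$_user" "$_pwfile" >&2
        return 1
    fi
    _tcb=$(tcb_auth_file "$_user")
    if [ ! -r "$_tcb" ]; then
        printf 'User (%s) was not found in protected password database (%s)\n' \
            "$_user" "$_tcb" >&2
        return 1
    fi
    # Keep the unlock command's output and status instead of discarding them.
    _rc=0
    _out=$("$MODPRPW" -k "$_user" 2>&1) || _rc=$?
    if [ "$_rc" -ne 0 ]; then
        printf 'modprpw -k %s failed, exit %d: %s\n' "$_user" "$_rc" "$_out" >&2
        return 2
    fi
    printf 'Account "%s" has been reactivated (%s)\n' "$_user" "$_entry"
}

# Stand-in for /usr/lbin/modprpw so the demonstration runs on any system:
# succeeds for every login except "svc", which it reports as still locked.
fake_modprpw() {
    if [ "$2" = svc ]; then
        echo "modprpw: $2: account is administratively locked"
        return 1
    fi
    return 0
}

# Constructed sample data (not from the original post).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
roota:*:101:20::/home/roota:/usr/bin/sh
svc:*:102:20::/home/svc:/usr/bin/sh
EOF
mkdir -p "$demo_dir/tcb/r" "$demo_dir/tcb/s"
: > "$demo_dir/tcb/r/root"; : > "$demo_dir/tcb/r/roota"; : > "$demo_dir/tcb/s/svc"

# Run the demonstration against the sample data with the stand-in command.
TCBDIR=$demo_dir/tcb
MODPRPW=fake_modprpw
printf 'unanchored grep "^root" matches: %s\n' "$(grep -c '^root' "$demo_dir/passwd")"
printf 'exact lookup of root matches:    %s\n' "$(lookup_passwd_entry root "$demo_dir/passwd" | wc -l)"
reactivate_account root  "$demo_dir/passwd"
reactivate_account svc   "$demo_dir/passwd" || echo "status: $?"
reactivate_account rootb "$demo_dir/passwd" || echo "status: $?"
rm -rf "$demo_dir"
```

The exit code distinguishes "unknown account" from "unlock command failed", which is what a calling sudo wrapper needs in order to tell the operator that modprpw itself refused, rather than printing "reactivated" unconditionally as the original script does. Whether -k or -x is the right option for root is a separate question that this example does not settle; it only makes the answer visible in the command's own output.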