HPE Community
Operating System - HP-UX
1834811 Members
2099 Online
110070 Solutions
New Discussion

Re: Superuser rights

 
Leif Halvarsson_2
Honored Contributor

‎05-23-2002 04:35 AM

‎05-23-2002 04:35 AM

Superuser rights

Hi
Is it possible to give "Superuser righta" to a "ordinary" user.
0 Kudos
Reply
11 REPLIES 11
Pete Randall
Outstanding Contributor

‎05-23-2002 04:36 AM

‎05-23-2002 04:36 AM

Re: Superuser rights

You can make there uid 0 in /etc/passwd - that makes them a root equivalent. A better approach might be to look into the sudo package.

Good luck,
Pete

Pete
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎05-23-2002 04:39 AM

‎05-23-2002 04:39 AM

Re: Superuser rights

Yes but with lots of warnings: don't change the user's UID to zero...major problems can occur. Don't give the user the root password unless they know as much as you do and always ask before making any changes.

Instead, get a copy of sudo from the Liverpool Archive:

http://hpux.connect.org.uk/

This program allows you (as root) to specify not only which users get superuser privileges but also which commands they can use and even which parameters are legal. For instance, you could allow many users to mount and umount a CDROM by specifying the mount command along with one devicefile. Any attempt to use the wrong commands or parameters will fail and logged.


Bill Hassell, sysadmin
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎05-23-2002 04:40 AM

‎05-23-2002 04:40 AM

Re: Superuser rights

I would consider using "sudo" if I were you.
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.6/
0 Kudos
Reply
Bill McNAMARA_1
Honored Contributor

‎05-23-2002 04:45 AM

‎05-23-2002 04:45 AM

Re: Superuser rights

you could also consider restricted sam

run
sam -r
as root and allocate permissions to groups/users.

Later,
Bill
It works for me (tm)
0 Kudos
Reply
John Bolene
Honored Contributor

‎05-23-2002 04:57 AM

‎05-23-2002 04:57 AM

Re: Superuser rights

Bill, what problems can happen with putting the uid to zero?

I have been operating that way for years with no problems that I know of.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎05-23-2002 05:02 AM

‎05-23-2002 05:02 AM

Re: Superuser rights

Hi Leif:

In the interest of "completeness", there is another classic approach, albeit frowned upon for security. That is to use a 'setuid' script to provide an ordinary user some special function.

You would create a Posix shell script with the shell interpreter specified:

#!/usr/bin/sh

If the name of the script were '/usr/local/bin/mysh' then, do:

# chown root:dba /usr/local/bin/mysh
# chmod 4110 /usr/local/bin/mysh

Users of the group 'dba' can now execute 'mysh' with the effective uid=0.

Notice that while they can execute the shell, they cannot read nor 'vi' it, thus providing a certain measure of security.

Regards!

...JRF...
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎05-23-2002 05:10 AM

‎05-23-2002 05:10 AM

Re: Superuser rights

Hi John:

The "classic" error with having multiple uid=0 accounts is that you (or your successor) fail to notice that user 'john' has a uid=0, and proceed to remove 'john' from the server by name:

# find \ -user john -exec rm {} \;

...you just removed all files belonging to uid=0 (root's !!!)

[...time for an Ignite recovery ;-) ]

Regards!

...JRF...
0 Kudos
Reply
Victor_5
Trusted Contributor

‎05-23-2002 05:34 AM

‎05-23-2002 05:34 AM

Re: Superuser rights

Yes, sudo is a good idea. Another point is add the user name into every group, e.g. adm, bin, root and sys. You can get the similar permissions with root, but not exactly same with root.
0 Kudos
Reply
Shannon Petry
Honored Contributor

‎05-23-2002 11:35 AM

‎05-23-2002 11:35 AM

Re: Superuser rights

John,

Besides what JRF pointed out there are numerous applications which will error from this as well.

Lets add the fact that a simple usermod can trash your OS.

Next
Because if it's easy use, most applications use your UID from getpwnum(). Of the remaining programs they will use the Name from getpwnam().
Rarely programs grab your full password entry getpwent().

I for one dont want to sit with developers on the phone trying to debug their apps when I have problems!

Regards,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
Sanjay_6
Honored Contributor

‎05-23-2002 11:38 AM

‎05-23-2002 11:38 AM

Re: Superuser rights

Hi Leif,

If the user id is set to 0, the user will have superuser rights on the system. To create such a user id, try,

useradd -u 0 -0 -g root -G root -d /user_home_dir -s /sbin/sh user_name

Hope this helps.

Regds
0 Kudos
Reply
Leif Halvarsson_2
Honored Contributor

‎05-24-2002 03:02 AM

‎05-24-2002 03:02 AM

Re: Superuser rights

Hi
Thanks evrybody for your answers.
The security in ny case is no problem, this is not "real" users but application owners as "oracle", "dmadmin" etc. in fact it is the same person as root (I). This question is related to a question in another forum where I also get some answeres.
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x20d191ccb36bd611abdb0090277a778c,00.html
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.