Re: syslog: NIS attack

 
thom_14
Regular Advisor

syslog: NIS attack

We use a scheme for granting developers and testers root perms on systems via an "su" account, which is basically an /etc/passwd entry similar to their normal account, but with a UID of 0. Conventions aside, that's the way they've been doing it and they're happy with it, so that's what I've been asked to do.

i.e.:
norsu:ZZZZZZZZZZ.,n.xS:0:3::/root/users/norsu:/sbin/sh
markdsu:ZZZZZZZZZZ:0:3::/root/users/markdsu:/sbin/sh
thomfsu:ZZZZZZZZZZ:0:3:Thom Fitzpatrick SU,1-916-XXX-XXXX,Roseville,thom.fitzpatrick@hp.com,thomf:/root/users/thomfsu:/bin/ksh
dhyniesu:ZZZZZZZZZZ:0:3:Daniel Hynie SU,1-916-XXX-XXXX,Roseville,daniel.hynie@hp.com,dhynie:/root/users/dhyniesu:/bin/ksh

On a couple of newer 11.23 boxes, I'm getting some push-back - from the OS!

# su - thomfsu
su: unknown login thomfsu
Jul 9 14:29:32 amkibld06 syslog: NIS attack, user thomfsu has uid 0
amkibld06:/root/users/root #

I did some googling, and it appears that this is a change in the behavior of rlogind. My question is this: is there a way to get around this new restriction, or has my paradigm been sprained?
James R. Ferguson
Acclaimed Contributor

Re: syslog: NIS attack

Hi:

Your environment is a disaster waiting to happen. Multiple uid=0 accounts mean that the first time you do something like:

# find / -user markdsu -exec rm -rf {} +

...to clean off "markdsu" because that developer has left your shop...you remove all files and directories owned by 'root' (uid=0).

If your argument is accountability, I submit that you said it was a developer's system; and I submit that *one* uid=0 (viz. the real 'root' account) is sufficient given the fact that your '/var/adm/sulog' tracks the transitions from any user account to 'root'.

Regards!

...JRF...
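As an added illustration of the hazard described above (example code, not from the thread or from HP-UX), a small audit that parses a constructed passwd sample modelled on the quoted entries, flags every uid=0 account other than root, and shows how name-to-uid-to-name resolution collapses those accounts to 'root', which is exactly why `find -user markdsu` matches every root-owned file. The sample hashes, phone numbers and home directories are placeholders.

```python
"""Audit an /etc/passwd-format file for additional uid=0 accounts."""

# Constructed sample modelled on the thread's entries (placeholder hashes).
SAMPLE_PASSWD = """\
root:XXXXXXXXXXXXX:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
thomf:ZZZZZZZZZZ:1001:20:Thom Fitzpatrick:/home/thomf:/bin/ksh
norsu:ZZZZZZZZZZ.,n.xS:0:3::/root/users/norsu:/sbin/sh
markdsu:ZZZZZZZZZZ:0:3::/root/users/markdsu:/sbin/sh
thomfsu:ZZZZZZZZZZ:0:3:Thom Fitzpatrick SU:/root/users/thomfsu:/bin/ksh
"""


def parse_passwd(text: str) -> list[dict]:
    """Parse passwd lines into dicts; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # Seven colon-separated fields; gecos may itself contain commas.
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def extra_uid0_accounts(entries: list[dict]) -> list[str]:
    """Return the names of every uid=0 account other than 'root'."""
    return [e["name"] for e in entries
            if e["uid"] == 0 and e["name"] != "root"]


def canonical_owner(entries: list[dict], name: str) -> str:
    """Resolve a username to its uid and back, as ls/find report ownership.

    With duplicate uids the first passwd entry for that uid wins, so every
    'su' account collapses to 'root' and a name-based match such as
    `find -user markdsu` selects all files whose owner uid is 0.
    """
    uid = next(e["uid"] for e in entries if e["name"] == name)
    return next(e["name"] for e in entries if e["uid"] == uid)


if __name__ == "__main__":
    ents = parse_passwd(SAMPLE_PASSWD)
    for acct in extra_uid0_accounts(ents):
        owner = canonical_owner(ents, acct)
        print(f"WARNING: {acct} has uid 0 and resolves to '{owner}'")
```

Pointing `parse_passwd` at the real file contents of a host gives the same report for a live system.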
MarkSyder
Honored Contributor

Re: syslog: NIS attack

If you really need those users to have access to root commands you need sudo.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
thom_14
Regular Advisor

Re: syslog: NIS attack

I understand the various problems with this scheme, but I inherited it almost 10 years ago. I *tried* at one point to implement sudo, but it went over like a lead balloon (MythBusters notwithstanding). We have this arrangement where they tell me what they want done and pay me to do it; unfortunately it doesn't work the other way around...
Peter Nikitka
Honored Contributor

Re: syslog: NIS attack

Hi,

I think this is a good time to tell your developers that the current (unsafe) method of the xxxsu accounts is no longer possible under the new OS.

Kind regards, Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
thom_14
Regular Advisor

Re: syslog: NIS attack

I found a temporary workaround. It seems that only rlogind exhibits this behavior at this point, so if you rlogin to the box (yes, that's a whole 'nother box of worms) then you can't su to the XXXsu UID 0 user. However, you can still telnet or ssh directly to the box as the XXXsu user; it works fine.

Apart from all this, it seems silly that rlogind reports this as an NIS issue.