HPE Community
Operating System - HP-UX
1820475 Members
2979 Online
109624 Solutions
New Discussion юеВ

System Default Accounts

 
john guardian
Super Advisor

тАО09-07-2007 12:46 AM

тАО09-07-2007 12:46 AM

System Default Accounts

This question concrens Run Control Scripts... IE: /sbin/rc* and /sbin/init.d scripts.

Is it acceptable/secure for the user ADM to be listed as the file's GROUP owner?

Is the user ADM considered a DEFAULT SYSTEM ACCOUNT similar to ROOT,SYS,BIN and OTHER?

I don't believe I've ever seen a DEFAULT OS INSTALL where any of the "rc" scripts were owned (GROUP OWNED) by ADM.

Anyone?
0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

тАО09-07-2007 12:51 AM

тАО09-07-2007 12:51 AM

Re: System Default Accounts

Shalom,

No, it is unacceptable to make the adm user user zero.

It is fine to have a startup script that does an su - username -c command. That is a very normal practice.

You should probably talk to the vendor and ask them why they did this.

I'm guessing its just a sloppy Q&A situation. I know of no third party products other than Cyborg that require this level of privileges to start. You can bet I gave Cognos a lot of trouble over this.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Pete Randall
Outstanding Contributor

тАО09-07-2007 12:52 AM

тАО09-07-2007 12:52 AM

Re: System Default Accounts

Nope. Me either.

# ll /sbin/rc?.d |grep adm
lrwxr-xr-x 1 root 42 21 Mar 15 2004 K140webadmin -> /sbin/
init.d/webadmin
lrwxr-xr-x 1 root root 22 Mar 15 2004 S206clean_adm -> /sbin
/init.d/clean_adm
lrwxr-xr-x 1 root 42 21 Mar 15 2004 S860webadmin -> /sbin/
init.d/webadmin
lrwxr-xr-x 1 bin bin 29 Mar 15 2004 S996vradmind -> /sbin/
init.d/vras-vradmind.sh


Pete

Pete
0 Kudos
Reply
john guardian
Super Advisor

тАО09-07-2007 12:57 AM

тАО09-07-2007 12:57 AM

Re: System Default Accounts

Actually, ADM hasn't been made user/uid zero. One or two of the script listings look something like :

-r-xr-x-rx root adm <script_name>

So, ADM is simply listed as the GROUP OWNER of this script.

I've never seen this and didn't think it was acceptable.

So, once again, I still wonder whether ADM is considered a default system account?
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО09-07-2007 01:01 AM

тАО09-07-2007 01:01 AM

Re: System Default Accounts

Hi John:

> Is it acceptable/secure for the user ADM to be listed as the file's GROUP owner?

This should be acceptable. After all, it's the root user under which the startup/shutdown scripts actually execute.

> Is the user ADM considered a DEFAULT SYSTEM ACCOUNT similar to ROOT,SYS,BIN and OTHER?

Yes, 'adm' is one of the standard, default groups. You will find this group associated with '/var/adm', for example.

Generally the '/sbin/init.d' scripts are owned by 'bin' with 'bin' as their group, too.

Regards!

...JRF...
0 Kudos
Reply
Patrick Wallek
Honored Contributor

тАО09-07-2007 01:04 AM

тАО09-07-2007 01:04 AM

Re: System Default Accounts

ADM is one of the default **GROUPS** in /etc/groups as part of the OS install.

The GROUP permission you are seeing has NOTHING to do with any of the users in /etc/passwd. ADM is a valid default user as well, though the user and the group ADM are separate things.

I don't know that having ADM as the group on some of the rc scripts is necessarily normal, but I don't think it is a disaster waiting to happen either. All of the scripts run as root when the system is booting anyway so the owner and group don't necessarily matter much.

If it makes you nervous, change it to match the other scripts.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.