Operating System - HP-UX

Victor_5
Trusted Contributor

user with root access, but is not allowed to login

I am trying to create a new user with root access, but is not allowed to login, that means, I only can su to this user, is that possible? Why?
Patrick Wallek
Honored Contributor

Re: user with root access, but is not allowed to login

If you set up a user with an invalid password in the password field in /etc/passwd, then you will only be able to do 'su - username' to get to that user. An invalid password would be a * in the password field in /etc/passwd.
Sridhar Bhaskarla
Honored Contributor

Re: user with root access, but is not allowed to login

I think /etc/securetty is effective for any user with id 0.

So, try out keeping "/dev/console" in /etc/securetty.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Victor_5
Trusted Contributor

Re: user with root access, but is not allowed to login

Hi Patrick:

I did the test, changed the second field of that user in /etc/passwd to '*', but when I issued 'su - username', it still needed a password, so I was unable to switch to that user.

From my understanding, the system still needs to read /etc/passwd even when you issue su; after entering an invalid password, of course I cannot login, but I cannot su either. More detailed information?

Hi Sridhar:
On my system, I could not find the file /etc/securetty?
Madhu Sudhan_1
Respected Contributor

Re: user with root access, but is not allowed to login

Shawn :

With '*' in the password field, a user will never be able to login. I am assuming that this particular user is created manually. So the easiest way to get out of this problem is to remove the '*' in the /etc/passwd field and leave it blank (you should be able to see :: in the password field), then issue the passwd command to set some known password, and then change the user-id field in /etc/passwd to 0.


...Madhu
Think Positive
Victor_5
Trusted Contributor

Re: user with root access, but is not allowed to login

Hi Madhu:

Good try! However, I need another, different user, not root. If I change the uid to 0 in /etc/passwd, when I create some file the owner is root, not the other user that I need. Any other idea?
Sridhar Bhaskarla
Honored Contributor

Re: user with root access, but is not allowed to login

Shawn,

Simple

echo "/dev/console" >> /etc/securetty

And change the permissions to 600

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: user with root access, but is not allowed to login

Sorry, one more idea.

As Patrick said, create a user with id 0 say superuser but keep the password as *. Now, this user cannot login because of the invalid password.

Keep .rhosts entry in superuser's home directory like this

your_system_name your_user

Now, your_user can successfully rlogin to the system and get in as the super_user.

This is a security violation. But having another user with uid 0 is more dangerous so I think this can be considered.

But /etc/securetty is the best way. This file will not be there by default. You need to create one.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Patrick Wallek
Honored Contributor

Re: user with root access, but is not allowed to login

I think I see what you are trying to do, but I am not sure it is possible. For a user other than root, to have all the same privileges as root, it must have uid 0. You can't create a user and assign privileges to it so that it is "equivalent" to root.

If a user needs to be able to execute something as root you can try 'sudo'. Sudo can be downloaded from the porting center.
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.2b1/

When I mentioned su'ing to a user with an invalid password, only root can do that. Sorry!

Sridhar Bhaskarla
Honored Contributor

Re: user with root access, but is not allowed to login

Sorry for one more mail. I am very new to this forum.

I think I didn't explain the process well in my previous mail. Let's take the following as examples.

SYSTEM=your_system
ROOTACCOUNT=super_user
ORDINARYUSER=your_user

Edit .rhosts under the home directory of super_user and place the entry

your_system your_user

Now your_user will login to your_system using the normal way as an ordinary user.

Once he gets onto the system, he does an rlogin to the SAME system:

your_user@your_system$ rlogin your_system -l super_user

super_user@your_system#

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
linuxfan
Honored Contributor

Re: user with root access, but is not allowed to login

Hi Shawn,


How about trying something like this,
say you add a new user rroot with a uid of 0.

modify your /etc/profile by adding these

/Begin/

# Command name of the process that started this shell: column 23 onward
# of the second line of 'ps -p $PPID', with any leading '-' stripped.
shellchk=$(ps -p $PPID | sed -n 2p | cut -c23- | sed s/^-//)

# Refuse the login shell when rroot arrives through telnetd or rlogind.
if [[ $LOGNAME = "rroot" ]]
then
    if [[ $shellchk = "telnetd" || $shellchk = "rlogind" ]]
    then
        echo "Sorry, direct logging in as rroot is not allowed"
        exit 1
    fi
fi

/End/

What this would do is prevent rroot from directly logging in via either telnet or rlogin; if you use ssh, then you can probably add ssh as well.

I am sure there is a lot of fine tuning you can do to this, but this seems to be working.

-Regards
Ramesh
They think they know but don't. At least I know I don't know - Socrates
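The replies above suggest three things an administrator would want to verify on a box after following this thread: which accounts have uid 0 besides root, whether each of them carries the unmatchable '*' password that blocks direct login (leaving su from root, or a trusted rlogin, as the only way in), and whether a .rhosts entry of the kind Sridhar describes trusts a host/user pair. The script below is an added audit example written for this page, not code from any poster or from HP-UX; the passwd lines, the fake password hashes and the .rhosts contents are constructed sample data (the account names superuser and rroot are taken from the thread), and the functions can be pointed at the real /etc/passwd and a real .rhosts instead.

```sh
#!/bin/sh
# Added audit example for the approaches discussed in this thread.
# It checks a passwd file for (a) every account with uid 0, (b) whether
# each such account's password field is the unmatchable '*' that blocks
# direct login, and (c) whether a .rhosts file grants rlogin access to a
# given host/user pair. All input below is CONSTRUCTED sample data, not a
# real /etc/passwd or .rhosts; point the functions at the real files
# (e.g. /etc/passwd, /home/superuser/.rhosts) to audit a live system.

SAMPLE="${TMPDIR:-/tmp}/passwd.sample.$$"   # constructed passwd file
RHOSTS="${TMPDIR:-/tmp}/rhosts.sample.$$"   # constructed .rhosts file
trap 'rm -f "$SAMPLE" "$RHOSTS"' EXIT

# Fake hashes. 'superuser' is the su-only uid-0 account from the thread,
# 'rroot' is a second uid-0 account that still has a usable password.
cat > "$SAMPLE" <<'EOF'
root:abcdEFGH1234:0:3::/:/sbin/sh
superuser:*:0:3::/home/superuser:/sbin/sh
rroot:xyzWVUT98765:0:3::/home/rroot:/usr/bin/sh
victor:qwerty12345:101:20::/home/victor:/usr/bin/ksh
EOF

# The .rhosts entry Sridhar describes: "your_system your_user".
cat > "$RHOSTS" <<'EOF'
# hosts and users trusted for rlogin
your_system your_user
EOF

# uid0_accounts FILE: print the login name of every uid-0 account in FILE.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# pw_locked FIELD: succeed when FIELD is '*', which no password hashes to,
# so only su from root (or a trusted rlogin) can reach the account.
# An empty field means no password is required at all, so it is unlocked.
pw_locked() {
    [ "$1" = '*' ]
}

# report FILE: one line per uid-0 account, "<name> locked" or "<name> UNLOCKED".
report() {
    awk -F: '$3 == 0 { print $1 ":" $2 }' "$1" |
    while IFS=: read -r name pw; do
        if pw_locked "$pw"; then
            echo "$name locked"
        else
            echo "$name UNLOCKED"
        fi
    done
}

# rhosts_grants FILE HOST USER: succeed when FILE has a line trusting
# HOST USER (blank lines and '#' comments are ignored).
rhosts_grants() {
    awk -v h="$2" -v u="$3" '
        /^#/ || NF == 0 { next }
        $1 == h && $2 == u { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

echo "uid-0 accounts:"
report "$SAMPLE"
if rhosts_grants "$RHOSTS" your_system your_user; then
    echo "your_user@your_system can rlogin as the uid-0 account via .rhosts"
fi
```

Run against the constructed data this prints root and rroot as UNLOCKED and superuser as locked, then reports the .rhosts trust; on a real system, any uid-0 account listed as UNLOCKED, and any .rhosts line under a uid-0 home directory, is exactly the exposure the thread is weighing.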