Operating System - HP-UX

Why you would need to set password to adm user ?

hector hernandez
Occasional Advisor

There are special "users" in /etc/password (like adm, bin, daemon, nuucp, lp, etc). They "usually" have an asterisk in the password field. I have always lived with that as a fact... Recently a security auditor asked me to set a password for them. Why should I do that? How does it affect the system?

Regards.

Hector Hdez.
Sridhar Bhaskarla
Honored Contributor

Re: Why you would need to set password to adm user ?

Hi Hector,

A * in the password field against a login in /etc/passwd indicates that the password is locked (if this system is not trusted). On a trusted system, it will be under /tcb/files/auth//login. They are good and secured in that way.

I don't know why one would want to set a password for these accounts. Setting a password will only open a chance for anyone to hack these accounts. That's how it affects the system.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Patrick Wallek
Honored Contributor

Re: Why you would need to set password to adm user ?

I wouldn't. I would leave them as is.

Ask your auditor WHY they want you to set a password on these accounts. They may be under the mistaken impression that the * means that anyone can log in. That is NOT true. The * is essentially an invalid password which would force someone to 'su - adm' to the account from the root user. No one else can log in to those accounts in any other fashion (unless you happen to set up sudo).

You COULD set passwords on those accounts without any major impact (as far as I know), but in my mind that would make your system LESS secure as there is now a password that could potentially be guessed. With the * there, there is NO password to guess, but you still can't log into the account directly.
Rita C Workman
Honored Contributor

Re: Why you would need to set password to adm user ?

As the others have stated...you wouldn't !

My question might be..How qualified is the person they hired as a Security Auditor for an HPUX system that doesn't know this? How well can they be doing their job, since they are asking you to make these accounts LESS secure?

Hmmmmmmm,
Rita
Florian Heigl (new acc)
Honored Contributor

Re: Why you would need to set password to adm user ?

Setting a password in fact *lowers* security, by changing a 'no-login-ever' account into a 'no-login-until-password-broken' account.

Get this 'auditor' out of Your building, away from keyboards etc.
He obviously doesn't know what he's talking about, at least with respect to HP-UX.

OTOH, install the /etc/shadow patches for 11i, check that accounts have an invalid shell (i.e. /bin/false suits well) and nonexistent homedir to do what a better auditor might ask You for.
yesterday I stood at the edge. Today I'm one step ahead.
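
Added example (not part of any reply in this thread): a POSIX shell audit of the checks discussed above, reporting for each pseudo-account whether the password field is locked, whether the shell allows login, and whether the home directory exists. It assumes a non-trusted system without shadow passwords, so the passwd-format input itself is authoritative; the function names, the list of no-login shells and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pseudo-accounts read from passwd-format input on stdin.
# Assumption: non-trusted system, no shadow file, so field 2 is authoritative.

PSEUDO_ACCOUNTS="adm bin daemon nuucp lp"      # account names from the thread
NOLOGIN_SHELLS="/bin/false /usr/bin/false"     # assumed list, adjust per site

# Classify the password field (second colon-separated field).
pw_state() {
    case "$1" in
        '')   echo EMPTY ;;          # no password required at all
        'x')  echo SHADOWED ;;       # real value is in /etc/shadow, check there
        '*'*) echo LOCKED ;;         # not a valid hash: nothing to guess
        *)    echo PASSWORD_SET ;;   # a hash is present and can be attacked
    esac
}

shell_state() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && { echo NOLOGIN_SHELL; return; }
    done
    echo LOGIN_SHELL                 # includes an empty field (default shell)
}

home_state() {
    if [ -d "$1" ]; then echo HOME_EXISTS; else echo HOME_MISSING; fi
}

# Print one line per pseudo-account: name, password, shell and home status.
audit_pseudo_accounts() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        case " $PSEUDO_ACCOUNTS " in
            *" $name "*) ;;
            *) continue ;;
        esac
        echo "$name $(pw_state "$pw") $(shell_state "$shell") $(home_state "$home")"
    done
}

# Constructed sample input; the "hashes" are made-up strings, not real ones.
sample_passwd() {
cat <<'EOF'
root:Ab1cdEfGhIjkl:0:3::/:/sbin/sh
adm:*:4:4::/:/sbin/sh
lp:*:9:7::/nonexistent/constructed:/bin/false
nuucp::11:11::/nonexistent/constructed:/bin/false
bin:Zz9yXwVuTsRqp:2:2::/:/bin/false
EOF
}

sample_passwd | audit_pseudo_accounts
```

On a live system the same function can be fed with `audit_pseudo_accounts < /etc/passwd`; any line reporting EMPTY or PASSWORD_SET is the condition the replies above warn against.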
Paula J Frazer-Campbell
Honored Contributor

Re: Why you would need to set password to adm user ?

Hi

Your security auditor is asking you to weaken the security on these accounts and I would therefore look seriously at any other requests he/she makes on the unix systems.

As said, "*" means that these accounts cannot be logged into.


Paula
If you can spell SysAdmin then you is one - anon
sharif naser_1
Frequent Advisor

Re: Why you would need to set password to adm user ?

As far as I know, those accounts are dummy accounts; if not used, why keep them?

It could be utilized as a back door.

Regards,
Sharif
Robert-Jan Goossens
Honored Contributor
Solution

Re: Why you would need to set password to adm user ?

Hi Hector,

Check this doc for building a bastion host; section number 9 is about removing/securing unneeded pseudo-accounts.

Building a Bastion Host Using HP-UX 11
DocId:USECKBAN00000800

Europe
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000066258828
US
http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000066258828

Regards,
Robert-Jan