HPE Community
Operating System - HP-UX
1752577 Members
3734 Online
108788 Solutions
New Discussion

Script for non root user to reset passwords. Use UID 0? sudo? Or is there another way?

 
John Jimenez
Super Advisor

‎05-04-2012 10:28 AM

‎05-04-2012 10:28 AM

Script for non root user to reset passwords. Use UID 0? sudo? Or is there another way?

We want our help desk to be able to reset passwords in one of production UNIX servers and also reset password in the application on top of it.      Help desk currently does not use UNIX or this application.... so teaching them restricted SAM or teaching them password screen in our application is not an option.  .

 

I already have script  that root can use to achieve this. but I do not want give root password to help desk personnel      I have some ideas on how to achieve this.   I can se up:

 

1)  logins for each help desk personnel.    Modify the script to use sudo.    Put script in .profile?  

2)  a new user with UID 0.   Put script in .profile.     Have all help desk personnel use this login.

 

Which is a bettor and safer way? Or is there a better solution?     I am leaning towards #1, but want to get some feedback for you guys on why I should or not do this.

 

Thanks again,

Hustle Makes things happen
0 Kudos
Reply
2 REPLIES 2
Dennis Handly
Acclaimed Contributor

‎05-04-2012 11:49 PM

‎05-04-2012 11:49 PM

Re: Script for non root user to reset passwords. Use UID 0? sudo? Or is there another way?

Using sudo safer since you can lock in exactly what script to use.

For UID 0, you would have to make sure the user doesn't get out of your .profile script.

(A better way would be to change that user's shell to your script.)

0 Kudos
Reply
ManojK_1
Valued Contributor

‎05-06-2012 12:46 AM

‎05-06-2012 12:46 AM

Re: Script for non root user to reset passwords. Use UID 0? sudo? Or is there another way?

Hi,

 

As per my experience the best method is RBAC (Role based access control). Through RBAC you can assign privilage to normal users to execute root only allowed commands.It is the best and safer methods.

 

If audit service is enabled. You can track the executed commands.

 

Following url will provide you better understanding.

http://h21007.www2.hp.com/portal/download/files/unprot/hpux/RBACv1_HP-UX11i.pdf

 

Thanks and Regards,

Manoj K

Thanks and Regards,
Manoj K
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.