su restrictions on HPUX 11.23
Advisor
Posts: 29
Registered: ‎04-30-2008
Message 1 of 15 (1,025 Views)

su restrictions on HPUX 11.23

Hi,

We need to enable passwords for root users when using su; for example, the "joroot" user has UID 0, or is equivalent to the root user. "joroot" can use "su - root" without a password.

The query is that if "joroot" applies the command "su - root", it must prompt for a password.

Thanks & Kind Regards,

Muhammad Ali

Acclaimed Contributor
Posts: 25,753
Registered: ‎03-06-2006
Message 2 of 15 (1,024 Views)

Re: su restrictions on HPUX 11.23

Since joroot has UID 0, it IS root and there is no need to do su nor check passwords.

Occasional Visitor
Posts: 5
Registered: ‎07-03-2011
Message 3 of 15 (1,022 Views)

Re: su restrictions on HPUX 11.23

Hi,

Still, is there any possibility that when joroot tries to use "su - root", it prompts for the root password?

We need to implement this restriction as our internal requirement.

Thanks & Kind Regards,

Muhammad Ali

Acclaimed Contributor
Posts: 25,753
Registered: ‎03-06-2006
Message 4 of 15 (1,015 Views)

Re: su restrictions on HPUX 11.23

Even if it asked for a password, joroot would simply never use su since he IS root already.

Valued Contributor
Posts: 169
Registered: ‎06-16-2011
Message 5 of 15 (1,011 Views)

Re: su restrictions on HPUX 11.23

Hi,

I am not sure what you are trying to achieve.

joroot itself has UID 0, so why do you need su - and, as the next step, a password prompt?

Once a user owns UID 0, they can do anything; even if you put in a marvellous script, such as one asking for a password on su -, they can revert it.

Thanks

BR

Naj

Occasional Visitor
Posts: 5
Registered: ‎07-03-2011
Message 6 of 15 (1,010 Views)

Re: su restrictions on HPUX 11.23

Hi,

I know joroot has UID 0. But some users used to su - root and perform some tasks, although they can use their own user ID like joroot. We want to monitor joroot activity, but we are unable to track it when they perform administrative tasks by using su - root.

That's why we want to restrict joroot to prompt for a password when using su - root.

Thanks & Kind Regards,

Muhammad Ali

Valued Contributor
Posts: 169
Registered: ‎06-16-2011
Message 7 of 15 (1,007 Views)

Re: su restrictions on HPUX 11.23

Hello,

Is joroot one of the sudo users?
Could you please be more specific about what tasks joroot should not be able to perform?

Thanks

BR
Naj

Acclaimed Contributor
Posts: 25,753
Registered: ‎03-06-2006
Message 8 of 15 (1,005 Views)

Re: su restrictions on HPUX 11.23

How are you monitoring joroot activity?

Perhaps you should be using a management tool and not a software tool to manage your rogue sysadmins?

Occasional Visitor
Posts: 5
Registered: ‎07-03-2011
Message 9 of 15 (1,003 Views)

Re: su restrictions on HPUX 11.23

Hello,

Thanks for your reply.

Is there a possibility in HP-UX to prompt for a password when any user having UID 0 uses su - root?

If not, then how to disable su?

Thanks & Kind Regards,

Muhammad Ali


Occasional Visitor
Posts: 5
Registered: ‎07-03-2011
Message 10 of 15 (999 Views)

Re: su restrictions on HPUX 11.23

Hi,

By Audit trail.

Kindly suggest which management tool we can use to monitor root users activity?

Thanks & Kind Regards,

Muhammad Ali

Acclaimed Contributor
Posts: 25,753
Registered: ‎03-06-2006
Message 11 of 15 (1,007 Views)

Re: su restrictions on HPUX 11.23

The manager tells his employees that if you do X, it is grounds for dismissal.

Occasional Visitor
Posts: 1
Registered: ‎06-28-2011
Message 12 of 15 (999 Views)

Re: su restrictions on HPUX 11.23

Please check the file /var/adm/sulog

This logs information every time the su command is run.

Thanx

John

Acclaimed Contributor
Posts: 21,184
Registered: ‎07-06-2000
Message 13 of 15 (991 Views)

Re: su restrictions on HPUX 11.23

Hi:

First, having multiple 'root' (UID=0) accounts is extremely poor security and second, quite dangerous if you (or your successor) forget that the alternate account is really a root one and remove files "belonging" to it.

Unix doesn't care what you call the account. What matters is that the account maps to UID=0. This is why you can't get your 'su' to prompt for a password. As far as the software is concerned, you *are* root.

I suggest that you install 'sudo'. This tool allows you to confer root privileges to users specified in the 'sudoers' configuration file and allows you to track activity. You can obtain a binary for installation from the HP-UX Porting Centre:

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.8.0/

Regards!

...JRF...
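The two checks raised in the replies above (extra accounts that map to UID 0, and the su records in /var/adm/sulog) can be scripted; this is an added example, not code posted by anyone in the thread. The function names, the sample account and log data, and the sulog line layout `SU MM/DD HH:MM +|- tty from-to` are assumptions made for the example.

```shell
#!/bin/sh
# Added example. All sample data below is constructed for illustration.

# Print every account in a passwd-format file that maps to UID 0 under a
# name other than "root". Each one is root as far as the system is concerned.
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Summarise su attempts whose target is root, per originating user.
# Assumed line layout: SU MM/DD HH:MM {+|-} tty from-to  ("+" means success).
# The target is taken as the text after the last "-" in the from-to field.
su_to_root_summary() {
    awk '$1 == "SU" && NF >= 6 {
        n = split($6, p, "-")
        if (p[n] != "root") next
        from = substr($6, 1, length($6) - length(p[n]) - 1)
        if ($4 == "+") ok[from]++; else bad[from]++
        seen[from] = 1
    }
    END { for (u in seen) printf "%s ok=%d failed=%d\n", u, ok[u], bad[u] }' "$1" | sort
}

# Constructed sample files, so the script runs without touching system files.
umask 077
tmp="${TMPDIR:-/tmp}/su_audit.$$"
mkdir "$tmp" || exit 1
trap 'rm -rf "$tmp"' EXIT
SAMPLE_PASSWD="$tmp/passwd"
SAMPLE_SULOG="$tmp/sulog"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
joroot:*:0:3:second root:/home/joroot:/usr/bin/sh
ali:*:105:20::/home/ali:/usr/bin/sh
EOF
cat > "$SAMPLE_SULOG" <<'EOF'
SU 07/03 09:12 + pts/0 ali-root
SU 07/03 09:40 - pts/1 ali-root
SU 07/03 10:02 + pts/2 ops-root
SU 07/03 10:30 + pts/0 ali-oracle
EOF

echo "UID 0 accounts not named root:"
uid0_aliases "$SAMPLE_PASSWD"
echo "su to root, per originating user:"
su_to_root_summary "$SAMPLE_SULOG"
```

On a live system the functions would be pointed at /etc/passwd and /var/adm/sulog, after checking a few real sulog lines against the layout assumed here.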

Honored Contributor
Posts: 1,314
Registered: ‎08-16-2006
Message 14 of 15 (982 Views)

Re: su restrictions on HPUX 11.23

Acclaimed Contributor
Posts: 25,753
Registered: ‎03-06-2006
Message 15 of 15 (977 Views)

Re: su restrictions on HPUX 11.23
