10-09-2007
Protect Account UID = 0
Hello,
Can someone give me some recommendations on how to protect this account? I understand that this account is an "operator" account and has root access.
Thanks in advance
9 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
We recently had an accidental delete from /. I hold the root password but others are allowed to sudo over to root to perform admin tasks. The only way I want to permit deletion from / is by physically being root (su -).
I'd like to add a line to the sudoers file which would permit all commands... (1 Reply)
Discussion started by: scottsl
1 Replies
2. UNIX for Dummies Questions & Answers
Is there a way to easily change an account to be a non login account (NP in the shadow) file?
I know I can just edit the file but that is not what we want to do. We use access control software and want to provide a way to set an account to be non-login using simple commands that can be mapped... (0 Replies)
Discussion started by: LordJezo
0 Replies
3. UNIX for Dummies Questions & Answers
I have access to 15+ UNIX boxes at work, and I do not consistently log onto all of them over time. When I do try to access one I havent been on in awhile, my account is locked as the password has expired.
I need to request to the UNIX SA's that the password expiration is 90 days and that if it... (1 Reply)
Discussion started by: stringzz
1 Replies
4. Linux
Hi ,
I am faceing lot of problem due to "disk space is not enough".
senerio is like as,
In system has 5 account.
a,b,c,d,e
say account c if very critical.
Due to other user's data, user 'c' is faceing disk space issue.
I want to dedicate 3 GB for user 'c'.
No user... (1 Reply)
Discussion started by: ashokd009
1 Replies
5. Linux
Hi Techs,
Please guide me the answer with the explanation.
Q1) What is the uid of an individual account which can access ftp/http?
Thanks in advance to all. (3 Replies)
Discussion started by: ajazshariff
3 Replies
6. Solaris
Hi Unix Gurus .
I have requirement where in which - I would like create duplicate root equivalent account with all the privileges equal to root. Is it possible to create this duplicate account with different UID. ?
this id i would like give it to my teams - who does multiple activities using... (2 Replies)
Discussion started by: johnavery50
2 Replies
7. Forum Support Area for Unregistered Users & Account Problems
Hi there,
I may have had a typo in my email previously provided. I have doublechecked my email for Scott's reply but havent seen it, so I am creating a new post.
My new email can be either one of these: <removed> or <removed>
I beleive my old email was <removed by admin>
thanks for your... (1 Reply)
Discussion started by: AKelam_MagnusA
1 Replies
8. How to Post in the The UNIX and Linux Forums
I have made password less connection to my remote account. and i tried to execute commands at a time. but i am unable to execute the commands.
ssh $ACCOUNT_DETAILS@$HOST_DETAILS
cd ~/JEE/*/logs/ (1 Reply)
Discussion started by: kishored005
1 Replies
9. Windows & DOS: Issues & Discussions
Hello,
Does anyone know what happens to your skype account if you close the outlook.com email account which are linked together? As you know they are both owned by Microsoft.
Thanks (0 Replies)
Discussion started by: milhan
0 Replies
LEARN ABOUT MOJAVE
krb5_auth_rules
krb5_auth_rules(5) Standards, Environments, and Macros krb5_auth_rules(5)
NAME
krb5_auth_rules - Overview of Kerberos V5 authorization
DESCRIPTION
When a user uses kerberized versions of the ftp, rdist, rcp, rlogin, rsh, or telnet clients to connect to a server, even if the user's
claimed Kerberos V5 identity is authenticated, the user is not necessarily authorized. Authentication merely proves that the user is "who
he says he is" to the Kerberos V5 authentication system. Authorization also needs to be done, since it determines if that Kerberos identity
is permitted to access the Solaris user account that the client wants to access.
Each user may have a private authorization list in a file ~/.k5login in his login directory (on the server). Each line in this file should
contain a Kerberos principal name of the form principal/instance@realm. If the server finds a ~/.k5login file, then access is granted to
the account if and only if the originating user is authenticated to one of the principals named in the ~/.k5login file.
If there is no ~/.k5login file, the originating user will then be checked against the gsscred table (see gsscred(1M)). If the originating
user's Kerberos V5 identity is in the gsscred table, and if the UNIX user id in the gsscred table corresponds to the user account the
client is trying access, then the originating user is granted access to the account on the server. If the UNIX user id does not match, then
the originating user is denied access.
For example, suppose the originating user has a principal name of jdb@ENG.ACME.COM and the target account is jdb-user. If jdb@ENG.ACME.COM
appears in the gsscred table with uid 23154 and if jdb-user appears in the user account database (see passwd(4)) with uid 23154, then
access to account jdb-user is granted. Of course, normally, the target account name in this example would be jdb and not jdb-user.
Finally, if there is no ~/.k5login file and if the originating user's Kerberos V5 identity is not in the gsscred table, then the user will
be granted access to the account if and only if all of the following are true:
o The user part of the authenticated principal name is the same as the target account name specified by the client.
o The realm part of the client and server are the same.
o The target account name exists on the server.
For example, if the originating user has a principal name of jdb@ENG.ACME.COM and if the server is in realm SALES.ACME.COM, then even if
jdb is a valid account name on the server, the client would be denied access. This is because the realms SALES.ACME.COM and ENG.ACME.COM
differ.
FILES
~/.k5login Per user-account authorization file.
/etc/passwd System account file. This information may also be in a directory service. See passwd(4).
ATTRIBUTES
See attributes(5) for a description of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
SEE ALSO
ftp(1), rcp(1), rdist(1), rlogin(1), rsh(1), telnet(1), gsscred(1M), passwd(4), attributes(5), gss_auth_rules(5)
NOTES
To avoid security problems, the ~/.k5login file must be owned by the remote user.
SunOS 5.10 13 Apr 2004 krb5_auth_rules(5)