Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: root access
Operating Systems AIX root access Post 302217637 by bakunin on Wednesday 23rd of July 2008 08:03:24 AM
Old 07-23-2008
Quote:
Originally Posted by djdavies
I'm an inexperienced Aix admin so i was wondering is this a good idea to totally stop root access?
That depends on what you want to achieve: usually the direct root access is forbidden to force admins to use "su" or some "sudoed" variant of it. The reason is that this event (someone issuing "su" to become root) is traceable and therefore auditable. If, say, ten people are logged in as root and someone does something really stupid you can't determine who that was from machine logs. By the way: "auditable" doesn't mean "more secure". "Auditable" means you can blame someone - after having done something really stupid. ;-)

Quote:
Is it ok just to leave it so you can only su to root ? I can see the benefits, but just wondered if it would cause any problems?
See above. Exactly this (root access only permitted via "su") ist what the given command is providing. The benefits, btw. are quite limited, IMHO: if an Admin does want to hurt you s/he can as well edit the logs and destroy his/her traces. Therefore this is not a security measure against the malevolent ones but against the malevolent AND extremely silly ones - you wouldn't have hired them in first place if they are extremely silly, wouldn't you?

On the other hand people do make errors. If there are no malevolent admins in your staff and disaster strikes, because, basically, shit happens - you will have to ask yourself if blaming someone for it in public really will make things better.

Quote:
Also do you need to have the CDE running? or stop that as well so that there is no console? only say ssh access?
CDE is just a GUI, not a console. Of course you can switch it off ("/usr/dt/bin/dtconfig -d" or "smitty dtconfig" to do it via SMIT), but doing so changes only the behavior of a terminal, not its existence. Instead of the CDE login screen you will see the "herald" (configurable in /etc/security/login) and the "login:" prompt, but essentially you can do the same there as you can do on the CDE login screen.

My suggestion: switch it off! It is a resource hog and has no benefit anyways.

A "console" is a special case of a terminal: a terminal which is physically attached to the machine it belongs to. This is the case, for instance, with a serial terminal directly connected via a nullmodem cable to the serial connector of the machine. Switching this way of access off is possible but makes sense only for machines not situated in a (locked) data center. For the usual case of restricted physical access to the machines (data center, etc.) this is only useful as a PITA device for the service technicians and SysAdmins.

I hope this helps.

bakunin
 

10 More Discussions You Might Find Interesting

1. Linux

how to access root priveliges if root password is lost

wish to know how to access root password it root password is forgotten in linux (1 Reply)
Discussion started by: wojtyla
1 Replies

2. SCO

root access

We have SCO 5.0.5 and can't log into system as "root". The system indicates the password is incorrect. No one knows what happened. How can we resolve this issue.. Are there files we can restore from backup...? Any suggestions would be appreciated. Thank you.. (2 Replies)
Discussion started by: RBurer
2 Replies

3. UNIX for Dummies Questions & Answers

To What files root does not have access to??

Hi, I just wanted to know to what files root does not have access, not even read....I read that .profile for any user is the only file which root cannot access is it true..??...If we have to use passwords and ID's in a script can we use them in .profile and call them as parameters..??? ... (2 Replies)
Discussion started by: mgirinath
2 Replies

4. Shell Programming and Scripting

To What files root does not have access to??

Hi, I just wanted to know to what files root does not have access, not even read....I read that .profile for any user is the only file which root cannot access is it true..??...If we have to use passwords and ID's in a script can we use them in .profile and call them as parameters..??? ... (3 Replies)
Discussion started by: mgirinath
3 Replies

5. Solaris

Security of root access

Hi, The security auditor give a this statement , what to do ? On my solaris system (S10) "The User ID "root" should not be used on the system - the su and the priviledged account should be used from each administrator for accountability purposes" What to do ? (3 Replies)
Discussion started by: falcon16
3 Replies

6. UNIX for Dummies Questions & Answers

How to allow access to some commands having root privleges to be run bu non root user

hi i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies

7. Shell Programming and Scripting

How to give root access to non root user?

Currently in my system Red Hat is installed. And Many user connect to my machine via SSH Techia Terminal. I want to give some users a root level access. Can anyone please help me how to make it possible. I too searched on the Google but didn't find the correct way Regards ADI (4 Replies)
Discussion started by: adisky123
4 Replies

8. SuSE

Auditors want more security with root to root access via ssh keys

I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE Admin server is setup in the following manner: 1) Remote root access is turned off in the sshd_config file. 2) I am the only user of this admin... (6 Replies)
Discussion started by: dvbell
6 Replies

9. Ubuntu

Root access that can't change root password?

We are having a little problem on a server. We want that some users should be able to do e.g. sudo and become root, but with the restriction that the user can't change root password. That is, a guarantee that we still can login to that server and become root no matter of what the other users will... (2 Replies)
Discussion started by: 244an
2 Replies

10. OS X (Apple)

Root access in OSX 10.12.2.

Mac users... I updated this MBP from OSX 10.12.1 to the brand new OSX 10.12.2 two days ago. A week ago I installed the Xcode suite. Now the QT shell audio capture in another recent thread is broken when exporting a file. It gives an error in a window, paraphrasing, The action is not... (4 Replies)
Discussion started by: wisecracker
4 Replies

LEARN ABOUT X11R4

sulogin

sulogin(1M)						  System Administration Commands					       sulogin(1M)

NAME

       sulogin - access single-user mode

SYNOPSIS

       sulogin

DESCRIPTION

       The  sulogin  utility  is  automatically invoked by init when the system is first started. It prompts the user to type the root password to
       enter system maintenance mode (single-user mode) or to type  EOF (typically <CTRL-D>) for normal startup (multi-user mode). The user should
       never directly invoke sulogin.

       The  sulogin utility can prompt the user to enter the root password on a variable number of serial console devices, in addition to the tra-
       ditional console device. See consadm(1M) and msglog(7D) for a description of how to configure a serial device to  display  the  single-user
       login prompt.

FILES

       /etc/default/sulogin    Default value can be set for the following flag:

			       PASSREQ	       Determines if login requires a password. Default is PASSREQ=YES.

       /etc/default/login      Default value can be set for the following flag:

			       SLEEPTIME       If  present,  sets  the number of seconds to wait before login failure is printed to the screen and
					       another login attempt is allowed. Default is 4 seconds. Minimum is 0 seconds. Maximum is 5 seconds.

					       Both su(1M) and login(1) are affected by the value of SLEEPTIME.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsr			   |
       +-----------------------------+-----------------------------+

SEE ALSO

	login(1), consadm(1M), init(1M), su(1M), attributes(5), msglog(7D)

SunOS 5.10							    25 Sep 2002 						       sulogin(1M)
All times are GMT -4. The time now is 05:55 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy