Full Discussion: Switch user(su) two times
Operating Systems AIX Switch user(su) two times Post 302519633 by bakunin on Wednesday 4th of May 2011 12:38:24 PM
Quote:
Originally Posted by mtwain
I was asking this question from the perspective of audit. I should have given this detail before.
We are so relaxed here, even auditors are welcome and get answers. ;-))


Quote:
Originally Posted by mtwain
I wanted to review the appropriateness of people who can su to ABC.
I think you are looking in the wrong direction. See below.

Quote:
Originally Posted by mtwain
A) Given the above info, to determine only appropriate people can su to ABC, do I also need to look at people who can su to root?
Yes.

Quote:
Originally Posted by mtwain
B) Will su away from root to ABC prompt a user to enter password of ABC
No.

Quote:
Originally Posted by mtwain
C) If su away from root to ABC does not prompt the user to enter password of ABC, basically any user who can su to root can access ABC. In that case, the focus should be on people who can su to root without entering root password. How can I know which accounts have been configured to su to root without entering root password. Is there some configuration list I can review to know these accounts?
Here it comes: in principle nobody should be allowed to become root without a password, and in principle nobody is. Having said that, I will try to explain in the most non-technical fashion I can muster:

It simply makes no sense to identify people over and over again. A password is a device to identify people: "prove that you are X by entering a password only X would know". If you make someone enter the password, say, 2 times, this enhances security not one bit. Admins often have many systems to administer, and usually all these systems have the same people responsible for them. As the admin switches from one system to the other he has to log on over and over again, always proving to a system that he is still the same person he was the last second. This is why clever people have developed several ways to centralize this identification process, and this is why it sometimes looks like an admin is able to get into a system as root without a password. This is also the reason why you might not be looking in all the necessary places. Let me explain some of the possibilities:


1) Centralized user administration

A host maintains a directory of users along with a secret to identify them (usually the password) and some credentials they have (things they are allowed to do). It is easy to conceive that it might be a good idea to centralize this information for several hosts, thus creating user accounts valid for either a single host or a group of (or even all those) hosts. Basically they all work the same way: if a system has to decide whether to let a user do something, it doesn't look in its own directory of user rights but asks a centralized server for that information.

Some of these systems are: Kerberos, LDAP, DCE, NISplus; in the Windows world the counterparts are Active Directory, E-Directory, X.400, and there are probably some I don't know. If your environment includes one of these systems you have to look there too and not only on the local machine.


2) sudo

To give someone the right to become root is an "everything or nothing" decision. Either s/he is allowed to become root or not. To make this a bit more specific and adjustable there is a tool called "sudo". Basically it allows you to execute certain commands as another user (quite like "su - ... -c", see post above) but without having to enter the other user's password. You enter your own password instead to identify yourself (or none at all). Previously, if someone had to execute a certain command as root you had to give him the root password, and s/he was then free to do whatever s/he wanted as root; now it is possible to give him the right to execute exactly this command as root but nothing else, without giving the root password away.

I can't explain the complete list of possible rules which govern this process here, but there is a simple check: look for a file "/etc/sudoers", and if it is there sudo is most probably used. You will have to investigate the ruleset then too.


3) ssh-keys

This is a similar idea to 1), but this time not in a centralized but a distributed way: if you connect to one system as a certain user you identify yourself. If you are allowed to connect to another system as a certain user from there it simply makes no sense to identify you again. You generate a private-/public-key pair and store the public key in a keyring on the target system after connecting to it the conventional way (with a password). From now on you don't need a password but the key pair is used to identify you.

This works only on host-user pairs and only in one direction. If you connect to host a as user a[A] and then exchange keys to connect without passwords to host b as user b[B], this doesn't mean you can connect backwards to host a as user a[A] without a password too; you would have to exchange the keys in the other direction in the same manner to make that mechanism work both ways. Neither is it possible for some user c[A] on host c to connect as b[B]; this would also require the procedure of key exchange described above.

To find out if someone can connect to the user account using ssh keys, look in the directory "~/.ssh" (default name, could be different on your system, but usually isn't) for a file "authorized_keys" (again: default name). If it exists and has entries (read it with a simple text editor), then these user/host combinations are allowed to connect to this account without a password.

I hope this helps.

bakunin
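An added example, not code from the original post or from bakunin: a small POSIX shell script that performs the two local checks from points 2) and 3) above for a given target account. It takes a sudoers file and an authorized_keys file as inputs (paths are assumptions; on a real host they would be /etc/sudoers and the target account's ~/.ssh/authorized_keys), lists the sudo rules whose runas list covers the account or ALL, and summarises each accepted ssh key together with any from= host restriction. It does not expand sudo aliases; Runas_Alias lines and include directives are flagged for manual review instead. The centralized-directory case in point 1) cannot be checked from local files and is not covered. The sample sudoers rules and key lines it writes for the demo are constructed and contain no real key material.

```shell
#!/bin/sh
# audit_su_paths.sh: added example for the checks in 2) and 3) above; not code
# from the original post. Lists password-less routes into a target account:
# sudo rules whose runas list covers it (or ALL) and ssh authorized_keys
# entries. File paths and the sample data are assumptions, not from a real host.

# Print sudoers rules whose runas list grants TARGET (or ALL). A rule with no
# "(...)" runas list runs as root, sudo's default. Aliases are not expanded:
# Runas_Alias lines and include directives are printed for manual review.
# usage: sudo_runas_rules TARGET SUDOERS_FILE
sudo_runas_rules() {
    awk -v t="$1" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }      # join "\"-continued lines
        {
            line = buf $0; buf = ""
            if (line ~ /^[ \t]*[#@]include/) { print "INCLUDE (review separately): " line; next }
            sub(/[ \t]*#.*$/, "", line)                      # strip trailing comment
            if (line ~ /^[ \t]*$/) next
            if (line ~ /^[ \t]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias)/) next
            if (line ~ /^[ \t]*Runas_Alias/) { print "ALIAS (review separately): " line; next }
            if (match(line, /\([^)]*\)/)) {
                runas = substr(line, RSTART + 1, RLENGTH - 2)
            } else {
                runas = "root"                               # sudo default runas
            }
            n = split(runas, parts, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                sub(/:.*/, "", parts[i])                     # drop ":group" suffix
                if (parts[i] == t || parts[i] == "ALL") { print line; break }
            }
        }' "$2"
}

# One line per key: "<type> <comment> from=<pattern|ANY>". A key without a
# from= option is accepted from any source host. Options with quoted spaces
# (e.g. command="a b") would mis-split the fields and need a manual look.
# usage: authorized_keys_summary FILE
authorized_keys_summary() {
    awk '
        /^[ \t]*(#|$)/ { next }                              # comments, blank lines
        {
            if ($1 ~ /^(ssh-|ecdsa-|sk-)/) { opts = ""; k = 1 } else { opts = $1; k = 2 }
            type = $k
            comment = ""
            for (i = k + 2; i <= NF; i++) comment = comment (i > k + 2 ? " " : "") $i
            from = "ANY"
            if (match(opts, /from="[^"]*"/)) from = substr(opts, RSTART + 6, RLENGTH - 7)
            printf "%s %s from=%s\n", type, (comment == "" ? "-" : comment), from
        }' "$1"
}

# usage: audit_su_paths TARGET SUDOERS_FILE AUTHORIZED_KEYS_FILE
audit_su_paths() {
    echo "== sudo rules that may run as $1 (from $2) =="
    sudo_runas_rules "$1" "$2"
    echo "== ssh keys accepted for $1 (from $3) =="
    if [ -s "$3" ]; then authorized_keys_summary "$3"; else echo "(none)"; fi
}

# Write constructed sample inputs (not real rules or keys) to a temp dir; print it.
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/sudoers" <<'EOF'
# constructed sample sudoers, not from a real host
Defaults    env_reset
User_Alias  DBA = alice, bob
alice   ALL=(ABC) NOPASSWD: /usr/local/bin/restart_abc
bob     ALL=(ALL) ALL
carol   ALL=(root) /usr/sbin/reboot
dave    ALL=/usr/bin/less          # no runas list: runs as root
DBA     ALL=(ABC:dba) /usr/bin/id, \
        /usr/bin/ls
#includedir /etc/sudoers.d
EOF
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample; the key blobs are placeholders, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey alice@host-a
from="10.0.0.5",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholder bob@host-b
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQAnotherPlaceholder
EOF
    echo "$d"
}

# sh audit_su_paths.sh --demo   runs the audit against the constructed samples
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_files)
    audit_su_paths ABC "$d/sudoers" "$d/authorized_keys"
    rm -r "$d"
fi
```

On a real host you would run it once for the application account and once for root, as the answer to question A) suggests: `sh audit_su_paths.sh ABC /etc/sudoers /home/ABC/.ssh/authorized_keys` and the same for root, then resolve any User_Alias, Runas_Alias and included files by hand.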
 
