08-25-2011
Quote:
Originally Posted by
naveedaix
Can you please tell what are real threats and security risks for assigning root UID 0 to more than 1 person? how can we convince system admin to remove such rights are use SU for super user tasks.
Thanks for your reply
1) auditing
2) very dangerous to be root all of the time
3) use su
4) use sudo - even better in some cases
5) use roles if available.
6) if you need a proof of concept create an account for me on your system with uid 0. I will show you in 2 seconds why it it bad.
![Wink Smilie](https://www.unix.com/images/smilies/wink.gif)
This User Gave Thanks to frank_rizzo For This Post:
10 More Discussions You Might Find Interesting
1. AIX
Currently, I have about 7 servers and the uid for a given person is different on each server. I want to make the uid's the same for a given username on each server. I know how to change the uid via smit, but when I do the previous uid number shows up as the owner for the files of that username.... (4 Replies)
Discussion started by: mcateriny
4 Replies
2. UNIX for Dummies Questions & Answers
Is it possible given a uid to determine information about the person with the uid? An example would be simple information regarding what group and the name of the person associated with that uid. It seems there is probably an easy staring me in the face but i cant seem to find it... (3 Replies)
Discussion started by: dreaming1
3 Replies
3. AIX
Hello
I want to find out how I can make sure in AIX that the UIDs cannot be reused Until after 6 Months after the user has left.
Thanks,
Noori (4 Replies)
Discussion started by: noori
4 Replies
4. Shell Programming and Scripting
How do i go about getting the uid of the user and verify ?
if
then
echo "You are not a superuser, please login as a superuser"
exit1;
fi
the above code doesn't work. can some guru please help me.
1. how to get the uid of the user ? i know by typing id but how to... (7 Replies)
Discussion started by: filthymonk
7 Replies
5. Shell Programming and Scripting
Hi Guys,
I'd like to ask your advice on the following, I've written this script to terminate a given process by name:
#!/bin/bash
echo 'Please enter the process you wish to terminate'
read process
pid=$(pidof $process)
kill -9 $pid
echo $2
to make it safer I want it to reject the... (4 Replies)
Discussion started by: Lora Graham
4 Replies
6. Shell Programming and Scripting
i need a script to process a password file and based on the UIDs in the password file, generate the new UID that is 1 greater than the highest uid.
i have some script logic but i dont really understand it. any help?
#!/usr/bin/perl
##########################################
#... (3 Replies)
Discussion started by: livewire06
3 Replies
7. Shell Programming and Scripting
is tty command opens a process in the system if yes then why process got the userid????? (5 Replies)
Discussion started by: Mac91
5 Replies
8. UNIX for Dummies Questions & Answers
Hi folks!
I need you help to discover what's the impact of a duplicated UID in an operating system. What's the meaning when someone put in different users the same UID? (3 Replies)
Discussion started by: phcostabh
3 Replies
9. Solaris
Hi,
I want to change user id gefadm ,uid=0(root) gid=0(root) to uid=16649(isaadmin) gid=16284(dstage),
how can i change this uid ,gid one value to another value.
Please provide the steps how can i change , uid=0(root) gid=0(root) to uid=16649(isaadmin) gid=16284(dstage).
Thanks in advance for... (2 Replies)
Discussion started by: sridhardwh
2 Replies
10. Solaris
Hi All,
I have to give permission to one of the groups called as "ABC" as like the permissions of the group "UNIXADM".
Could you please some one help on this issue ? (3 Replies)
Discussion started by: ramareddi16
3 Replies
roles(1) User Commands roles(1)
NAME
roles - print roles granted to a user
SYNOPSIS
roles [ user ...]
DESCRIPTION
The command roles prints on standard output the roles that you or the optionally-specified user have been granted. Roles are special
accounts that correspond to a functional responsibility rather than to an actual person (referred to as a normal user).
Each user may have zero or more roles. Roles have most of the attributes of normal users and are identified like normal users in passwd(4)
and shadow(4). Each role must have an entry in the user_attr(4) file that identifies it as a role. Roles can have their own authorizations
and profiles. See auths(1) and profiles(1).
Roles are not allowed to log into a system as a primary user. Instead, a user must log in as him-- or herself and assume the role. The
actions of a role are attributable to the normal user. When auditing is enabled, the audited events of the role contain the audit ID of the
original user who assumed the role.
A role may not assume itself or any other role. Roles are not hierarchical. However, rights profiles (see prof_attr(4)) are hierarchical
and can be used to achieve the same effect as hierarchical roles.
Roles must have valid passwords and one of the shells that interprets profiles: either pfcsh, pfksh, or pfsh. See pfexec(1).
Role assumption may be performed using su(1M), rlogin(1), or some other service that supports the PAM_RUSER variable. Successful assumption
requires knowledge of the role's password and membership in the role. Role assignments are specified in user_attr(4).
EXAMPLES
Example 1: Sample output
The output of the roles command has the following form:
example% roles tester01 tester02
tester01 : admin
tester02 : secadmin, root
example%
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 An error occurred.
FILES
/etc/user_attr
/etc/security/auth_attr
/etc/security/prof_attr
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWcsu |
+-----------------------------+-----------------------------+
SEE ALSO
auths(1), pfexec(1), profiles(1), rlogin(1), su(1M), getauusernam(3BSM), auth_attr(4), passwd(4), prof_attr(4), shadow(4), user_attr(4),
attributes(5)
SunOS 5.10 14 Feb 2001 roles(1)