02-20-2016
Most UNIX have root not locked unless using RBAC perhaps but accessible to only very limited devices where ordinary people have no access...
Thats is why servers are in white? rooms where security is high and only the sysadms have access...
To answer
Quote:
would the system and its contents be inaccessible?? This is pure curiosity.
The only system I found with root disabled was a lab machine configured with another sysadm of my team, we were trying all figures to go further in security... and so using RBAC we disabled root account... Fine till we forgot the passwords... And realised we were doomed, though my friend and collegue is highly specialized in solaris ( as I had no small HPUX to use at the time ) this was a sparc/solaris 10, we just could not find a way to get back at the system, OK we may did more than just RBAC as we were trying to highly secure... So on one hand we achieved what we wanted, on the other we saw the silly situation we were in for not remembering the passwords...
Morality?
I am sure all serious sysadm configures his boxes with a backdoor only it may not be at a user level, and the minimum security to my eyes is to not let direct connection from the net unless dedicated lan to root even via ssh, using su/sudo only and having root only accessible from console which should be a real dedicated console (/dev/console...) on serial port or dedicated lan for lan consoles
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Why, when you type in an obviously invalid login, does UNIX give you an opportunity to type in a password? Is it a security thing? (1 Reply)
Discussion started by: grassaj
1 Replies
2. UNIX for Dummies Questions & Answers
Hi all
I am administering Linux boxes (running rehat linux 7.3 and 8.0).
The other day I tried to ssh from 1 linux box to the other. I was root on the client box. Surprisingly, I could login as root into the host after giving the password!! I am unable to get root login from a SSH client... (2 Replies)
Discussion started by: skotapal
2 Replies
3. UNIX for Dummies Questions & Answers
hi all,
what file(s) needs to be changed and in what way in order to do the following:
when user A logs onto freebsd 4.8 automaticaly he needs to start up a script a made that executes:
sets ltp0 in polling mode,
executes tn5250 keyboard mapping
starts tn5250 with the correct parameters.
... (2 Replies)
Discussion started by: termiEEE
2 Replies
4. Shell Programming and Scripting
I have been searching how to do this and haven't been able to make it work. When I login to our Unix machine running SunOS 5.8 it automatically starts in csh but I want bash. I don't have access to chsh or password commands so I guess I need to change .profile or .login or .cshrc? Which one and... (2 Replies)
Discussion started by: blackw
2 Replies
5. Solaris
I post this question because it seems that no many people will knows about this. I hope to meet some real guru to help me out. Here is the question:
I isntalled solaris 10 on Sun sparc 64 bit machine. I can login as root user through GUI or console. After I created an Oracle user, I only can... (1 Reply)
Discussion started by: duke0001
1 Replies
6. UNIX for Advanced & Expert Users
I post this question because it seems that no many people will knows about this. I hope to meet some real guru to help me out. Here is the question:
I isntalled solaris 10 on Sun sparc 64 bit machine. I can login as root user through GUI or console. After I created an Oracle user, I only can... (2 Replies)
Discussion started by: duke0001
2 Replies
7. UNIX for Dummies Questions & Answers
Hey everyone,
I'am a little new here and experincing Unix for the first time. I was wondering if somone could help me with this question i'am a bit stuck on
Looking at the content of .profile login script
The .profile file is in your login directory. It is a startup script file... (1 Reply)
Discussion started by: worldsoutro
1 Replies
8. Red Hat
hi Guys , I m completely new to this environment.
I m working in linux gnu operating type.
I have root user access to this machine and i have created a user named scott using useradd command then set its password using passwd command.
Now my problem is i m not able to loggin using this new... (4 Replies)
Discussion started by: pinga123
4 Replies
9. Shell Programming and Scripting
Hi all,
I am OpenBSD newbie and currently need to manage some OpenBSD firewalls running pf. The OpenBSD version is 4.8
As the other sys admins are not so familiar with OpenBSD, so I have an idea across in my mind on how to minimize the root account usage and other unnecessary access and make... (9 Replies)
Discussion started by: lcxpics
9 Replies
10. Solaris
Hi Folks,
I am studying for my 1z0-821 exam and I would like to clarify an answer to the following question :
You have a ticket from a new user on the system, indicating that he cannot log in to his account.
The information in the ticket gives you both the username and password. The ticket... (2 Replies)
Discussion started by: Ravneet_Pal
2 Replies
LEARN ABOUT NETBSD
usermod
USERMOD(8) BSD System Manager's Manual USERMOD(8)
NAME
usermod -- modify user login information
SYNOPSIS
usermod [-FmoSv] [-C yes/no] [-c comment] [-d home-dir] [-e expiry-time] [-f inactive-time] [-G secondary-group] [-g gid | name | =uid]
[-L login-class] [-l new-login] [-p password] [-s shell] [-u uid] user
DESCRIPTION
The usermod utility modifies user login information on the system.
Default values are taken from the information provided in the /etc/usermgmt.conf file, which, if running as root, is created using the built-
in defaults if it does not exist.
See user(8) for more information about EXTENSIONS.
After setting any defaults, and then reading values from /etc/usermgmt.conf, the following command line options are processed:
-C yes/no
Enable user accounts to be temporary locked/closed. The yes/no operand can be given as ``yes'' to lock the account or ``no'' to
unlock the account.
-c comment
Set the comment field (also, for historical reasons known as the GECOS field) for the user. The comment field will typically include
the user's full name and, perhaps, contact information for the user.
-d home-directory
Set the home directory without populating it; if the -m option is specified, tries to move the old home directory to home-directory.
-e expiry-time
Set the time at which the account expires. This can be used to implement password aging. It should be entered in the form ``month
day year'', where month is the month name (the first three characters are sufficient), day is the day of the month, and year is the
year. Time in seconds since the epoch (UTC) is also valid. A value of 0 can be used to disable this feature. This value can be
preset for all users using the expire field in the /etc/usermgmt.conf file. See usermgmt.conf(5) for more details.
-F Force the user to change their password upon next login.
-f inactive-time
Set the time at which the password expires. See the -e option.
-G secondary-group
Specify a secondary group to which the user will be added in the /etc/group file. The secondary-group may be a comma-delimited list
for multiple groups. Or the option may be repeated for multiple groups. (16 groups maximum.)
-g gid | name | =uid
Give the group name or identifier to be used for the user's primary group. If this is '=uid', then a uid and gid will be picked
which are both unique and the same, and a line will be added to /etc/group to describe the new group. This value can be preset for
all users by using the group field in the /etc/usermgmt.conf file. See usermgmt.conf(5) for more details.
-L login-class
Set the login class for the user. See login.conf(5) for more information on user login classes. This value can be preset for all
users by using the class field in the /etc/usermgmt.conf file. See usermgmt.conf(5) for more details. This option is included if
built with EXTENSIONS.
-l new-user
Give the new user name. It can consist of alphanumeric characters and the characters '.', '-', and '_'.
-m Move the home directory from its old position to the new one. If -d is not specified, the new-user argument of the -l option is
used; one of -d and -l is needed.
-o Allow duplicate uids to be given.
-p password
Specify an already-encrypted password for the user. This password can then be changed by using the chpass(1) utility. This value
can be preset for all users by using the password field in the /etc/usermgmt.conf file. See usermgmt.conf(5) for more details. This
option is included if built with EXTENSIONS.
-S Allow samba user names with a trailing dollar sign to be modified. This option is included if built with EXTENSIONS.
-s shell
Specify the login shell for the user. This value can be preset for all users by using the shell field in the /etc/usermgmt.conf
file. See usermgmt.conf(5) for more details.
-u uid Specify a new uid for the user. Boundaries for this value can be preset for all users by using the range field in the
/etc/usermgmt.conf file. See usermgmt.conf(5) for more details.
-v Enable verbose mode - explain the commands as they are executed. This option is included if built with EXTENSIONS.
Once the information has been verified, usermod uses pwd_mkdb(8) to update the user database. This is run in the background. At very large
sites this can take several minutes. Until this update is completed, the password file is unavailable for other updates and the new informa-
tion is not available to programs.
EXIT STATUS
The usermod utility exits 0 on success, and >0 if an error occurs.
FILES
/etc/usermgmt.conf
SEE ALSO
chpass(1), group(5), passwd(5), usermgmt.conf(5), pwd_mkdb(8), user(8), useradd(8), userdel(8)
HISTORY
The usermod utility first appeared in NetBSD 1.5. It is based on the addnerd package by the same author.
AUTHORS
The usermod utility was written by Alistair G. Crooks <agc@NetBSD.org>.
BSD
January 13, 2009 BSD