02-20-2016
Most UNIX have root not locked unless using RBAC perhaps but accessible to only very limited devices where ordinary people have no access...
Thats is why servers are in white? rooms where security is high and only the sysadms have access...
To answer
Quote:
would the system and its contents be inaccessible?? This is pure curiosity.
The only system I found with root disabled was a lab machine configured with another sysadm of my team, we were trying all figures to go further in security... and so using RBAC we disabled root account... Fine till we forgot the passwords... And realised we were doomed, though my friend and collegue is highly specialized in solaris ( as I had no small HPUX to use at the time ) this was a sparc/solaris 10, we just could not find a way to get back at the system, OK we may did more than just RBAC as we were trying to highly secure... So on one hand we achieved what we wanted, on the other we saw the silly situation we were in for not remembering the passwords...
Morality?
I am sure all serious sysadm configures his boxes with a backdoor only it may not be at a user level, and the minimum security to my eyes is to not let direct connection from the net unless dedicated lan to root even via ssh, using su/sudo only and having root only accessible from console which should be a real dedicated console (/dev/console...) on serial port or dedicated lan for lan consoles
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Why, when you type in an obviously invalid login, does UNIX give you an opportunity to type in a password? Is it a security thing? (1 Reply)
Discussion started by: grassaj
1 Replies
2. UNIX for Dummies Questions & Answers
Hi all
I am administering Linux boxes (running rehat linux 7.3 and 8.0).
The other day I tried to ssh from 1 linux box to the other. I was root on the client box. Surprisingly, I could login as root into the host after giving the password!! I am unable to get root login from a SSH client... (2 Replies)
Discussion started by: skotapal
2 Replies
3. UNIX for Dummies Questions & Answers
hi all,
what file(s) needs to be changed and in what way in order to do the following:
when user A logs onto freebsd 4.8 automaticaly he needs to start up a script a made that executes:
sets ltp0 in polling mode,
executes tn5250 keyboard mapping
starts tn5250 with the correct parameters.
... (2 Replies)
Discussion started by: termiEEE
2 Replies
4. Shell Programming and Scripting
I have been searching how to do this and haven't been able to make it work. When I login to our Unix machine running SunOS 5.8 it automatically starts in csh but I want bash. I don't have access to chsh or password commands so I guess I need to change .profile or .login or .cshrc? Which one and... (2 Replies)
Discussion started by: blackw
2 Replies
5. Solaris
I post this question because it seems that no many people will knows about this. I hope to meet some real guru to help me out. Here is the question:
I isntalled solaris 10 on Sun sparc 64 bit machine. I can login as root user through GUI or console. After I created an Oracle user, I only can... (1 Reply)
Discussion started by: duke0001
1 Replies
6. UNIX for Advanced & Expert Users
I post this question because it seems that no many people will knows about this. I hope to meet some real guru to help me out. Here is the question:
I isntalled solaris 10 on Sun sparc 64 bit machine. I can login as root user through GUI or console. After I created an Oracle user, I only can... (2 Replies)
Discussion started by: duke0001
2 Replies
7. UNIX for Dummies Questions & Answers
Hey everyone,
I'am a little new here and experincing Unix for the first time. I was wondering if somone could help me with this question i'am a bit stuck on
Looking at the content of .profile login script
The .profile file is in your login directory. It is a startup script file... (1 Reply)
Discussion started by: worldsoutro
1 Replies
8. Red Hat
hi Guys , I m completely new to this environment.
I m working in linux gnu operating type.
I have root user access to this machine and i have created a user named scott using useradd command then set its password using passwd command.
Now my problem is i m not able to loggin using this new... (4 Replies)
Discussion started by: pinga123
4 Replies
9. Shell Programming and Scripting
Hi all,
I am OpenBSD newbie and currently need to manage some OpenBSD firewalls running pf. The OpenBSD version is 4.8
As the other sys admins are not so familiar with OpenBSD, so I have an idea across in my mind on how to minimize the root account usage and other unnecessary access and make... (9 Replies)
Discussion started by: lcxpics
9 Replies
10. Solaris
Hi Folks,
I am studying for my 1z0-821 exam and I would like to clarify an answer to the following question :
You have a ticket from a new user on the system, indicating that he cannot log in to his account.
The information in the ticket gives you both the username and password. The ticket... (2 Replies)
Discussion started by: Ravneet_Pal
2 Replies
LEARN ABOUT REDHAT
usermod
USERMOD(8) System Manager's Manual USERMOD(8)
NAME
usermod - Modify a user account
SYNOPSIS
usermod [-c comment] [-d home_dir [-m]]
[-e expire_date] [-f inactive_time]
[-g initial_group] [-G group [,...]]
[-l login_name] [-p passwd]
[-s shell] [-u uid [-o]] [-L|-U] login
DESCRIPTION
The usermod command modifies the system account files to reflect the changes that are specified on the command line. The options which
apply to the usermod command are:
-c comment
The new value of the user's password file comment field. It is normally modified using the chfn(1) utility.
-d home_dir
The user's new login directory. If the -m option is given the contents of the current home directory will be moved to the new home
directory, which is created if it does not already exist.
-e expire_date
The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.
-f inactive_days
The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as
the password has expired, and a value of -1 disables the feature. The default value is -1.
-g initial_group
The group name or number of the user's new initial login group. The group name must exist. A group number must refer to an already
existing group. The default group number is 1.
-G group,[...]
A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no inter-
vening whitespace. The groups are subject to the same restrictions as the group given with the -g option. If the user is currently
a member of a group which is not listed, the user will be removed from the group
-l login_name
The name of the user will be changed from login to login_name. Nothing else is changed. In particular, the user's home directory
name should probably be changed to reflect the new login name.
-p passwd
The encrypted password, as returned by crypt(3).
-s shell
The name of the user's new login shell. Setting this field to blank causes the system to select the default login shell.
-u uid The numerical value of the user's ID. This value must be unique, unless the -o option is used. The value must be non-negative.
Values between 0 and 99 are typically reserved for system accounts. Any files which the user owns and which are located in the
directory tree rooted at the user's home directory will have the file user ID changed automatically. Files outside of the user's
home directory must be altered manually.
-L Lock a user's password. This puts a '!' in front of the encrypted password, effectively disabling the password. You can't use this
option with -p or -U.
-U Unlock a user's password. This removes the '!' in front of the encrypted password. You can't use this option with -p or -L.
CAVEATS
usermod will not allow you to change the name of a user who is logged in. You must make certain that the named user is not executing any
processes when this command is being executed if the user's numerical user ID is being changed. You must change the owner of any crontab
files manually. You must change the owner of any at jobs manually. You must make any changes involving NIS on the NIS server.
FILES
/etc/passwd - user account information
/etc/shadow - secure user account information
/etc/group - group information
SEE ALSO
chfn(1), chsh(1), passwd(1), crypt(3), groupadd(8), groupdel(8), groupmod(8), useradd(8), userdel(8)
AUTHOR
Julianne Frances Haugh (jockgrrl@ix.netcom.com)
USERMOD(8)