08-15-2018
Actually, another process would be to use what is known as a dual password account.
I'll oversimplify for now.
a) have a privileged account - i.e., let's say suroot. This account is either added to sudoers, or set up using RBAC to be more powerful. "Audit" is also set up to monitor this account's activity.
b) have two "key accounts", each of these has its own password - which could be shared or coming from the vault. Each of these accounts has /bin/false as shell.
c) when access to "suroot" is needed, TWO people (one from a "group" or with vault access to the key-1 password, and another with access to the key-2 password)
* start by entering "suroot" as username at the login (e.g., console) prompt. The system will prompt for the password of key-1; then the system will prompt for the password of account key-2 - and the login will complete with "suroot" as the active user.
Note: if key-1 or key-2 tries to log in it will always "fail" because the shell is /bin/false (even root cannot "su" to that userid).
Hope this helps.
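A small model of the dual-control scheme above, added here as an example and not part of the original reply: it parses passwd(5)-style entries, refuses a direct login to any account whose shell is /bin/false, and grants the privileged account only when both key holders' passwords verify. The account names (suroot, key-1, key-2), the salt, the secrets and the PBKDF2 stand-in for the shadow hash are all constructed for the example.

```python
import hashlib
import hmac

# Constructed passwd(5)-style entries: account:password:UID:GID:GECOS:directory:shell.
# 'x' in the password field means the hash lives in SHADOW below.
PASSWD_LINES = """\
suroot:x:0:0:privileged account, audited:/root:/bin/bash
key-1:x:1001:1001:dual-control key holder 1:/nonexistent:/bin/false
key-2:x:1002:1002:dual-control key holder 2:/nonexistent:/bin/false
"""

def parse_passwd(text):
    """Return {account: fields} for passwd(5)-format lines (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        account, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        # passwd(5): an empty shell field means /bin/sh
        users[account] = {"password": pw, "uid": int(uid), "gid": int(gid),
                          "gecos": gecos, "home": home, "shell": shell or "/bin/sh"}
    return users

SALT = b"constructed-salt"  # constructed; a real shadow(5) entry carries its own salt

def hash_password(password):
    # PBKDF2-SHA256 stands in for the system's shadow hash in this model.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Constructed secrets for the two key accounts (in the scheme they come from a vault).
# Note: suroot has no password of its own, so it can never be entered with one secret.
SHADOW = {"key-1": hash_password("key-one-secret"), "key-2": hash_password("key-two-secret")}

def check_password(account, password):
    stored = SHADOW.get(account)
    return stored is not None and hmac.compare_digest(stored, hash_password(password))

def direct_login(users, account, password):
    """Ordinary login(1)-style check: a /bin/false shell fails before the password is tried."""
    user = users.get(account)
    if user is None or user["shell"] == "/bin/false":
        return False
    return check_password(account, password)

def dual_control_login(users, target, key1_pw, key2_pw, keys=("key-1", "key-2")):
    """Grant `target` only when both key accounts are locked and both passwords verify."""
    if target not in users or users[target]["shell"] == "/bin/false":
        return False
    if any(users.get(k, {}).get("shell") != "/bin/false" for k in keys):
        return False  # policy: key accounts must never be usable for a direct login
    ok1 = check_password(keys[0], key1_pw)  # evaluate both, no short-circuit
    ok2 = check_password(keys[1], key2_pw)
    return ok1 and ok2

USERS = parse_passwd(PASSWD_LINES)
```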
PASSWD(5) File formats PASSWD(5)
NAME
passwd - password file
DESCRIPTION
Passwd is a text file that contains a list of the system's accounts, giving for each account some useful information like user ID, group
ID, home directory, shell, etc. Often, it also contains the encrypted passwords for each account. It should have general read permission
(many utilities, like ls(1), use it to map user IDs to user names), but write access only for the superuser.
In the good old days there was no great problem with this general read permission. Everybody could read the encrypted passwords, but the
hardware was too slow to crack a well-chosen password, and moreover, the basic assumption used to be that of a friendly user-community.
These days many people run some version of the shadow password suite, where /etc/passwd has *'s instead of encrypted passwords, and the
encrypted passwords are in /etc/shadow which is readable by the superuser only.
Regardless of whether shadow passwords are used, many sysadmins use a star in the encrypted password field to make sure that this user can
not authenticate him- or herself using a password. (But see the Notes below.)
If you create a new login, first put a star in the password field, then use passwd(1) to set it.
There is one entry per line, and each line has the format:
account:password:UID:GID:GECOS:directory:shell
The field descriptions are:
account the name of the user on the system. It should not contain capital letters.
password the encrypted user password or a star.
UID the numerical user ID.
GID the numerical primary group ID for this user.
GECOS This field is optional and only used for informational purposes. Usually, it contains the full user name. GECOS means
General Electric Comprehensive Operating System, which has been renamed to GCOS when GE's large systems division was sold
to Honeywell. Dennis Ritchie has reported: "Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos
field in the password file was a place to stash the information for the $IDENTcard. Not elegant."
directory the user's $HOME directory.
shell the program to run at login (if empty, use /bin/sh). If set to a non-existing executable, the user will be unable to
log in through login(1).
NOTE
If you want to create user groups, their GIDs must be equal and there must be an entry in /etc/group, or no group will exist.
If the encrypted password is set to a star, the user will be unable to log in using login(1), but may still log in using rlogin(1), run
existing processes and initiate new ones through rsh(1), cron(1), at(1), or mail filters, etc. Trying to lock an account by simply
changing the shell field yields the same result and additionally allows the use of su(1).
FILES
/etc/passwd
SEE ALSO
passwd(1), login(1), su(1), group(5), shadow(5)
1998-01-05 PASSWD(5)