Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Best practices for sugroups for root ? backdoor user access ?
Operating Systems AIX Best practices for sugroups for root ? backdoor user access ? Post 303021725 by MichaelFelt on Wednesday 15th of August 2018 01:28:08 PM
Old 08-15-2018
Actually, another process would be to use what is know as a dual password account.

I'll over simplify for now.

a) have a privileged account - i.e., let's say to suroot. This account is either added to sudoers, or setup using RBAC to be more powerful. "Audit" is also setup to monitor this accounts activity.

b) have two "key accounts", each of these have it's own password - which could be shared or coming from the vault. Each of these account has /bin/false as shell.

c) when access to "suroot" is needed TWO people (one from a "group" or vault access to key-1 password, and another with access to key-2 password)
* start by entering "suroot" as username at login (e.g., console) prompt. System will prompt for password from key-1; then system will prompt for password of account key-2 - and the login will complete with "suroot" the active user.

Note: if key-1 or key-2 try to login it will always "fail" because the shell is /bin/false (even root cannot "su" to that userid).

Hope this helps.
 

10 More Discussions You Might Find Interesting

1. HP-UX

user commands without root access

Hi I have been asked to find out how to 1) create users 2) reset passwords 3) kill processes that may require root privileges without having root password, sudo rights or rights to passwd command Any ideas? Thanks in advance (1 Reply)
Discussion started by: emealogistics
1 Replies

2. Solaris

I can not access root user through LAN

Dear i have installed Solaris 10 on SUN V240 after installation i can not access system through root user if i access system through any other user it conects but root is not connecting through LAN if i connect through SC and then access root though cosole -f command it also works kindly... (6 Replies)
Discussion started by: rizwan225
6 Replies

3. Shell Programming and Scripting

access user history as root

Hi, I need to access a user's command history. However, the dilemma is that he is logged in and so his current history is not yet flushed to .bash_history file which gets flushed when he logs out. Is there a way I can still access his most recent history? thank you, S (4 Replies)
Discussion started by: sardare
4 Replies

4. UNIX for Dummies Questions & Answers

How to allow access to some commands having root privleges to be run bu non root user

hi i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies

5. Shell Programming and Scripting

Urgent Help...Pseudo-Device provides a Backdoor Entry to root.

Can Anybody help to create a pseudo-device and write a device driver for it. The pseudo-device provides a “backdoor” for gaining root access for a particular user. Instead of compiling the device driver into the kernel. Modules are object binaries that can be dynamically loaded into the kernel. ... (1 Reply)
Discussion started by: nyjilgeorge1
1 Replies

6. Homework & Coursework Questions

The pseudo-device provides a “backdoor” for gaining root access for a particular user.

Problem statement. In this part of the assignment, delegates will create a pseudo-device and write a device driver for it. The pseudo-device provides a “backdoor” for gaining root access for a particular user. Instead of compiling the device driver into the kernel, delegate will create a module.... (1 Reply)
Discussion started by: nyjilgeorge1
1 Replies

7. Cybersecurity

Linux Universal Packet/Ham Radio Backdoor - root!

Tails (LiveCD) is crap, and I'm being nice here. Bloated, contains HAMRADIO and PACKET RADIO modules which no one in their right mind would use on a distro aimed at Tor use, I don't even believe 1% of Linux users use them, yet they're generated right there in the directories. Google about ham radio... (0 Replies)
Discussion started by: chipinmybrain
0 Replies

8. Shell Programming and Scripting

How to give root access to non root user?

Currently in my system Red Hat is installed. And Many user connect to my machine via SSH Techia Terminal. I want to give some users a root level access. Can anyone please help me how to make it possible. I too searched on the Google but didn't find the correct way Regards ADI (4 Replies)
Discussion started by: adisky123
4 Replies

9. Solaris

Sudo access of rm to non-root user

Hello, It is Solaris-10. There is a file as /opt/vpp/dom1.2/pdd/today_23. It is always generated by root, so owned by root only. This file has to be deleted as part of application restart always and that is done by app_user and SA is always involved to do rm on that file. Is it possible to give... (9 Replies)
Discussion started by: solaris_1977
9 Replies

10. UNIX for Advanced & Expert Users

Non root user access to /dev/mem

Hi All, I have to install an application which needs access to system BIOS information. The application needs to be installed by non root user. How would i grant read privileges of /dev/mem file to the non root user so that it can capture system BIOS information while running the application?... (13 Replies)
Discussion started by: Soumyadip Dutta
13 Replies

LEARN ABOUT MOJAVE

mnthome

mnthome(1)						    BSD General Commands Manual 						mnthome(1)

NAME

     mnthome -- mount an AFP (AppleShare) home directory with the correct privileges

SYNOPSIS

     mnthome [-v] [-d] [-m mntpath] [-n] [-b] [-p password] [-i] [-x mount point] [-u] [-s]

DESCRIPTION

     The mnthome command unmounts the AFP (AppleShare) home directory that was automounted as guest, and remounts it with the correct privileges
     by logging into the AFP server using the current username and password.  This command also allows you to have guest access turned off on your
     AFP server too and still have AFP home directories work with "su".

     When you ssh into another computer using an account that has an AFP home directory or you "su <netuser>" where <netuser> is an AFP home
     directory user, then the resulting home directory will not have the correct access privileges.

     This is because automount is assuming NFS behavior which assumes that all computers share the same user/group privileges and mounts volumes
     using "no security" and lets the client enforce privileges based on the current user.

     AFP is different since the privileges are based on the user that logged into the server.  Since automount does not put up an authentication
     dialog asking for an user name and password, automount mounts the fileserver using guest login.  Thus you end up with getting the world
     access privileges and the privileges are shown via "mapping".  You also would have to allow guest access to the server to that sharepoint.

     Mapping makes all the files/folders appear like they are owned by the current user.  Even those items not really owned by the current user
     show up as being owned by the current user.  The server provides user access rights (UARights) which is a summary of what the access rights
     are regardless of the category (owner, group, world) from which they were obtained.  When doing "mapping", the AppleShare client will take
     these UARights and show them as the owner rights.	So, everything looks like it is owned by the current user and the owner rights are set to
     the UARights.  Thus if you had access to that file/folder before, then you still do.

     The options are:

     -v      Display version number.

     -d      Print debugging information.

     -m      Alternative mount point is specified with the -m option followed by a path to an existing directory.  Normally, the volume is mounted
	     in /Network/Servers/ or /var/automount/Network/Servers/.

     -n      Do not force the unmount of the previous mount point.

     -b      Exec the user's shell after mount of home.

     -p      A password may be specified with the -p option followed by a password.  If this option is not used, then the user will be prompted to
	     enter in a password.

     -i      Display information about the AFP home mount point.

     -u      Attempt to unmount the current home directory mount.

     -x      This option must be followed by a path to an existing AFP mount point.  Display information about the mount point.

     -s      Skip preflight check to see if the currently mounted home directory is already correctly mounted for the user.

EXAMPLES

     The following example illustrates how to mount an AFP home directory:

	   mnthome

     This example shows how to print the debugging information and provide a password:

	   mnthome -d -p foobar

SEE ALSO

     mount(2), unmount(2), mount(8) mount_afp(8)

BUGS

     I get the mounting url from the "home_loc" attribute and the mountpath from the "home" attribute (with the path from home_loc subtracted
     out).  If your AFP home directory automounts in a different location, then you need to use the -m option to specify an alternative mount
     point.

     I cant figure out how to cd out of the current home dir so I can do the unmount and then restore the user back into the new home dir.  If you
     are in the AFP home directory when you use mnthome, you automatically get put back into that same directory when mnthome leaves.  If mnthome
     works, then your current directory is a dead directory and you need to "cd ~" to get to your new home directory.

     If the server with the home directory was already mounted by another user, you will not be able to replace it with a mount made by your user
     id.  The original mount must be first unmounted by the mounting user or root.

HISTORY

     The mnthome command first appeared Mac OS X version 10.3.

RETURN VALUES

     0			mnthome successfully remounted the AFP home directory.

     [EINVAL]		Invalid arguements were passed in.

     [EPERM]		The current AFP home directory could not be unmounted by mnthome because the current user does not have the correct
			access.  The current AFP home directory was probably mounted by another user first.

     [EAUTH]		Incorrect password.

Mac OS X							  August 4, 2004							  Mac OS X
All times are GMT -4. The time now is 05:38 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy