LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices

Reply
 
Search this Thread
Old 07-25-2008, 09:30 PM   #16
ghostdog74
Senior Member
 
Registered: Aug 2006
Posts: 2,695
Blog Entries: 5

Rep: Reputation: 241Reputation: 241Reputation: 241

Use the UID to test for root as Mr.C has stated. Any user with UID of 0 has superuser privilege, regardless of username.
You might also want to use some passwd checking utility to check for users that have their UIDs set to 0 besides root. (or write a script to parse /etc/passwd).
 
Old 07-25-2008, 10:50 PM   #17
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,935
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
Quote:
Originally Posted by ghostdog74 View Post
Use the UID to test for root as Mr.C has stated. Any user with UID of 0 has superuser privilege, regardless of username.
You might also want to use some passwd checking utility to check for users that have their UIDs set to 0 besides root. (or write a script to parse /etc/passwd).
I did something similar to this when I was at my last job...

Code:
#!/bin/bash
maxcount=1
currcount=$(awk -F':' '{print $3}' /etc/passwd | grep '^0' | wc -l)
#
if [ ${currcount} -gt ${maxcount} ]; then
  echo "MORE THAN ONE USER WITH UID OF 0" | mailx -s "SECURITY: ERROR" name@email.com
fi
There is probably a better way...but this is how I do it...

-C

Last edited by custangro; 07-25-2008 at 10:58 PM.
 
Old 07-26-2008, 07:07 AM   #18
Vit77
Member
 
Registered: Jun 2008
Location: Toronto, Canada
Distribution: Mandriva, RHEL, Mageia, SuSE
Posts: 130

Rep: Reputation: 17
Quote:
Originally Posted by ghostdog74 View Post
Any user with UID of 0 has superuser privilege, regardless of username.
The clearest point of all this discussion. I was agree with that initially.

Quote:
Originally Posted by Mr. C. View Post
I said "convenience accounts"
Mr.C., I haven't still caught the convenience explanation. Or does it mean just switching between sh and csh by user name?

My estimates were built on my 9+ *Nix experience (not BSD, I've never used it). Thus, I know just one admin who renames root accounts, as he says, by force of habit (17years of nix experience, the age of R-commands...). Another one used it before, but gave up. But all others have never used renaming at all. That was the point of my statement. I didn't mean two or more uid=0 - accounts there.

What about "not for this case", I bet this code will work on the Suvra's box. User toor is in doubt in this situation, so checking for uid could allow hacker with uid=0 to perform the operation. It'd probably be stronger to check for both uid and username. Looks funny?
If a system is compromised, such ways don't work at all.
BTW, I remember that you said nothing about security...

And finally, Mr.C, sometimes you're trying to assure me of things I'm assured myself. So, let me express clearly my position.

I'm absolutely agree that uid=0 is more portable.
I'm agree that users should learn about UID/GID.
However, I'm afraid, Suvra has less than 25 nix experience, and he doesn't run some production server. So, I tried to make it easier, partially at the expense of some features which could never been used.
I'm agree about sometimes working code. Code should work stable in normal predefined conditions. However, there is no bug-free code in the world. Each program will fail in certain circumstances. Nevertheless, I agree that we should try to make it better.

I hope, it'll make the debates more constructive.
 
Old 07-26-2008, 07:17 AM   #19
Vit77
Member
 
Registered: Jun 2008
Location: Toronto, Canada
Distribution: Mandriva, RHEL, Mageia, SuSE
Posts: 130

Rep: Reputation: 17
Quote:
Originally Posted by custangro View Post
...And in the case of oracle I STILL wouldn't use the login name...I would do something similar to...
Code:
#!/bin/bash
#
oracleuser=oracle
oracleid=$(id -u oracle)
#
if [ $(id -u) -ne ${oracleid} ]; then
  echo "You are not the oracle user..."
  exit
fi
In case of normal functioning, it looks like if Var1 is true then Var2 = true... So, checking the account by its name would work not worse.
If there is something wrong in a system, however, such script could make the situation even worse...

You assented about "Code that just sometimes works by design"? And made Four mistakes in 6 lines...
#1 You don't use defined variable oracleuser. Well, it's a slip.
Then, how do you think the script will behave if there are:
#2 No oracle accounts?
#3 Several Oracle accounts?
#4 Several users with oracle's uid?
Absolutely good code is not exist. Even if you correct these, some other will appear...

Quote:
Originally Posted by custangro View Post
I've run across installations of oracle where the user name was something weird like ora
I've used Oracle from the version of 7 (with SCO), and I've never seen installations with non-'oracle' OS user... May be it was DB User? Or not *nix?

PS In the post #17, it'd be easier to get currcount this way:
awk -F':' '$3 == 0 {cnt++} END {print cnt}' /etc/passwd
 
Old 07-26-2008, 07:31 AM   #20
ghostdog74
Senior Member
 
Registered: Aug 2006
Posts: 2,695
Blog Entries: 5

Rep: Reputation: 241Reputation: 241Reputation: 241
Quote:
Originally Posted by Vit77 View Post
awk -F':' '$3 == 0 {cnt++} END {print cnt}' /etc/passwd
it needs to be emailed, OP's requirement
Code:
awk -F':' '$3 == 0 {cnt++} END {if(cnt>1) { cmd="mail ..."; system(cmd) }}' /etc/passwd
 
Old 07-26-2008, 10:56 AM   #21
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,935
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
Quote:
Originally Posted by Vit77 View Post
In case of normal functioning, it looks like if Var1 is true then Var2 = true... So, checking the account by its name would work not worse.
If there is something wrong in a system, however, such script could make the situation even worse...

You assented about "Code that just sometimes works by design"? And made Four mistakes in 6 lines...
#1 You don't use defined variable oracleuser. Well, it's a slip.
Then, how do you think the script will behave if there are:
#2 No oracle accounts?
#3 Several Oracle accounts?
#4 Several users with oracle's uid?
Absolutely good code is not exist. Even if you correct these, some other will appear...


I've used Oracle from the version of 7 (with SCO), and I've never seen installations with non-'oracle' OS user... May be it was DB User? Or not *nix?

PS In the post #17, it'd be easier to get currcount this way:
awk -F':' '$3 == 0 {cnt++} END {print cnt}' /etc/passwd
...So you are critiquing my "sample" code while your sample code looks like this?

Quote:
Originally Posted by Vit77
if [ "$LOGNAME" != "root" ]
then
echo You are not root user!
exit 1
fi

go on here...
Wow you are petty...


PS I never had good luck using a bang (!) in an echo...you may want to put it in quotes...(see I can be pathetic too...)

-C

Last edited by custangro; 07-26-2008 at 11:15 AM.
 
Old 07-26-2008, 11:40 AM   #22
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
I think its time for this thread to rest.
 
Old 07-26-2008, 12:00 PM   #23
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,935
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
Quote:
Originally Posted by Mr. C. View Post
I think its time for this thread to rest.
Unsubscribing

-C
 
Old 07-26-2008, 02:02 PM   #24
Vit77
Member
 
Registered: Jun 2008
Location: Toronto, Canada
Distribution: Mandriva, RHEL, Mageia, SuSE
Posts: 130

Rep: Reputation: 17
Quote:
Originally Posted by custangro View Post
...So you are critiquing my "sample" code while your sample code looks like this?
Unfortunately, nothing constructive again...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Permission Issue With Shell Script and .Jar File timmit Slackware 3 06-02-2008 07:33 AM
Shell Script Exporting Issue trek413 Linux - Software 1 11-01-2006 04:18 PM
ftp'ing via shell script issue closet geek Programming 6 09-20-2006 09:11 AM
issue with shell script chupacabra Linux - General 3 10-18-2002 08:12 PM
Out of guesses! (shell Script issue) chris Linux - General 2 12-10-2001 04:20 PM


All times are GMT -5. The time now is 11:07 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration