LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 04-03-2012, 08:00 AM   #1
smrutimandal
LQ Newbie
 
Registered: Nov 2007
Posts: 8

Rep: Reputation: 0
Things that can't be done without root password


Hi,

My case is about Solaris 10, but this should be the same for all *nix based OS.

I received a proposition to revoke root password from support teams. Can somebody let me know a list of tasks for which, logging-in using the root password is absolutely necessary.

A few examples I can think of

1. Logging into systems from Consoles when /var is at 100%.

2. Taking the system into Single user mode.

I know most of the tasks can be performed by Sudo. I want to know the tasks which can't be performed using sudo.

Thanks in advance.
 
Old 04-03-2012, 08:31 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166
Actually... every one of those rules are determined by the PAM (Programmable Authentication Modules) facility within Linux.

See: man pam
 
Old 04-03-2012, 10:03 AM   #3
smrutimandal
LQ Newbie
 
Registered: Nov 2007
Posts: 8

Original Poster
Rep: Reputation: 0
Off the shelf configuration

Quote:
Originally Posted by sundialsvcs View Post
Actually... every one of those rules are determined by the PAM (Programmable Authentication Modules) facility within Linux.

See: man pam
Hi sundialsvcs,

Thanks for the suggestion and I am not talking about going around this restriction. I just want to know, in a off the shelf configuration Solaris 10, what are tasks which can't be performed if you can get root privilege using sudo and your password BUT do not know the root password.

I know two, logging into the system from serial console when /var is at 100% and going to Single user mode.

Do you know any other tasks when the user will absolutely need the root password.

Thanks.
 
Old 04-05-2012, 08:54 AM   #4
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 11,026

Rep: Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278
Mainly anything can be done with sudo. But in case of any ploblem you would try to troubleshoot with direct root access. I have already seen some programs which tried to identify the user as the owner of the terminal (and in case of sudo it is not the root).
 
Old 04-06-2012, 02:30 AM   #5
smrutimandal
LQ Newbie
 
Registered: Nov 2007
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by pan64 View Post
Mainly anything can be done with sudo. But in case of any ploblem you would try to troubleshoot with direct root access. I have already seen some programs which tried to identify the user as the owner of the terminal (and in case of sudo it is not the root).
Thanks pan64, I see where you are coming from. Can you give me one example of such an application/program.
 
Old 04-06-2012, 03:38 AM   #6
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 11,026

Rep: Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278Reputation: 3278
Unfortunately I can't recall it, but I have an example, what I'm talking about.
This is a part of a perl script:

Code:
    $iam = (getlogin || getpwuid($<))[0] || &Splat("Error: Unable to determine who you are.\n");
    chomp($iam);
....
    chomp($ami = `/usr/ucb/whoami`);

    if ($iam ne $ami) {
         &Splat("Error: You are logged in as $ami not $iam\n");
    }
(Splat drops an error message and quits). See http://perldoc.perl.org/functions/getpwuid.html and http://perldoc.perl.org/functions/getlogin.html for explanation.

So based on how did you logged on (telnet, ssh, su, sudo, ....), this code may fail. perl uses the standard C functions, and as it is described here: http://fclose.com/p/linux/man/3p-getlogin/ getlogin function shall return ... the user name associated by the login activity with the controlling terminal of the current process - and not the current user.

Some tools check if they were started as root and sometimes they fail because of this behavior.
 
Old 04-09-2012, 09:26 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166Reputation: 3166
If you are (foolishly...) in the group that can issue sudo, and if (insanely...) the su command is one that is allowed, then of course you "are root" even if you do not know the login password to the so-named user. Only a security prompt that required you to enter the value of that password would be an obstacle ... and of course, you could merely use your rootly powers to fiddle with the password files.

It is possible, however, to set up a system to use (say...) LDAP authentication for various things, such that the login event and not any subsequent sudo tomfoolery is "the guiding determination," and an external (LDAP) server is the one that ultimately must be persuaded with regard to your prerogatives.

But it does bear repeating: sudo, if you permit it at all, must not permit the su command to be issued using it!
 
Old 04-12-2012, 06:02 PM   #8
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.3, Oracle Linux, Mint, Tribblix
Posts: 9,746

Rep: Reputation: 456Reputation: 456Reputation: 456Reputation: 456Reputation: 456
Quote:
Originally Posted by smrutimandal View Post
My case is about Solaris 10, but this should be the same for all *nix based OS.
It is actually not the same.
Solaris 10 implements RBAC which allows configuring root as a role and no more as a user. That means direct logins as root are not allowed anymore.
Quote:
I received a proposition to revoke root password from support teams. Can somebody let me know a list of tasks for which, logging-in using the root password is absolutely necessary.
There should be no such tasks on Solaris 10 (outside login in single user mode). This limitation was fixed with Solaris 11.

Last edited by jlliagre; 04-12-2012 at 06:07 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Things that can't be done without root password smrutimandal Solaris / OpenSolaris 1 04-03-2012 08:02 AM
GNOME: Gain privileges using current user's password instead of root's password maxkukartsev Fedora 5 02-10-2012 09:46 AM
[SOLVED] In Ubuntu, can I turn off having to enter my password for some things. Advice Pro Linux - Newbie 2 02-16-2011 01:01 PM
/usr/bin/mysqladmin -u root -h yourhostname.yourdomain.com password 'new-password'? adred Linux - Server 2 03-14-2010 05:24 AM
How could normal user obtain root password or change root password ckamheng Debian 18 02-18-2009 10:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 01:42 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration