Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
My case is about Solaris 10, but this should be the same for all *nix based OS.
I received a proposition to revoke root password from support teams. Can somebody let me know a list of tasks for which, logging-in using the root password is absolutely necessary.
A few examples I can think of
1. Logging into systems from Consoles when /var is at 100%.
2. Taking the system into Single user mode.
I know most of the tasks can be performed by Sudo. I want to know the tasks which can't be performed using sudo.
Actually... every one of those rules are determined by the PAM (Programmable Authentication Modules) facility within Linux.
See: man pam
Hi sundialsvcs,
Thanks for the suggestion and I am not talking about going around this restriction. I just want to know, in a off the shelf configuration Solaris 10, what are tasks which can't be performed if you can get root privilege using sudo and your password BUT do not know the root password.
I know two, logging into the system from serial console when /var is at 100% and going to Single user mode.
Do you know any other tasks when the user will absolutely need the root password.
Mainly anything can be done with sudo. But in case of any ploblem you would try to troubleshoot with direct root access. I have already seen some programs which tried to identify the user as the owner of the terminal (and in case of sudo it is not the root).
Mainly anything can be done with sudo. But in case of any ploblem you would try to troubleshoot with direct root access. I have already seen some programs which tried to identify the user as the owner of the terminal (and in case of sudo it is not the root).
Thanks pan64, I see where you are coming from. Can you give me one example of such an application/program.
Unfortunately I can't recall it, but I have an example, what I'm talking about.
This is a part of a perl script:
Code:
$iam = (getlogin || getpwuid($<))[0] || &Splat("Error: Unable to determine who you are.\n");
chomp($iam);
....
chomp($ami = `/usr/ucb/whoami`);
if ($iam ne $ami) {
&Splat("Error: You are logged in as $ami not $iam\n");
}
So based on how did you logged on (telnet, ssh, su, sudo, ....), this code may fail. perl uses the standard C functions, and as it is described here: http://fclose.com/p/linux/man/3p-getlogin/ getlogin function shall return ... the user name associated by the login activity with the controlling terminal of the current process - and not the current user.
Some tools check if they were started as root and sometimes they fail because of this behavior.
If you are (foolishly...) in the group that can issue sudo, and if (insanely...) the su command is one that is allowed, then of course you "are root" even if you do not know the login password to the so-named user. Only a security prompt that required you to enter the value of that password would be an obstacle ... and of course, you could merely use your rootly powers to fiddle with the password files.
It is possible, however, to set up a system to use (say...) LDAP authentication for various things, such that the login event and not any subsequent sudo tomfoolery is "the guiding determination," and an external (LDAP) server is the one that ultimately must be persuaded with regard to your prerogatives.
But it does bear repeating: sudo, if you permit it at all, must not permit the su command to be issued using it!
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789
Rep:
Quote:
Originally Posted by smrutimandal
My case is about Solaris 10, but this should be the same for all *nix based OS.
It is actually not the same.
Solaris 10 implements RBAC which allows configuring root as a role and no more as a user. That means direct logins as root are not allowed anymore.
Quote:
I received a proposition to revoke root password from support teams. Can somebody let me know a list of tasks for which, logging-in using the root password is absolutely necessary.
There should be no such tasks on Solaris 10 (outside login in single user mode). This limitation was fixed with Solaris 11.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
