Unix administration - history


Author history
Régine DESSOUBRET

2004-02-15, 6:34 am

Hello,
I work on Solaris and on these hosts everybody is root. So when you
use the history to call back your commands, sometimes you have commands of
other people, with the problem that you can do great damage if, for example,
somebody deletes his files in his own directory and that you send the same
command on /.

I have done it on HP-UX hosts before but it was long ago.
It must be easy because on our hosts, nobody becomes root at the first
connection; you must su to become root from your ordinary user.

Thanks for the help.

GR.



--
grdessoub@noos.fr


Jeff Schwab

2004-02-15, 7:34 am

Régine DESSOUBRET wrote:
> Hello,
> I work on Solaris and on these hosts everybody is root. So when you
> use the history to call back your commands, sometimes you have commands of
> other people, with the problem that you can do great damage if, for example,
> somebody deletes his files in his own directory and that you send the same
> command on /.
>
> I have done it on HP-UX hosts before but it was long ago.
> It must be easy because on our hosts, nobody becomes root at the first
> connection; you must su to become root from your ordinary user.


Ah... Was there a question in there? What are you trying to do?

Anyway, the "everybody's root" policy sounds a little like saying "Let's
all go hunting at the same spot in the woods; nobody bother wearing that
bright orange stuff." Try sudo, or one of these:

http://www.courtesan.com/sudo/other.html

Dave Hinz

2004-02-15, 7:34 am

On Sun, 15 Feb 2004 21:06:27 +0100, Régine DESSOUBRET <grdessoub@noos.fr> wrote:
> Hello,
> I work on Solaris and on these hosts everybody is root.


That's horribly insecure, as I'm sure you know. No accountability for
who has done what; just asking for trouble.

> So when you
> use the history to call back your commands, sometimes you have commands of
> other people, with the problem that you can do great damage if, for example,
> somebody deletes his files in his own directory and that you send the same
> command on /.


Yes. You should consider installing "sudo", which will allow you to
define specifically what each person is allowed to run as root. You
can then see the logs to see what each of them has done and when, in
case one of these situations comes up.

> I have done it on HP-UX hosts before but it was long ago.
> It must be easy because on our hosts, nobody becomes root at the first
> connection; you must su to become root from your ordinary user.


Well, at least that much of it is set up well (no remote root logins),
but sudo will give you the control and accountability that is needed.
It also has the benefit that you don't have to distribute the root
password to anyone.

Dave Hinz

Rodrick Brown

2004-02-16, 12:33 am

You should really stay away from 3rd party applications if possible. sudo is
very easy to set up but Solaris has a much more powerful utility called RBAC
"role based access control" which is integrated into the Solaris system and
it gives administrators a more flexible approach to granting users who
need root-like access. man rbac for more info.

One reason I recommend avoiding 3rd party tools is because 1) sudo is setuid
and any bugs or exploits in sudo can go unnoticed because it's not part of
the Sun Solaris patch clusters which keep your system up to date and often
goes overlooked.

Just a tip.

- RB

"Dave Hinz" <davehinz@spamcop.net> wrote in message
news:c0omch$197usl$1@ID-134476.news.uni-berlin.de...
> On Sun, 15 Feb 2004 21:06:27 +0100, Régine DESSOUBRET <grdessoub@noos.fr> wrote:
>
> That's horribly insecure, as I'm sure you know. No accountability for
> who has done what; just asking for trouble.
>
>
> Yes. You should consider installing "sudo", which will allow you to
> define specifically what each person is allowed to run as root. You
> can then see the logs to see what each of them has done and when, in
> case one of these situations comes up.
>
>
> Well, at least that much of it is set up well (no remote root logins),
> but sudo will give you the control and accountability that is needed.
> It also has the benefit that you don't have to distribute the root
> password to anyone.
>
> Dave Hinz
>



bishop@speakeasy.net

2004-02-17, 8:34 am

Rodrick Brown <rbrown@[remove]doitt.nyc.gov> wrote:
> You should really stay away from 3rd party applications if possible.


Dubious advice, IMO.

> sudo is very easy to set up


... and is in wide use on many systems, not just Solaris.

> but Solaris has a much more powerful utility called RBAC


Not only on Solaris; but yes, Solaris does implement it.

> One reason I recommend avoiding 3rd party tools is because 1) sudo is setuid
> and any bugs or exploits in sudo can go unnoticed because it's not part of
> the Sun Solaris patch clusters which keep your system up to date and often
> goes overlooked.


Part of one's job as a Unix admin is maintaining all of the
applications on one's system, not just the OS. Your OS cannot do
everything, and sometimes third-party tools can do things better.

RBAC is appropriate for larger organizations with a central authority
handling computer access permissions. However, its logging capabilities
are not as robust as sudo, and it is more difficult to configure, with
less versatility when it comes to being able to delegate the use of
specific commands.

Sudo is more appropriate for small organizations, or ones where
administrative rights are locally or individually controlled. It can be
easily configured and set up without Sun's GUI, and has been around long
enough to be considered reasonably secure even without being integrated
into the OS the way RBAC is.

Remember: Pick the right tool for the job. In some environments that
will be sudo, in some it will be RBAC.

But I do agree that handing out the root password to a group of people
is the wrong answer!

-Ed

Stephen Hooper

2004-02-17, 1:33 pm

On Sun, 15 Feb 2004 21:06:27 +0100, Régine DESSOUBRET wrote:

> Hello,
> I work on Solaris and on these hosts everybody is root. So when you
> use the history to call back your commands, sometimes you have commands of
> other people, with the problem that you can do great damage if, for example,
> somebody deletes his files in his own directory and that you send the same
> command on /.
>


If what you are looking for is to stop the shell from keeping a history file,
then you could try putting one of the following in the root .profile or
.cshrc:

bash (keeps history, but not between sessions):
HISTFILE=""

POSIX shells: (doesn't keep any history at all)
HISTSIZE=0

C shells (keeps history, but not between sessions):
set savehist=0

I think one of those should be near to what you are looking for. As far
as I know the default root shell that comes with Solaris has no history
feature.

Also, I am not too sure about the C shell, as I don't use it very often.

Also, I would echo the sentiments of others who have told you to
try and use sudo, or something equivalent. It is silly to give everyone
root.

If that isn't helpful... sorry. As others have stated there is really no
question in your post, which makes it hard to understand what it is
regarding.
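
Added example, not part of any post in this thread: instead of disabling history, root's .profile can give each administrator a separate history file keyed on the login name used before `su`. It assumes root's shell is bash or ksh and that `logname` still reports the original login; the function names and the `.history_<name>` file naming are hypothetical.

```shell
# Added example: fragment for root's .profile (bash or ksh).
# Assumption: admins log in as themselves and then run `su`, as described
# in the thread, so logname(1) still reports the original login name.

# Print the history file path for a login name. Fail (print nothing) if
# the name is empty, starts with a dot, or contains characters that are
# unsafe in a file name (for instance "/" or "..").
per_user_histfile() {
    name=$1
    dir=${2:-$HOME}
    case $name in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf '%s/.history_%s\n' "$dir" "$name"
}

# Point HISTFILE at the invoker's own file. If the invoker cannot be
# determined, fall back to HISTFILE="" (no history saved between
# sessions), the bash setting suggested in the post above.
setup_root_history() {
    invoker=$(logname 2>/dev/null) || invoker=
    if HISTFILE=$(per_user_histfile "$invoker" "$HOME"); then
        # Create the file with private permissions before first use.
        ( umask 077; : >> "$HISTFILE" ) 2>/dev/null
    else
        HISTFILE=""
    fi
    export HISTFILE
}

setup_root_history
```

With this in place, recalling a command as root only brings back commands typed by the same login, which removes the accident described in the original question without losing history entirely.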

Dave Hinz

2004-02-23, 11:33 pm

On Mon, 16 Feb 2004 13:34:53 GMT, Rodrick Brown <rbrown@[> wrote:
> You should really stay away from 3rd party applications if possible. sudo is
> very easy to set up but Solaris has a much more powerful utility called RBAC
> "role based access control" which is integrated into the Solaris system and
> it gives administrators a more flexible approach to granting users who
> need root-like access. man rbac for more info.


OK, but it's only for Solaris, right? Limits portability, which in a
multi-platform shop is a severe disadvantage for a tool.

> One reason I recommend avoiding 3rd party tools is because


Awfully broad brush you're painting tools with, assuming all third-party
tools are equal...

> 1) sudo is setuid
> and any bugs or exploits in sudo can go unnoticed because it's not part of
> the Sun Solaris patch clusters which keep your system up to date and often
> goes overlooked.


Only if you're in the habit of ignoring security updates for all of your
system, not just what came on the installation CD, I suppose.

Dave Hinz

shoe

2004-02-24, 2:34 am

A list of things to do:

1) Get management buy-in on restricting root access (or find a new job.)
2) Back up everything.
3) Reload the O/S - you don't know what you've got now. Anybody could
have made an unintentional mistake and you could be on the path to
destruction!
a) An easier way to do this is to purchase another boot disk and load
the new O/S on the new disk after pulling the current disk out.
b) This will allow you to put the old O/S disk back in, mount it and
look at it, as even the best SA is going to miss something in this
situation.
4) Use sudo and groups to allow access so people can accomplish their
jobs. You will also need to start some user training on the safe
way to use Unix.

Also sudo has been around for a long time. I have used it without any
issues. Just make sure you apply upgrades when they become available.
As for Sun's product being better: well, if Sun (or any vendor, third
party, Open Source, etc.) has software that never needs patching, get
that instead.

Rodrick Brown wrote:

> You should really stay away from 3rd party applications if possible. sudo is
> very easy to set up but Solaris has a much more powerful utility called RBAC
> "role based access control" which is integrated into the Solaris system and
> it gives administrators a more flexible approach to granting users who
> need root-like access. man rbac for more info.
>
> One reason I recommend avoiding 3rd party tools is because 1) sudo is setuid
> and any bugs or exploits in sudo can go unnoticed because it's not part of
> the Sun Solaris patch clusters which keep your system up to date and often
> goes overlooked.
>
> Just a tip.
>
> - RB

