root user specific commands - Linux / Unix Administration

  1. #1

    root user specific commands

    In Unix, many of the commands are specific to the ROOT (admin) user,
    for example "useradd", let's say.

    Even though the permissions for others can be changed (using chmod) so
    that this particular command can be executed by other users, you would
    not be able to successfully execute the command.

    Ex:

    [deepaknis_server deepak]$ ls -l /usr/sbin/useradd
    -rwxr-xr-x 1 root root 52168 Mar 28 2002 /usr/sbin/useradd
    [deepaknis_server deepak]$ useradd hello
    useradd: unable to lock password file

    Can you perform a single-step operation (from the admin user login)
    such that these commands (let's start with useradd) can be
    successfully executed by any other user?

    v4vijayakumar@yahoo.com Guest

  2. #2

    Re: root user specific commands

    On 11 Apr 2006 05:12:14 -0700, com <com> wrote:
     

    Why would you want to do such a thing? Is this a hypothetical and/or
    homework question, or are you trying to actually do something specific?
    Because if the latter, what's your actual goal so we can help you find
    the right way to do it. Letting Joe User create user accounts isn't
    it.

    Dave Guest

  3. #3

    Re: root user specific commands

    The answer lies in the concept of setuid (set user id). This shall give
    any normal user privileged access to the specified admin-related
    commands.

    As you must all be aware, for any file the following is the
    permission set:

    -rwxr-xr-x

    The positions of these bits represent the following:

    1st bit : Device (Character, Block, Network, directory or plain file)

    Next 3 bits : Read Write Execute for User and then the next 3 for Group
    and then for Others.

    Apart from these, there are a few other notations which are possible:

    4th Bit : "s" - This represents the UID bit.

    7th Bit : "S" - This represents the GID bit.

    10th Bit : "t" - Sticky bit

    How do you set these?

    Using the chmod command:

    chmod X777 <filename>

    In the case of X, we have to give: 4 - UID, 2 - GID, 1 - Sticky bit

    Now an update on the setUID bit:

    Setuid on executables
    When a binary executable file owned by root has been given the setuid
    attribute, normal users on the system can execute this file and gain
    root privileges within the created process. When root privileges have
    been gained within the process, the application can then perform tasks
    on the system that regular users normally would be restricted from
    doing.

    While the setuid feature is very useful in many cases, it can however
    pose a security risk if the setuid attribute is assigned to executable
    programs that are not carefully designed. Users can exploit
    vulnerabilities in flawed programs to gain permanent elevated
    privileges, or unintentionally execute a trojan horse program.

    prasanna.giga@gmail.com Guest
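
Added example, not part of the thread: a defender's check for the setuid/setgid bits discussed in post #3. It lists files carrying those bits under a directory and reports any that are missing from an approved baseline; GNU find is assumed, and the function names and the one-path-per-line baseline format are this example's own.

```shell
#!/bin/sh
# Audit set-user-ID (4000) and set-group-ID (2000) files under a directory.
# Assumes GNU findutils (-printf). Function names are hypothetical.

# list_special_bits DIR
# Prints "<octal mode> <owner> <path>" for each regular file under DIR with
# the setuid or setgid bit set. -xdev keeps the walk on one filesystem.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null
}

# unexpected_setuid DIR BASELINE
# Prints every setuid/setgid path under DIR that is NOT listed in BASELINE
# (a text file with one approved absolute path per line).
unexpected_setuid() {
    cur=$(mktemp) && base=$(mktemp) || return 1
    # Drop the mode and owner columns; the rest of the line is the path,
    # so paths containing spaces survive intact.
    list_special_bits "$1" | sed 's/^[^ ]* [^ ]* //' | sort > "$cur"
    sort "$2" > "$base"
    # comm -13: lines only in the second file, i.e. found but not approved.
    comm -13 "$base" "$cur"
    rm -f "$cur" "$base"
}

# Stand-alone use: ./audit.sh /usr /path/to/approved-setuid.txt
if [ "$#" -eq 2 ]; then
    unexpected_setuid "$1" "$2"
fi
```

Run it from cron against a baseline recorded at install time; any output means a file gained a special bit since then and should be reviewed.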

  4. #4

    Re: root user specific commands

    com wrote: 

    Conceptually - Before you get told how to do it you need to
    be qualified to do it. Once you can explain why you're setting
    yourself up for trouble, what kind of trouble you'll be getting
    yourself into, and how to handle those troubles, then you will
    be qualified to actually use the answer.

    It's a chicken-and-egg issue. You need to know why it's a
    bad idea before you should know how to do it. If all I did was
    tell you the names of the commands you could use, it would
    be like pulling the pin on a hand grenade and handing it to
    you.

    So, why do you wish to risk your entire network by doing this
    and how do you expect to control those risks? Keeping the
    useradd command in specific for root use is the first strategy
    to limit the risks.

    Doug Guest

  5. #5

    Re: root user specific commands

    <com> wrote: 

    This is an incorrect way to describe unix permissions. Instead say, "many
    commands are executable only by root", and "many commands do things that
    only root can do".
     

    Right. Permission to run the program and permission to perform the operations
    that the program does are separate.
     

    Ok, useradd is executable by any user.
     

    But non-root users are disallowed from operations that useradd attempts to
    perform, like writing to the password file.
     

    The set-user-id bit on the executable exists to address this, but unless you
    know what you're doing, it's a VERY bad idea to change it. You _WILL_ open up
    big security holes if you aren't extremely careful.
    --
    Mark Rafn net <http://www.dagon.net/>
    Mark Guest

  6. #6

    Re: root user specific commands

    In comp.unix.admin com: 

    [..]
     

    visudo

    A start would be 'man -k sudo', install sudo if you don't have
    it, works on almost any unix and is the common way to do such
    things, before you start tampering with SUID and open up security
    problems. In addition sudo provides useful logging of actions.

    Good luck

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 300: Digital Manipulator exceeding velocity
    parameters
    Michael Guest
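
Added example, not part of the thread: the sudo route from post #6, written as a script that builds a one-command sudoers rule and syntax-checks it with visudo before installing it. The group name, the drop-in destination and the function names are assumptions of this example; `/usr/sbin/useradd` is the path shown in post #1.

```shell
#!/bin/sh
# Delegate one root-only command through sudo instead of changing setuid bits.
# Function names, group name and destination path are hypothetical.

# render_rule GROUP COMMAND
# Prints a single sudoers line, or fails if the input could alter the rule.
render_rule() {
    case "$1" in
        ''|*[!a-z0-9_-]*) echo "bad group name" >&2; return 1 ;;
    esac
    case "$2" in
        /*) ;;
        *) echo "command must be an absolute path" >&2; return 1 ;;
    esac
    case "$2" in
        *[!A-Za-z0-9/._-]*) echo "unexpected character in path" >&2; return 1 ;;
    esac
    # "%group" means members of that Unix group; (root) is the run-as user.
    # A command listed without arguments may be run with any arguments.
    printf '%%%s ALL = (root) %s\n' "$1" "$2"
}

# install_rule GROUP COMMAND DEST   (run as root)
# The rule is checked with "visudo -c" first, because a syntax error in a
# live sudoers file can disable sudo for everyone.
install_rule() {
    tmp=$(mktemp) || return 1
    if render_rule "$1" "$2" > "$tmp" && visudo -c -q -f "$tmp"; then
        install -o root -g root -m 0440 "$tmp" "$3"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use (as root), with an assumed drop-in directory:
#   ./delegate.sh acctadmins /usr/sbin/useradd /etc/sudoers.d/acctadmins
if [ "$#" -eq 3 ]; then
    install_rule "$1" "$2" "$3"
fi
```

Members of the group then run `sudo /usr/sbin/useradd ...`, and each invocation is recorded by sudo's logging, which is the advantage the post points out over a setuid change.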
