root group in solaris

Hi,

I would like to give root user privileges to a set of OS
administrators. Everyone has individual user-ids on the system.
Currently they login with their personal ID and then SU to root. I
donot want to share root password with these many people.

I am thinking of adding all these users to the "root" group[GID 0].
Will it provide root-equivalent UID O access to these users. If not
why ? Does the "root" group not have root user-id equivalent
privileges?

Is it possible manually to make the GID 0 privileges equivalant of UID O?

How else can I give these individual users root privileges - make all
of them UID 0 or something.? Is that a smart idea?

I am looking at something simpler than SUDO or RBAC

That's probably not the best way to do it. First, just by adding
people to the root group it doesn't give them root privileges. The
only way to do that would be to make specific binaries sgid/suid.

You should really look at using RBAC or sudo for what you're doing.

With RBAC a user will su to a "role" (a special account) that can (or
may not) have a shared password. That role will have a profile that
will link what binaries can be run suid by that role. Those users will
not have root, they'll just have access to an alternate account that
they have to su to (good for auditing/paper trails.)

On 9/18/06, dubaisans dubai <dubaisans@...> wrote:

Typically you would add someone to the 'wheel' user group on a UNIX
system if you want them to have those privileges. You must make sure
that the tools you want users to have access to are also members of the
'wheel' group (chgrp), if it is not already setup that way by default.

http://en.wikipedia.org/wiki/Unix_security
http://www.onlamp.com/pub/a/bsd/2000/09/13/FreeBSD_Basics.html 

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of dubaisans dubai
Sent: Monday, September 18, 2006 7:50 AM
To: focus-sun@...
Subject: root group in solaris

Hi,

I would like to give root user privileges to a set of OS administrators.
Everyone has individual user-ids on the system.
Currently they login with their personal ID and then SU to root. I donot
want to share root password with these many people.

I am thinking of adding all these users to the "root" group[GID 0].
Will it provide root-equivalent UID O access to these users. If not why
? Does the "root" group not have root user-id equivalent privileges?

Is it possible manually to make the GID 0 privileges equivalant of UID
O?

How else can I give these individual users root privileges - make all of
them UID 0 or something.? Is that a smart idea?

I am looking at something simpler than SUDO or RBAC

I don't recall a way to do what you describe. Realistically, you  
could create a whole bunch of UID=0 accounts for each user, such that  
they have their own credentials - but once they are logged in, they  
could do anything anyway (like change the password you don't want to  
give out in the first place).

Out of interest, why would you discount SUDO? In my experience, it's  
extremely simple to setup if you don't want to do anything too fancy  
and has stood the test of time.
--
Dave Ockwell-Jenner
Solar Nexus Solutions
http://www.solar-nexus.com/

On 18-Sep-06, at 8:50 AM, dubaisans dubai wrote:

Sudo is really the simplest and more robust solution.  Also you can
track log info.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Freeman, Michael
Sent: Monday, September 18, 2006 1:23 PM
To: dubaisans dubai; focus-sun@...
Subject: RE: root group in solaris

Typically you would add someone to the 'wheel' user group on a UNIX
system if you want them to have those privileges. You must make sure
that the tools you want users to have access to are also members of the
'wheel' group (chgrp), if it is not already setup that way by default.

http://en.wikipedia.org/wiki/Unix_security
http://www.onlamp.com/pub/a/bsd/2000/09/13/FreeBSD_Basics.html 

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of dubaisans dubai
Sent: Monday, September 18, 2006 7:50 AM
To: focus-sun@...
Subject: root group in solaris

Hi,

I would like to give root user privileges to a set of OS administrators.
Everyone has individual user-ids on the system.
Currently they login with their personal ID and then SU to root. I donot
want to share root password with these many people.

I am thinking of adding all these users to the "root" group[GID 0].
Will it provide root-equivalent UID O access to these users. If not why
? Does the "root" group not have root user-id equivalent privileges?

Is it possible manually to make the GID 0 privileges equivalant of UID
O?

How else can I give these individual users root privileges - make all of
them UID 0 or something.? Is that a smart idea?

I am looking at something simpler than SUDO or RBAC

Dubaisans,

Nog, fortunately, there is a sharp distinction between user and group
privileges on *nix systems. There are two common approaches for you to grant
your users specific root privileges:
1. Configure sudo and grant users specific privileges they can access using
<sudo COMMAND> (yes, I read that you do not consider this simple, but I
still suggest you to look for a config example -> you're probably ready to
go in no time!)
2. Grant binaries SUID privileges. These privileges will allow non-owners to
execute the binary using the owners credentials. Be aware though, that if
you grant SUID rights to for instance a shell that is owned by root, users
will instantly drop into a root-privileged shell. So be very aware of the
binaries functionality. You might also want to revoke world-execution rights
and configure just group execution rights, in order to make sure only the
authorized people can run the binaries with SU privileges.

Googling on both these solutions (SUDO and SUID), will help you with the
specifics.

good luck!
maarten
> How else can I give these individual users root privileges - make all
> of them UID 0 or something.? Is that a smart idea?

I agree. You can also leverage the 'wheel' group in sudo by first adding
everyone to the 'wheel' group then making a simple rule in your
sudoers.conf file like:

%wheel ALL = (ALL) ALL

This will let anyone in the 'wheel' group to have 'root' sudo
privileges.

-----Original Message-----
From: Fontanez Martin [mailto:Fontanez.Martin@...]
Sent: Monday, September 18, 2006 12:51 PM
To: Freeman, Michael; dubaisans dubai; focus-sun@...
Subject: RE: root group in solaris

Sudo is really the simplest and more robust solution.  Also you can
track log info.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Freeman, Michael
Sent: Monday, September 18, 2006 1:23 PM
To: dubaisans dubai; focus-sun@...
Subject: RE: root group in solaris

Typically you would add someone to the 'wheel' user group on a UNIX
system if you want them to have those privileges. You must make sure
that the tools you want users to have access to are also members of the
'wheel' group (chgrp), if it is not already setup that way by default.

http://en.wikipedia.org/wiki/Unix_security
http://www.onlamp.com/pub/a/bsd/2000/09/13/FreeBSD_Basics.html 

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of dubaisans dubai
Sent: Monday, September 18, 2006 7:50 AM
To: focus-sun@...
Subject: root group in solaris

Hi,

I would like to give root user privileges to a set of OS administrators.
Everyone has individual user-ids on the system.
Currently they login with their personal ID and then SU to root. I donot
want to share root password with these many people.

I am thinking of adding all these users to the "root" group[GID 0].
Will it provide root-equivalent UID O access to these users. If not why
? Does the "root" group not have root user-id equivalent privileges?

Is it possible manually to make the GID 0 privileges equivalant of UID
O?

How else can I give these individual users root privileges - make all of
them UID 0 or something.? Is that a smart idea?

I am looking at something simpler than SUDO or RBAC

>I would like to give root user privileges to a set of OS
>administrators. Everyone has individual user-ids on the system.
>Currently they login with their personal ID and then SU to root. I
>donot want to share root password with these many people.
>
>I am thinking of adding all these users to the "root" group[GID 0].
>Will it provide root-equivalent UID O access to these users. If not
>why ? Does the "root" group not have root user-id equivalent
>privileges?


>Is it possible manually to make the GID 0 privileges equivalant of UID O?

No; you could have easily tested this but it has no effect at all.

>How else can I give these individual users root privileges - make all
>of them UID 0 or something.? Is that a smart idea?
>
>I am looking at something simpler than SUDO or RBAC

Even simpler?

I would still strongly suggest RBAC or sudo as both all your system
administrators to execute programs with appropriate privileges when
needed.  Giving them "root privileges all the time" is a bad idea;
it means that they can no longer safely use their user accounts
for email, web browsing or anything else.

Casper

What???????????????????

1) 'Wheel' is a bsd term/group. He is talking about Solaris. No wheels
here.
You pretty much repeated what he asked, which was to add them to the
root group.

2) From a security point of view: (better to worse)
RBAC type of setup
Sudu type of program
Acl's (used with suid and sgid's)
Sticky bit on the group
Sticky bit on the owner
Adding someone to the root group

Reasons -

RBAC and Sudu's can get you better control and logging. Also limit what
someone can or can not do. You must configure.

Acl's - again, you configure and know what you gave access to.

Sticky bits can be a nightmare for tracking down problems. Log
files...ect would have root as the group/owner. You also need to get
every file. (would be really bad if you sticky bit a directory :) ) I
don't mean every file on the system, but all files need to correctly
admin the system.
You also should use with ACL's to make sure you not opening your system
security to all users)

Adding them to the group - will not give them all the files. If I
remember correctly, a lot of the files do not have root as the group
owner. (some have sys, bin, lp   ...ect)

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Freeman, Michael
Sent: Monday, September 18, 2006 1:23 PM
To: dubaisans dubai; focus-sun@...
Subject: RE: root group in solaris

Typically you would add someone to the 'wheel' user group on a UNIX
system if you want them to have those privileges. You must make sure
that the tools you want users to have access to are also members of the
'wheel' group (chgrp), if it is not already setup that way by default.

http://en.wikipedia.org/wiki/Unix_security
http://www.onlamp.com/pub/a/bsd/2000/09/13/FreeBSD_Basics.html 

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of dubaisans dubai
Sent: Monday, September 18, 2006 7:50 AM
To: focus-sun@...
Subject: root group in solaris

Hi,

I would like to give root user privileges to a set of OS administrators.
Everyone has individual user-ids on the system.
Currently they login with their personal ID and then SU to root. I donot
want to share root password with these many people.

I am thinking of adding all these users to the "root" group[GID 0].
Will it provide root-equivalent UID O access to these users. If not why
? Does the "root" group not have root user-id equivalent privileges?

Is it possible manually to make the GID 0 privileges equivalant of UID
O?

How else can I give these individual users root privileges - make all of
them UID 0 or something.? Is that a smart idea?

I am looking at something simpler than SUDO or RBAC


-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.

And you might add a second bit to the line suggested below

    %wheel     ALL = (ALL) ALL, ! /usr/bin/su -

This should prevent someone from explicitly executing "sudo su -"

Of course, someone with sudo rights to ALL like this can easily get
around not being able to "sudo su -" in a dozen ways (like "sudo
/bin/ksh", etc.).

But the error message that comes back acts as a gentle reminder to be a
good citizen and not do things like that.

I recently found this well-written overview of how a user should think
about sudo (and not resent having to type "sudo" in front of everything)
https://cs.stanford.edu/doc/Systems/PrivilegedAccessPolicy


Freeman, Michael wrote on 9/18/2006 1:59 PM:

On Mon, 18 Sep 2006, dubaisans dubai wrote:

Hi there -

What is the issue you are having with RBAC? It is included
by default in Solaris, many things like SSH are RBAC aware,
it is logged & audited.

If you're running solaris 10 or newer, you can also use
least priveleges to limit what each operator can do.

Valerie
--
Now appearing as Gloria Rasputin and various other characters in
    "Bye Bye Birdie" at SDG http://www.saratogadramagroup.com/
          Sept 23 - Oct 14. Tickets: (408) 266-4734

Hi,

   I absolutely agree that RBAC is the BEST option
   all you have to do is to change type of user for
   root from normal to a role (/etc/use_attr).
   Then `usermod -R root username`.
cheers


--- Valerie Anne Bubb <Valerie.Bubb@...> wrote:


Noel Z. Del Rosario


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 

Hi,

 > I am thinking of adding all these users to the "root" group[GID 0].
 > Will it provide root-equivalent UID O access to these users. If not
 > why ? Does the "root" group not have root user-id equivalent
 > privileges?

As others have pointed out, setting GUID to 0 does not make user
root-equivalent. It is just another group, absolutely nothing special
from kernel's point of view.

> Is it possible manually to make the GID 0 privileges equivalant of UID O?

I don't think so.

> How else can I give these individual users root privileges - make all
> of them UID 0 or something?

Yes, you can assign UID 0 to users. Attributes of a user account
(username, homedir, etc) only matter on the user-level, kernel only
cares about UID/GID.

> Is that a smart idea?

People do it sometimes, but it is not a common practice. Personally, I
would go for sudo.

Regards,
Alex

This is very kludgy, but may be what your looking for.

slap together an interactive script which opens to a menu of choices.

as example - 1) change users password
                2) Run UFS Level 0 dump on /
                etc...

Then create a userid that is 0, make the password of this user different than
the root user, and ensure that the script you created above is the login shell
(the last parameter of the /etc/passwd entry).

At 02:50 AM 9/18/2006, dubaisans dubai wrote:

Salut,

On Mon, 2006-09-18 at 15:43 -0400, Curt Tucker wrote:
> Of course, someone with sudo rights to ALL like this can easily get
> around not being able to "sudo su -" in a dozen ways (like "sudo
> /bin/ksh", etc.).

You tend to forget about the builtin sudo -s

Also, what about sudo visudo or sudo vi /etc/sudoers? One could easily
get around this restriction that way too.

There is no way to protect yourself from root privileges except by
limiting the code that may be executed (e.g. via a setuid binary or by
limiting the executable system calls).

                                Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Loesungen mit System
Tel:+41 61 333 80 33    Roeschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard@...

sudo -s opens a root level shell that can be used to issue multiple
commands.  If running in a gui, the admin could even have more than one
shell open and use the root and non-root shells simultaneously for
appropriate commands.  That's pretty simple and requires knowledge of only
the user's own password.  The only command logged is the command to spawn
the shell, not the commands issued in that shell, unlike the audit trail
that could be kept if commands were issued separately prefixed with sudo.

sudo without the -s option issues a new password challenge when the last
challenge is five minutes old to prevent someone from using a root shell
when an admin steps away without locking his account....not a bad idea.
Can you set the inactivity time limit for sudo?



                                                                           
             Casper.Dik@...                                            
             M                                                            
             Sent by:                                                   To
             listbounce@securi         dubaisans dubai                    
             tyfocus.com               <dubaisans@...>              
                                                                        cc
                                       focus-sun@...        
             09/18/2006 02:07                                      Subject
             PM                        Re: root group in solaris          
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           





>I would like to give root user privileges to a set of OS
>administrators. Everyone has individual user-ids on the system.
>Currently they login with their personal ID and then SU to root. I
>donot want to share root password with these many people.
>
>I am thinking of adding all these users to the "root" group[GID 0].
>Will it provide root-equivalent UID O access to these users. If not
>why ? Does the "root" group not have root user-id equivalent
>privileges?


>Is it possible manually to make the GID 0 privileges equivalant of UID O?

No; you could have easily tested this but it has no effect at all.

>How else can I give these individual users root privileges - make all
>of them UID 0 or something.? Is that a smart idea?
>
>I am looking at something simpler than SUDO or RBAC

Even simpler?

I would still strongly suggest RBAC or sudo as both all your system
administrators to execute programs with appropriate privileges when
needed.  Giving them "root privileges all the time" is a bad idea;
it means that they can no longer safely use their user accounts
for email, web browsing or anything else.

Casper

listbounce@... wrote on 18/09/2006 23:42:24:

[setting UID of non-root users to 0 to let them run root commands]
> > Is that a smart idea?

> People do it sometimes, but it is not a common practice. Personally, I
> would go for sudo.

I see it as being equivalent to sticking a screwdriver in an unshielded
mains socket.  Occasionally there's a sensible reason to do it but it's
not usually a good idea and you want to be careful when you do.  I'd used
RBAC or sudo.

The only time I recall setting the UID of a user to 0 was when we'd had a
run of problems with a particular group of contractors changing the root
password on a box (due to the nature of the work they were doing on it
they had to have root access and the project manager insisted they be
given the root password rather than just use another user and sudo) and
not telling us the password (when we asked for the new password their
immediate response was along the lines of "Just tell us what you want done
and we'll do it." [for an hourly rate of...]).  One time when we had root
access I created a user with UID 0 so when they changed the password we
could log in as a user who could change root's password back to what it
should be.  A political problem, root [sic] cause dumb project manager,
rather than a technical one.

Stephen


***********************************************************************
The information contained in this e-mail (and any attachment) is confidential and may be privileged. It is intended only for the named recipient or entity to whom it is addressed. If you are not the intended recipient, please notify the sender and delete the e-mail immediately. The contents of this e-mail must not be disclosed, printed or copied without the sender's consent.

Any e-mail including its content may be monitored and used by Service Birmingham Ltd for reasons of security and for monitoring internal compliance with Security Policy.

Although Service Birmingham Ltd have made every reasonable effort to ensure that this message or any attachment is virus free or has not been intercepted and amended this cannot be guaranteed.
***********************************************************************

"dubaisans dubai" <dubaisans@...> wrote:
Group ID 0 has no significance in any Unix-like system (Solaris, Linux,
...).  If you look in the manuals, the raised privileges belong to a
process with (effective) UID of 0 - root.  (If you ever used the Zilog
Zeus operating system - say 20 years ago - then the super-user there was
not 'root' but 'zeus' - kind of appropriate, really - but it was zeus who
had UID of 0.)  The POSIX specification always talks about 'appropriate
privileges' but it is usually translated as 'root privileges' (and that
means 'EUID = 0').

If you prefer, you can create multiple user names each allocated the user
ID of 0 and a separate password.  Just make sure 'root' is listed first in
the password file.  This is a widely used technique (in the companies
where I've worked, anyway).  Just remember that the processs accounting
system won't be able to distinguish these users from each other - their
processes will all look as if they were run by root.

root:x:0:0:Root:/:/bin/ksh
admin1:x:0:0:First Administator:/root:/bin/ksh
admin2:x:0:0:Second Administrator:/root:/bin/ksh
...

Using 'sudo' has advantages - it can log when people start working as
root.

--
Jonathan Leffler (jleffler@...)
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921     Tie-Line: 630-6921
          "I don't suffer from insanity; I enjoy every minute of it!"

Hi :

Is there a command or program which allows me to update my Solaris OS?

I have servers running solaris 8,9 and 10.

Thanks
Alex

Hi,

> Is there a command or program which allows me to update my Solaris OS?
>
> I have servers running solaris 8,9 and 10.

As far as I know the recommended way of updating Solaris is by
installing patch clusters. You can also install individual patches.
Visit sunsolve.sun.com.

Best Regards,
Grzegorz Kaczor