I have an HP-UX server where I need to create a special user account for an application to interact with, and this account must have full root privileges. Sudo is not an option in this. The only thing I can think of is to assign the account UID 0. Would this work to make the account functionally root? Is there some better way to do this without using sudo?
- What's the problem with using sudo? – user9517 Dec 05 '17 at 17:51
- Because the application that's needing the account can't use it. I don't know why. – Kefka Dec 05 '17 at 18:14
- Why would the application need to use it? The person or script that starts the application uses it. – Dec 05 '17 at 21:08
- Because it's a remote application that will be connecting to the server in question using the credentials of the account I'm making. – Kefka Dec 05 '17 at 21:51
3 Answers
Creating another account with uid 0 can lead to confusing, possibly broken behavior.
I would be reluctant to run any account that can't be run via sudo or setuid.
There are any number of ways to use sudo when a system connects to an account, such as:
- Using ssh, it is possible to specify a script to run on connect.
- Using the profile to run sudo on starting an interactive session.
- Use a wrapper script to elevate privilege before running the request.
I have run various backup routines that need root access to access all the files. They all connected with restricted access, usually via a non-root account.
sudo can be configured to run commands without requiring a password. It should be simple to create a wrapper script that elevates to root access via sudo and runs the required command.
Programs with the setuid bit set run as the user that owns them. This is generally more secure unless the program allows access to an unrestricted shell.

I would not recommend trying to assign UID 0 to another account. The system needs to have 1 root user.
Using sudo to run commands without a password is an option (personally, I'm not comfortable with code that must be run as root; but you have it so let's be realistic.) Some caveats for this:
- In your /etc/sudoers file, make sure the NOPASSWD option is the last line for that user. In reading sudoers the last line will override previous ones.
- Specify the absolute path for the director(ies) you need for this user.
- In /etc/sudoers include Defaults env_reset to reset the environment to default variables.
/etc/sudoers:
...
##
Defaults env_reset
...
##
app_user ALL = NOPASSWD: /path/to/application, /usr/bin/su - root
...
(Change the path to su to match your HP-UX location.)
It's been a while since I used HP-UX, so please verify the formatting with what's in your /etc/sudoers file now.

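The approach the first two answers describe (an SSH script run on connect, a wrapper, and passwordless sudo limited to absolute paths), as an added example that is not from any of the posters. The account name app_user is taken from the sudoers sample above; the script path /usr/local/bin/app-gate, the /opt/app/bin commands and the GATE_DRY_RUN switch are hypothetical.

```shell
#!/bin/sh
# Forced-command gate for a restricted service account (added example).
# Hypothetical names: /usr/local/bin/app-gate, /opt/app/bin/*, GATE_DRY_RUN.
#
# authorized_keys line for app_user (key material is a placeholder):
#   command="/usr/local/bin/app-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY> remote-app
#
# Matching sudoers rules (edit with visudo):
#   Defaults:app_user env_reset
#   app_user ALL = (root) NOPASSWD: /opt/app/bin/backup, /opt/app/bin/status

# Map a request string to the single absolute path allowed for it.
# The case patterns match the whole string, so "backup; id" is rejected.
# Prints the path and returns 0 on a match; returns 1 otherwise.
resolve_request() {
    case "$1" in
        backup) echo /opt/app/bin/backup ;;
        status) echo /opt/app/bin/status ;;
        *)      return 1 ;;
    esac
}

# sshd puts what the client asked to run in SSH_ORIGINAL_COMMAND and runs the
# forced command instead, so the request is handled as untrusted input.
gate() {
    target=$(resolve_request "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "app-gate: request denied" >&2
        return 1
    }
    # GATE_DRY_RUN is this example's own switch: print instead of executing.
    if [ -n "${GATE_DRY_RUN:-}" ]; then
        echo "sudo -n $target"
    else
        # -n: never prompt; fail if no sudoers rule covers the command.
        exec sudo -n "$target"
    fi
}

# Act only when sshd invoked this script with a client request. A login with
# no command leaves the variable unset: nothing runs and the session closes.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    gate
fi
```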
You cannot assign another account UID 0 without breaking everything.
As is pointed out by Rich Homolka in a comment, there's code in the kernel which explicitly checks for uid 0 when needing to check for the root user, which means that root always has at least uid 0.
https://superuser.com/questions/626843/does-the-root-account-always-have-uid-gid-0
Also, I hope that you're not using this server for anything else, because giving an application full root privileges without restricting it via sudo at the bare minimum is very dangerous. Especially an application that is connecting over the network, as you say.

- "You cannot assign another account UID 0 without breaking everything." Are you certain about this? Because as indicated in the thread you posted, and as a default setting on my home FreeBSD server that I just looked at to confirm, two UID 0 accounts can exist side by side. I'm not suggesting getting rid of root. Just also assigning a new account UID 0, to make it root in all but name. And yes, I know sudo would absolutely be preferable in this case. But I require an account that acts like root without being the actual named root account, and can't use sudo to do this. So here I am. – Kefka Dec 05 '17 at 23:59
- And also, this is specifically HP-UX, while the comment you're referring to is talking about Linux. So the code he's talking about may not even exist. – Kefka Dec 06 '17 at 00:06