Protected Password Data Base
Connor MacLeod
macleod at cmllab.rgb.sub.org
Tue Apr 9 11:47:07 AEST 1991
In article <328 at secola.Columbia.NCR.COM>
tduncan at secola.Columbia.NCR.COM (Terry S. Duncan) wrote:
| I have recently installed SCO (with relaxed security). I am trying
| to create a user with superuser privileges. Is this possible? I am also
| trying to delete a user (retire is not what I had in mind). Is this possible?
| Where is this "Protected Password Data Base"?
Yep - yep - ...
It's possible for both - a relaxed _and_ a C2 trusted system.
There are four locations where changes have to be made to get a second
superuser or delete a user:
the first two are: (guess) /etc/passwd and /etc/group
(and now for the interesting stuff)
the 3rd place you have to check is the path /tcb/files/auth.
You'll find 26 subdirs there (/tcb/files/auth/a to /tcb/files/auth/z).
You have to check the directory which is similar to the first char of
the user's name (root => .../r). You'll find a file for each user whose
name starts with the char of the subdir. All the files here are in charge
of the environment of each user.
The 4th place is /etc/auth/subsystems. The files there are in charge of
the privs of each user.
So...
Let's say you want to create a user called foobar with superuser privs:
use the sysadmsh (or useshell) to create a standard user called foobar.
Then edit /etc/passwd and /etc/group and change the entry for foobar
to match the one from root.
After that chdir to /tcb/files/auth/f and ed the file foobar. Remove
all _after_ the ":u_pwd=........" line and append all from file
/tcb/files/auth/r/root but not the first two lines.
Chdir to /etc/auth/subsystems and check all the files there. Every file
that has an entry for root must have the same entry for foobar, too.
Remove the foobar entry from dflt_users.
That's it.
To remove a user from the system do the following steps:
- remove the user's entries from /etc/passwd and /etc/group
- remove the user's entries from all files under /etc/auth/subsystems
- remove the file with the same name as the username from the appropriate
subdir under /tcb/files/auth
- remove the user's homedir and mailbox (not necessary)
| I think SCO took this security thing a little too far.
It's C2 Trusted... (not SCO - anyway)
BTW: the SLS unx257 has some useful tools (shell-scripts, I think)
which do this work for you.
After having installed this fix you'll get some warnings when
booting in case you have more than one user with superuser privs.
I think you can ignore them... (I hope so - at least :>)
I hope this is of some help...
Rgds
--
Uwe Obst # {connor|macleod}@cmllab.rgb.sub.org
(aka Connor MacLeod) # "Trust me, I know what I'm doing!" -- Sledge Hammer
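
An added audit example, not part of the original post: shell functions that cross-check the locations the post names, reporting UID 0 accounts, passwd entries without a /tcb/files/auth file, leftover auth files, and subsystems files that still mention a removed user. The root-directory argument, the sample tree, the file names sub_a and sub_b, and the whole-word match for a subsystems entry are assumptions of this example.

```shell
#!/bin/sh
# Cross-check the account locations named in the post. Each function
# takes a root directory so it can run on a copy of the tree
# (an assumption of this example; pass "" for the live system).

# Accounts in etc/passwd whose UID field is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd"
}

# passwd accounts with no tcb/files/auth/<first char>/<name> file.
missing_auth_files() {
    awk -F: '$1 != "" { print $1 }' "$1/etc/passwd" |
    while read -r name; do
        first=$(printf '%s' "$name" | cut -c1)
        [ -f "$1/tcb/files/auth/$first/$name" ] || echo "$name"
    done
}

# Auth files left behind for names that are no longer in passwd.
orphan_auth_files() {
    for f in "$1"/tcb/files/auth/?/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        awk -F: -v n="$name" '$1 == n { hit = 1 } END { exit !hit }' \
            "$1/etc/passwd" || echo "$name"
    done
}

# Files under etc/auth/subsystems that still mention user $2.
# Assumption: an entry shows up as the name as a whole word.
stale_subsystem_refs() {
    for f in "$1"/etc/auth/subsystems/*; do
        if [ -f "$f" ] && grep -qw -- "$2" "$f"; then basename "$f"; fi
    done
}

# Constructed sample tree (all names and contents are made up).
make_sample_tree() {
    mkdir -p "$1/etc/auth/subsystems" "$1/tcb/files/auth/a" \
        "$1/tcb/files/auth/c" "$1/tcb/files/auth/f" "$1/tcb/files/auth/r"
    printf '%s\n' 'root:x:0:0::/:/bin/sh' 'foobar:x:0:0::/:/bin/sh' \
        'alice:x:200:50::/usr/alice:/bin/sh' \
        'bob:x:201:50::/usr/bob:/bin/sh' > "$1/etc/passwd"
    for u in a/alice c/carol f/foobar r/root; do
        : > "$1/tcb/files/auth/$u"
    done
    echo 'root carol' > "$1/etc/auth/subsystems/sub_a"
    echo 'root foobar' > "$1/etc/auth/subsystems/sub_b"
}
```

On the sample tree, foobar shows up as a second UID 0 account, bob has no auth file, and carol is a leftover from an incomplete removal.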