Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!ira.uka.de!smurf!cmllab!macleod
From: macleod@cmllab.rgb.sub.org (Connor MacLeod)
Newsgroups: comp.unix.xenix.sco
Subject: Re: Protected Password Data Base
Message-ID: <1991Apr09.014707.3302@cmllab.rgb.sub.org>
Date: 9 Apr 91 01:47:07 GMT
References: <328@secola.Columbia.NCR.COM>
Organization: The Connor MacLeod Laboratories, Regensburg, West-Germany
Lines: 65

In article <328@secola.Columbia.NCR.COM> tduncan@secola.Columbia.NCR.COM (Terry S. Duncan) wrote:
| I have recently installed SCO (with relaxed security). I am trying
| to create a user with superuser privileges. Is this possible? I am also
| trying to delete a user (retire is not what I had in mind). Is this possible?
| Where is this "Protected Password Data Base"?

Yep - yep - ...
It's possible for both - a relaxed _and_ a C2 trusted system.

There are four locations where changes have to be made to get a second
superuser or delete a user:

the first two are: (guess) /etc/passwd and /etc/group

(and now for the interesting stuff)

the 3rd place you have to check is the path /tcb/files/auth. You'll find
26 subdirs there (/tcb/files/auth/a to /tcb/files/auth/z). You have to check
the directory which is similar to the first char of the user's name
(root => .../r). You'll find a file for each user whose name starts with
the char of the subdir. All the files here are in charge for the environment
of each user.

The 4th place is /etc/auth/subsystems. The files there are in charge for
the privs of each user.

So... Let's say you want to create a user called foobar with superuser privs:
use the sysadmsh (or useshell) to create a standard user called foobar.
Then edit /etc/passwd and /etc/group and change the entry for foobar to
match the one from root. After that chdir to /tcb/files/auth/f and ed the
file foobar. Remove all _after_ the ":u_pwd=........" line and append
all from file /tcb/files/auth/r/root but not the first two lines.
Chdir to /etc/auth/subsystem and check all the files there. Every file that
has an entry for root must have the same entry for foobar, too. Remove the
foobar entry from dflt_users. That's it.

To remove a user from the system do the following steps:
- remove the user's entries from /etc/passwd and /etc/group
- remove the user's entries from all files under /etc/auth/subsystems
- remove the file with the same name as the username from the appropriate
  subdir under /tcb/files/auth
- remove the user's homedir and mailbox (not necessary)

| I think SCO took this security thing a little too far.

It's C2 Trusted... (not SCO - anyway)

BTW: the SLS unx257 has some useful tools (shell-scripts, I think) which do
this work for you. After having installed this fix you'll get some warnings
when booting in case you have more than one user with superuser privs. I
think you can ignore them... (I hope so - at least :>)

I hope this is of some help...

Rgds
--
Uwe Obst   # {connor|macleod}@cmllab.rgb.sub.org (aka Connor MacLeod)
           # "Trust me, I know what I'm doing!" -- Sledge Hammer
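
The four locations named in the post above can be audited from the other direction: which accounts hold UID 0, and which references to a removed user are still lying around. This is an added example, not part of the original post and not SCO's or the SLS's tooling. The helper names, the sample tree and the `sample_subsys` file are constructed, and it assumes (the post does not show the file format) that the files under /etc/auth/subsystems list user names as plain tokens.

```python
import re
import tempfile
from pathlib import Path

def read(root, rel):
    return Path(root, rel).read_text(errors="replace")

def uid0_accounts(root):
    """Every account name in etc/passwd whose UID field is 0."""
    rows = [l.split(":") for l in read(root, "etc/passwd").splitlines()]
    return [f[0] for f in rows if len(f) >= 7 and f[2].isdigit() and int(f[2]) == 0]

def leftovers(root, user):
    """Places under root that still reference user; empty after a clean removal."""
    hits = []
    if any(l.split(":")[0] == user for l in read(root, "etc/passwd").splitlines()):
        hits.append("etc/passwd")
    for l in read(root, "etc/group").splitlines():
        f = l.split(":")
        if f[0] == user or (len(f) >= 4 and user in f[3].split(",")):
            hits.append("etc/group")
            break
    # Assumption: subsystem files carry user names as plain tokens.
    token = re.compile(r"(?<![\w.-])" + re.escape(user) + r"(?![\w.-])")
    for p in sorted(Path(root, "etc/auth/subsystems").iterdir()):
        if p.is_file() and token.search(p.read_text(errors="replace")):
            hits.append("etc/auth/subsystems/" + p.name)
    auth = "tcb/files/auth/%s/%s" % (user[0], user)
    if Path(root, auth).exists():
        hits.append(auth)
    return hits

def build_sample_tree():
    """Constructed sample: foobar half-removed, toor holding UID 0."""
    root = tempfile.mkdtemp()
    files = {
        "etc/passwd": "root:*:0:0:Superuser:/:/bin/sh\n"
                      "toor:*:0:0:Second superuser:/:/bin/sh\n"
                      "alice:*:200:50:Alice:/usr/alice:/bin/sh\n",
        "etc/group": "root::0:root,toor\nusers::50:alice,foobar\n",
        "etc/auth/subsystems/dflt_users": "alice,foobar\n",
        "etc/auth/subsystems/sample_subsys": "root,toor\n",
        "tcb/files/auth/f/foobar": "constructed placeholder\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root
```

Pass `"/"` as `root` to read the live files; any name returned by `uid0_accounts` other than root is a second superuser of the kind the post describes.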