Tips & techniques for Users of SunSoft Solaris

June 1995

Creating a shutdown login for Solaris 2.x

One of the primary challenges of system administration is security. As the root or superuser, a system administrator must determine who can have access to the root password in order to complete various administrative tasks. Among these tasks, rebooting and system shutdowns require superuser-level security.

When installing new equipment or applications, you must reboot your system in order for changes in your configuration to take effect. Power outages and regular system maintenance are just two of the many reasons you must shut down a system. Instead of allowing users access to the root password, you can create a user whose only function is to shut down or reboot the system.

In this article, we'll demonstrate how to create a shutdown user with admintool. We'll then show you how to give the shutdown user the same security level as the root user. Finally, we'll write a simple .profile for the shutdown user that will run a system shutdown or a system reboot using the init command.

Getting started

Before you begin, make sure that you log into your Solaris 2.x system as root to complete the steps shown in this article. If your root login doesn't automatically run OpenWindows, you can execute the command

/usr/openwin/bin/openwin

at the # (pound sign) prompt to manually launch the OpenWindows environment.

Creating a user

To create a new user, launch admintool from the /bin directory. In OpenWindows, you can execute /bin/admintool from the Command Tool window or double-click on the appropriate icon from the File Manager window. Once launched, the Administration Tool window will appear, as shown in Figure A. Select the User Account Manager to open the list of user accounts, as shown in Figure B.

From the User Account Manager window, click the Edit menu button and select Add User… from the menu, as shown in Figure C. This opens the Add User window, as shown in Figure D. The Add User window breaks down into four parts.

The User Identity section of the Add User window asks for the new user's name, ID number, and group name. You'll also find fields you can use for a comment and to set the Login Shell. As a general rule, it's a good idea to complete the Comment field in this section for your own reference. The Login Shell field will be set to the Bourne shell by default. To create a shutdown user, you won't need to change it.

The next section, Account Security, lets you set the new user's password. By default, you set the password when the new user uses the login for the first time. If you wish to set the password before the first login, click the menu button in the Password field to open the Password menu, as shown in Figure E. Select the Normal Password… button to open the Set Password window, as shown in Figure F. In the fields provided, enter the new password twice and press the Apply button to set the password.

In the Account Security section, you'll also find optional fields that allow you to set an expiration limit for the new user's account and password. Depending on your security needs, you can set a time limit for the account password so that it changes on a regular basis. For example, set the Max Change field to 14 and the Warning field to 3 to enable a 14-day limit on any given password and a three-day warning period before a password expires.

The Home Directory fields in the Add User window are fairly self-explanatory. To create a home directory for the shutdown user, check the box in the Create Home Dir field. You should enter the full pathname of the new home directory in the Path field. Enter in the Server field the name of the server on which you'll create the new user. The Skeleton Path field is where the system will look for the skeleton files, such as the user's .profile. Fill in the field with the appropriate path you wish to assign the shutdown user. For simplicity, enter the same path for the Path and Skeleton Path fields.

The AutoHome Setup field and the Permissions field can be filled in as options. If checked, the AutoHome Setup field will create an automount entry in the auto_home database file for the new user. Since we'll be setting permissions for the shutdown user from a command prompt, you can ignore the Permissions fields.

You can also ignore the Mail Server field in the Miscellaneous section, since this user shouldn't receive mail. When you've entered the data for your new user, your Add User window should appear similar to the one in Figure G.

Making shutdown a superuser

Once you've created the shutdown user, you still need to give it superuser status. To do this, you'll need to edit the /etc/passwd and /etc/group files to set the user ID and group ID to the same values as the root user.

In OpenWindows, launch the Text Editor and open the /etc/passwd file, as shown in Figure H. In the /etc/passwd file, look at the entry for root. The fields in the /etc/passwd file are delimited by a colon (:). The first field in the entry for root is the user's login ID. The next field contains the placeholder for the user's password (x). The next two fields represent the user ID and group ID respectively. Take note of the values for root in these two fields and change the field values for the shutdown entry in the /etc/passwd file to match the ones in the root entry.

When completed, the third and fourth fields for the root and shutdown entries in the /etc/passwd file should be the same. Save the file and exit the Text Editor. By changing these field values, you assign the shutdown user the same access level as the superuser.
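One way to confirm the edit and to keep track of which logins now carry root's UID, as an added example that is not part of the original article. The function names and the sample passwd lines are constructed for illustration, and a POSIX awk is assumed (nawk on Solaris 2.x).

```shell
# uid0_logins FILE: print the login name of every entry whose UID field is 0.
uid0_logins() {
    awk -F: 'NF >= 7 && $3 ~ /^0+$/ { print $1 }' "$1"
}

# ids_match_root FILE LOGIN: succeed only if LOGIN's third and fourth
# fields (UID and GID) equal root's, as the article's edit requires.
ids_match_root() {
    awk -F: '
        $1 == "root" { ru = $3; rg = $4; have_root = 1 }
        $1 == who    { uu = $3; ug = $4; have_user = 1 }
        END { exit !(have_root && have_user && uu == ru && ug == rg) }
    ' who="$2" "$1"
}

# Constructed sample of /etc/passwd after the edit (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:1:0000-Admin(0000):/:/sbin/sh
daemon:x:1:1:0000-Admin(0000):/:
shutdown:x:0:1:Shutdown login:/home/shutdown:/bin/sh
jdoe:x:1001:10:Constructed user:/home/jdoe:/bin/ksh
EOF
}

tmp=${TMPDIR:-/tmp}/passwd.sample.$$
sample_passwd > "$tmp"
echo "Logins with UID 0:"
uid0_logins "$tmp"
if ids_match_root "$tmp" shutdown; then
    echo "shutdown has the same UID and GID as root"
else
    echo "shutdown does NOT match root"
fi
rm -f "$tmp"
```

Pointing both functions at /etc/passwd instead of the sample gives the real inventory; any UID 0 login other than root and shutdown is one nobody planned for.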

Creating the shutdown .profile

When you created the shutdown user, you specified the Skeleton Path in the Home Directory section of the Add User window. In the Skeleton Path directory, you'll need to create a new .profile for the shutdown user. You can copy the default .profile from the /etc/skel directory to the Skeleton Path directory for the shutdown user. In our example in Figure G, we used the Skeleton Path /home/shutdown. Use the command

cp /etc/skel/.profile /home/shutdown

to copy the system default .profile to the shutdown user's Skeleton Path directory.

Now that you have a file to work with, launch the Text Editor in OpenWindows and open the file /home/shutdown/.profile. In the .profile you can write a simple shell script to execute a system shutdown. In Figure I, we've demonstrated how to write a very simple script to reboot your Solaris system.

If you want more functionality from your shutdown user's .profile, you can create a menu to shut down or reboot your system using init commands. Once you've completed your new .profile, save the file and exit the Text Editor. To test your work, exit OpenWindows and return to a system login. Log into the system as shutdown with the appropriate password. Your system should reboot if you used the init 6 command in your .profile.
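A menu-driven .profile of the kind described above, as an added example that is not the article's own script (Figure I is not reproduced on this page). Because the login runs with root's UID, it ignores interrupt signals and uses exec so that no root shell is left behind. The function names are made up for illustration, and the script assumes init lives at /sbin/init and that login starts the shell with a leading "-" in $0.

```shell
# /home/shutdown/.profile (added example). Runs with UID 0, so it must
# never leave the caller at an interactive prompt.

# Map a menu choice to an init run level; print nothing for bad input.
runlevel_for() {
    case "$1" in
        1) echo 6 ;;    # init 6: reboot
        2) echo 0 ;;    # init 0: halt
    esac
}

shutdown_menu() {
    PATH=/usr/sbin:/usr/bin
    export PATH
    # Ignore HUP, INT, QUIT and TERM so Ctrl-C cannot break out of the
    # menu into a root shell.
    trap '' 1 2 3 15
    while :; do
        echo "1) Reboot the system"
        echo "2) Halt the system"
        echo "3) Log out without doing anything"
        echo "Enter 1, 2 or 3:"
        read choice || exit 0           # end of input: log out
        [ "$choice" = 3 ] && exit 0
        level=`runlevel_for "$choice"`
        # exec replaces the shell, so nothing remains to return to.
        [ -n "$level" ] && { exec /sbin/init "$level" || exit 1; }
        echo "Invalid choice"
    done
}

# login starts the shell with a leading "-" in $0; run the menu only then,
# and exit rather than fall through if the menu ever returns.
case "$0" in
    -*) shutdown_menu; exit 1 ;;
esac
```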

Conclusion

If your system security is such that giving out your root password is not an option, you can assign specific tasks to user logins. In this article, we demonstrated how to create a user login whose only function is to reboot or shut down the system. We also showed how to give a user login root-level access and how to write a simple .profile for the shutdown user.



Copyright (c) 1995 The Cobb Group, a division of Ziff-Davis Publishing Company. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff-Davis Publishing Company is prohibited. The Cobb Group and The Cobb Group logo are trademarks of Ziff-Davis Publishing Company.

Inside Solaris is a publication of The Cobb Group.