Re: recover root password
On Wed, 16 Apr 2008, Patrick Spinler wrote:

Hi,

> Malcolm Beattie wrote:
> | Quick plug: I'll be covering Linux native tools for auditing
> | (auditd/auditctl), accounting (acct/sa) and other things beginning
> | with A[1] in my technical session at the z Tech Conference in
> | Dresden next month.
> |
> | There are trade-offs involved in enabling such things but if you
> | really want to audit everything root does, you can.
>
> Looked at these. Just wished there was an easy and obvious way to send audit records to syslog, and thus off-node.

The obvious reason you do not want this is that syslog is not reliable and you can possibly lose audit records. Further, they won't be encrypted and will be in plaintext on the wire. Lastly, you wouldn't even know if anyone had tampered with them when you received them on the destination. Spoofing UDP can be really easy.

If you want to remote audit records for postprocessing or keeping them around, either do it batched, as in log shipping, in a secure and reliable way, or use an encrypted reliable transport stream with spooling to handle times when the receiver is not available/reachable, etc...

/bz

--
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
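The batched log-shipping approach described in the message above, as an added example that is not part of the original post: each audit record is sealed with a sequence number and a chained HMAC, so the receiver detects altered, forged, dropped or lost records. The key, the record lines and all function names are constructed for illustration; confidentiality is assumed to come from the encrypted transport the message mentions.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # chain anchor before the first record ever shipped


def _tag(key, prev_tag, seq, record):
    """HMAC over the previous tag, the sequence number and the record text."""
    msg = prev_tag + seq.to_bytes(8, "big") + record.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_batch(key, records, state=(0, GENESIS)):
    """Sender side: wrap each record; return (envelopes, new_state)."""
    seq, prev = state
    sealed = []
    for record in records:
        prev = _tag(key, prev, seq, record)
        sealed.append({"seq": seq, "record": record, "tag": prev.hex()})
        seq += 1
    return sealed, (seq, prev)


def verify_batch(key, sealed, state=(0, GENESIS)):
    """Receiver side: return (ok, reason, new_state).

    On failure the old state is returned unchanged, so the batch can be
    requested again from the sender's spool.
    """
    seq, prev = state
    for env in sealed:
        if env["seq"] != seq:
            return False, f"gap or reorder: expected seq {seq}, got {env['seq']}", state
        want = _tag(key, prev, env["seq"], env["record"])
        if not hmac.compare_digest(want.hex(), env["tag"]):
            return False, f"bad tag at seq {seq}: record altered or forged", state
        prev, seq = want, seq + 1
    return True, "ok", (seq, prev)


# Constructed sample data (simplified audit-style lines, not real auditd output).
KEY = b"constructed-demo-key-not-for-production"
BATCH_1 = [
    "type=USER_AUTH msg=audit(1208300000.101:501): user=alice res=success",
    "type=USER_CMD msg=audit(1208300012.440:502): user=alice uid=0 cmd=visudo",
    "type=USER_END msg=audit(1208300060.007:503): user=alice res=success",
]
BATCH_2 = [
    "type=USER_AUTH msg=audit(1208300300.250:504): user=bob res=failed",
    "type=USER_AUTH msg=audit(1208300305.911:505): user=bob res=success",
]


def demo():
    """Ship two batches, then replay them with three kinds of damage."""
    sent1, sender_state = seal_batch(KEY, BATCH_1)
    sent2, sender_state = seal_batch(KEY, BATCH_2, sender_state)
    results = {}

    ok1, _, recv_state = verify_batch(KEY, sent1)
    ok2, _, recv_state = verify_batch(KEY, sent2, recv_state)
    results["clean"] = ok1 and ok2

    # A record edited in transit or on the collector.
    forged = [dict(env) for env in sent1]
    forged[1]["record"] = forged[1]["record"].replace("uid=0", "uid=1000")
    results["tampered"] = verify_batch(KEY, forged)[1]

    # A record dropped from the middle of a batch.
    results["dropped"] = verify_batch(KEY, sent1[:1] + sent1[2:])[1]

    # The tail of batch 1 is lost; the chain exposes it when batch 2 arrives.
    _, _, short_state = verify_batch(KEY, sent1[:-1])
    results["lost_tail"] = verify_batch(KEY, sent2, short_state)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A lost tail is only noticed when the next batch arrives, so a sender that goes quiet still needs a heartbeat or a per-batch record count on top of this.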
Re: recover root password
This is one of the problems I've had learning Linux: There are Linux defaults, and then there are different defaults created by the various distributions, and it's hard to tell which are which. Linux is a single operating system that never acts the same from machine to machine (much like Windows, but for different reasons).

--
Robert P. Nix
Mayo Foundation
RO-OE-5-55
200 First Street SW
507-284-0844
Rochester, MN 55905

In theory, theory and practice are the same, but in practice, theory and practice are different.

On 4/15/08 4:20 PM, John Summerfield [EMAIL PROTECTED] wrote:

> RPN01 wrote:
>> By default, sudo expects root's password.
>
> That is not what the man page says, It _is_ the way SUSE configures it.
>
> --
> Cheers
> John

Re: recover root password
The root of this problem is that Linux is only the kernel. Red Hat, SuSE, etc. are distributions that package the Linux kernel with various utilities (mostly GNU). Since they do their own compiling and configuration of the utilities some of the defaults are different.

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of RPN01
Sent: Wednesday, April 16, 2008 5:27 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

Re: recover root password
Malcolm Beattie wrote:
| Quick plug: I'll be covering Linux native tools for auditing
| (auditd/auditctl), accounting (acct/sa) and other things beginning
| with A[1] in my technical session at the z Tech Conference in
| Dresden next month.
|
| There are trade-offs involved in enabling such things but if you
| really want to audit everything root does, you can.

Looked at these. Just wished there was an easy and obvious way to send audit records to syslog, and thus off-node.

As far as I can tell from the man pages, though, while auditd will report its own operational errors to syslog, there's no option to write audit records there.

Yes, I know, it stores them by default in binary format. Yes, I know it's possible to whip up some post processing script to do what I want.

Unfortunately, such hacked together solutions are never as clean as properly coded application support ...

This is one specific function where Solaris already has it:

http://docs.sun.com/app/docs/doc/816-5175/audit-syslog-5?a=view

-- Pat

Re: recover root password
On Tue, Apr 15, 2008 at 12:34 AM, John Summerfield [EMAIL PROTECTED] wrote:

> Until the vendors change their approach, administrators are going to be working that way.

But isn't that why folks bother to hang out on mailing lists and learn how to improve their way of working? I consider the default setup maybe the easiest way to get started, but not necessarily the best approach to run your system.

My expectations of an end-user system are different. If you have someone install just one or two systems, you want the installer to do most things right and let the user resume his real work. But with professionals doing installs as their job, I'd expect them to know the requirements better than the vendor. Bonus points for installers that let you tweak the process rather than fight it (I have bad memories of YaST re-installing some products each time it could).

We used to have IBM products with installation instructions like this:

    CP MSG OPERATOR PLEASE MOUNT TAPE
    CP WNG ALL MAINTENANCE WILL BEGIN !
    REW 181

Even though these are actual commands, I believe they should not be taken literally as the maintenance procedure in any shop.

Rob

Re: recover root password
On Mon, 14 Apr 2008, Miguel Roman wrote:

Hi,

so, all I read was that you had to take down/reboot the linux system to recover.

The days I last used linux (on intel that was) you could simply boot into single user mode and got a shell once / was mounted without being asked for a password. You change your password and continue to the boot to get to multi user.

So now I have no idea if
- is it possible to boot into single user mode easily from VM?
- the distributions do ask for a password (the root password) these days before you get the shell in single user mode?

The advantage of this concept was that it was pretty damn fast if you had to reboot anyway and you didn't need any 2nd system and do mounts and chroot and all that.

Some BSD systems have a second privileged user called 'toor' btw. You could easily setup a password for that user at install time, write it down put it into a safe and you wouldn't even have to reboot ... but setting up sudo properly, as said by others, should be a better choice these days.

Yet, there is another alternative if you are not running on the latest kernel/patchlevel and need to fix that NOW without a maintenance window. Find a non-harmful exploit;-) The drawback is that you would want to fix that afterwards but that's what the maintenance window is for...

/bz

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.

Re: recover root password
On Tue, Apr 15, 2008 at 11:33 AM, Bjoern A. Zeeb [EMAIL PROTECTED] wrote:

> So now I have no idea if
> - is it possible to boot into single user mode easily from VM?
> - the distributions do ask for a password (the root password) these days before you get the shell in single user mode?

The difference is in having a local console, so Intel distributions that provide this depend on physical access control (or how they wire up the local console into some network gear). But Linux virtual machines on z/VM do not have a console that is attractive to use for repairing the system. So existing solutions end up doing some rescue system that will have a network to let you ssh into the system. I have some concerns using real network IP address etc for that.

We've been talking about virtual console switches, but I think it would be overkill considering the other options we already have. More convenient IMHO is to have another running Linux server reach out to the disks of the dead server and mount them. That way you have all the tools you need to fix things (though it may be that current LVM-tools have a strong one-system mindset).

Rob

--
Rob van der Heij
Velocity Software GmbH
http://velocitysoftware.com/

Re: recover root password
-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of John Summerfield
Sent: Monday, April 14, 2008 5:34 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

[snip]

> Red Hat expects administrators to know and use root's password. That's what su does.
>
> SUSE expects administrators to know and use root's password. It configures sudo to work that way.

Strange. On my OpenSUSE at home, it asks for my password, not root's password.

> Until the vendors change their approach, administrators are going to be working that way.

That can be fixed by the administrator using visudo to change /etc/sudoers. Granted, another customization that the vendor should do. Perhaps. But you know how much people will scream "why did that CHANGE" if the vendor does it.

> The only Linux distribution that expects administrators to use their own password is Ubuntu, and while it's based off Debian that is available for IBM mainframes, Ubuntu isn't yet.
>
> One can also login as root without password if ssh is so configured.

Hopefully you mean with a cert instead of a password.

> --
> Cheers

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

Re: recover root password
Another option to recover a root password on recent Linux on Z distros is to supply a replacement init on boot up - like so:

    zIPL v1.6.0 interactive boot menu

     0. default (ipl)

     1. ipl
     2. Failsafe

    Note: VM users please use '#cp vi vmsg number kernel-parameters'

    Please choose (default will boot in 10 seconds):
    #cp vi vmsg 1 init=/bin/bash

Linux will start a bash shell instead of the regular init process, you just have to remount your root filesystem in RW mode like so:

    mount / -o remount,rw

and then you can change the root password as needed - or do any other maintenance you want.

This trick would probably have helped with the broken CA esm for linux, too, but it didn't occur to me at the time.

This also works on PC versions of Linux if no one has set a grub bootloader password.

Yet another example of "Physical access trumps all security settings, eventually"

--
Jay Brenneman

Re: recover root password
By default, sudo expects root's password. But, it can be easily configured to expect the user to enter his own password instead. It's a one line change.

RedHat and SuSE expect administrators to use the root account because "It's always been done that way". But, when you have more than one administrator, and especially if you have more than a handful, like six to fifteen, then doing so gives you no accountability for what has been done to your systems.

Anyone sticking to the "I have to have root!" model of system administration is leaving themselves open to a huge awakening as Sarbanes-Oxley and other regulations overtake us. While we aren't required by law to conform to Sarbanes-Oxley, we've chosen to bring ourselves as close as we possibly can.

One of the requirements is that what is done to your systems is done with accountability. To be completely compliant, everything done by / with root will need to be logged, showing what was done, and by whom. Can you do that now, with two or more people logging into root? Can you do it with even one person logging into root? Not on any distribution I know today. So you aren't compliant, and will be pinged on your audit, and if you're required to be S-O compliant, you're leaving your company open to legal action.

Just because it's the way RedHat or SuSE does it doesn't make it the standard. You need it for the installation, which may be why both RedHat and SuSE are set up that way. It doesn't mean you have to stay that way once the system is up and running. You change other things on the system after the install, so I don't see the reasoning of holding up the standard that "It comes that way, so it should stay that way." That doesn't make any sense.

I stand by my statement: Get out of root as soon as you possibly can after the install, and stay out of root as much as you possibly can. Complain to vendors when they force you to use root to install their products. Complain to vendors that force you to run their product as root.

These are practices that shortly will not be acceptable. And the time shortens every time some retailer loses thousands of credit card records. We didn't lose that information, but we're the ones that it is easiest to go to and say "You've got to improve security! You have to have accountability!" So we're the ones that will ultimately pay the price. I predict that this will be one of the costs in the short term. Anyone willing to bet a coke on it?

--
Robert P. Nix
Mayo Foundation
RO-OE-5-55
200 First Street SW
507-284-0844
Rochester, MN 55905

In theory, theory and practice are the same, but in practice, theory and practice are different.

On 4/14/08 5:34 PM, John Summerfield [EMAIL PROTECTED] wrote:

> RPN01 wrote:
>> Would it be the wrong time to suggest that, once you have the system installed, up and running, nobody should ever log in as root, except in dire or unavoidable circumstances. Once you have the system, give your system administration group sudo all privs. Then just don't log into root at all. This gives you accountability
>
> Red Hat expects administrators to know and use root's password. That's what su does.
>
> SUSE expects administrators to know and use root's password. It configures sudo to work that way.
>
> Until the vendors change their approach, administrators are going to be working that way.
>
> The only Linux distribution that expects administrators to use their own password is Ubuntu, and while it's based off Debian that is available for IBM mainframes, Ubuntu isn't yet.
>
> One can also login as root without password if ssh is so configured.
>
> --
> Cheers
> John

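The sudoers setting that this message and its replies argue about, checked mechanically; this is an added example, not code from the thread. It relies on sudo's boolean `rootpw`, `runaspw` and `targetpw` Defaults flags; the three sample files and the `%sysadmin` group are constructed, and the parser is simplified (include directives are reported, not followed).

```python
import re

PW_FLAGS = ("rootpw", "runaspw", "targetpw")
DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")
# Catch-all rule that lets every account run anything as anyone.
BLANKET_RE = re.compile(r"^ALL\s+ALL\s*=\s*\(\s*ALL(\s*:\s*ALL)?\s*\)\s*ALL$")
INCLUDE_PREFIXES = ("#include", "@include")


def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if not line.startswith(INCLUDE_PREFIXES):
            line = re.sub(r"(^|\s)#.*$", "", line).strip()
        if line:
            yield line


def audit_sudoers(text):
    """Report whose password sudo will ask for and what that implies."""
    flags = dict.fromkeys(PW_FLAGS, False)
    scoped, findings, blanket = [], [], False
    for line in logical_lines(text):
        if line.startswith(INCLUDE_PREFIXES):
            findings.append(f"include not followed, audit it separately: {line}")
            continue
        match = DEFAULTS_RE.match(line)
        if not match:
            blanket = blanket or bool(BLANKET_RE.match(line))
            continue
        scope, body = match.groups()
        for item in (part.strip() for part in body.split(",")):
            name = item.lstrip("!").strip()
            if name in PW_FLAGS:
                enabled = not item.startswith("!")
                if scope:  # Defaults:user, Defaults@host, ... apply to a subset only
                    scoped.append((scope, name, enabled))
                else:
                    flags[name] = enabled
    # Assumed precedence when several flags are on: rootpw, runaspw, targetpw.
    if flags["rootpw"]:
        whose = "root"
    elif flags["runaspw"]:
        whose = "runas_default user"
    elif flags["targetpw"]:
        whose = "target user"
    else:
        whose = "invoking user"
    if whose != "invoking user":
        findings.append(f"sudo asks for the {whose}'s password: admins share a secret")
    elif blanket:
        findings.append("ALL ALL=(ALL) ALL without targetpw/rootpw: "
                        "every local account can become root with its own password")
    for scope, name, enabled in scoped:
        state = "on" if enabled else "off"
        findings.append(f"scoped override Defaults{scope}: {name} is {state}")
    return {"password_of": whose, "blanket_rule": blanket, "findings": findings}


# Constructed sample in the style the thread attributes to SUSE.
SUSE_STYLE = """\
Defaults env_reset
Defaults targetpw   # ask for the password of the target user, i.e. root
ALL ALL=(ALL) ALL
"""

# The "one line change" done carelessly: targetpw removed, catch-all rule kept.
NAIVE_FIX = """\
Defaults env_reset
ALL ALL=(ALL) ALL
"""

# Own-password sudo limited to a hypothetical admin group.
PER_ADMIN = """\
Defaults env_reset, !targetpw
%sysadmin ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for label, sample in (("suse-style", SUSE_STYLE), ("naive fix", NAIVE_FIX),
                          ("per-admin", PER_ADMIN)):
        print(label, audit_sudoers(sample))
```

The middle sample is the case to watch for: switching sudo to the invoking user's password is only safe once the catch-all rule has been replaced by a rule naming the administrators.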
Re: recover root password
On Tue, Apr 15, 2008 at 3:56 PM, RPN01 [EMAIL PROTECTED] wrote:

> RedHat and SuSE expect administrators to use the root account because "It's always been done that way". But, when you have more than one administrator, and especially if you have more than a handful, like six to fifteen, then doing so gives you no accountability for what has been done to your systems.

We found the "there is no root password" was much more acceptable to the developers. Too often a response like "you cannot have it" made them come back later complaining this was the reason their project was late, with a big badge joining them to twist our arms.

Actually, our users did not have passwords either. We relied entirely on cryptic keys via SSH and LDAP. Most harmful things can be done with sudo as well (we even controlled it by LDAP rather than passwords). And you could always run a shell under sudo, but it would reveal who was inside.

Rob

Re: recover root password
On Tue, 2008-04-15 at 08:56 -0500, RPN01 wrote:

> Anyone willing to bet a coke on it?

Never touch the stuff.

While I take your point about staying out of root insofar as possible, there are other ways to compartmentalize our systems: virtualization, r/o filesystems in dedicated partitions, chroots, FBSD-style jails, xBSD-style securelevels all come to mind. We can mitigate the situation when vendors force us to use root.

(Is there a s390[x] implementation of selinux? Just wondering. I don't even know how to *capitalize* selinux.)

--
David Andrews
A. Duda and Sons, Inc.
[EMAIL PROTECTED]

Re: recover root password
> (Is there a s390[x] implementation of selinux? Just wondering. I don't even know how to *capitalize* selinux.)

Yes. Both major vendors and Debian ship it loaded, but with SELinux functions turned off or warn-only due to the massive impact of how it changes the behavior of the system.

Re: recover root password
RPN01 writes:

> To be completely compliant, everything done by / with root will need to be logged, showing what was done, and by whom. Can you do that now, with two or more people logging into root? Can you do it with even one person logging into root? Not on any distribution I know today.

Quick plug: I'll be covering Linux native tools for auditing (auditd/auditctl), accounting (acct/sa) and other things beginning with A[1] in my technical session at the z Tech Conference in Dresden next month.

There are trade-offs involved in enabling such things but if you really want to audit everything root does, you can.

--Malcolm

[1] ACLs and Activity reporting.

--
Malcolm Beattie
System z SWG/STG, Europe
IBM UK

Re: recover root password
Even though I don't do Linux work...I agree with Robert here.

Now, it would be a nice feature on the Linux installs, I would imagine, if RH and Novell and others made it easy to set this up as the install was running. At least as far as setting up one admin account/password etc.

Kevin

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of RPN01
Sent: Tuesday, April 15, 2008 9:56 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

Re: recover root password
Bob Nix wrote:

> Anyone sticking to the "I have to have root!" model of system administration is leaving themselves open to a huge awakening as Sarbanes-Oxley and other regulations overtake us. While we aren't required by law to conform to Sarbanes-Oxley, we've chosen to bring ourselves as close as we possibly can.

They are also living in the Dark Ages.

> One of the requirements is that what is done to your systems is done with accountability. To be completely compliant, everything done by / with root will need to be logged, showing what was done, and by whom. Can you do that now, with two or more people logging into root? Can you do it with even one person logging into root? Not on any distribution I know today. So you aren't compliant, and will be pinged on your audit, and if you're required to be S-O compliant, you're leaving your company open to legal action.

It is heartwarming, after a fashion, to see this discussion. I forget: When did we introduce LOGON BY to z/VM?

The requirement for accountability is not driven by law, but by Good Business Practices, with an eye towards long-term survival. (The fact that we had to have laws to tell people that they must use Good Business Practices speaks volumes about our society and its [lack of] values. :-( )

One of the reasons the mainframes have endured for so long is because, I believe, its purchasers' continued adherence to rigid change control practices. Time is money. So if you screw up a change, you cost us money. This was all before S-O Co.

Give someone root authority, but make them say "Give me root authority. Here are my credentials. If you'll check your e-clipboard, you'll see that I'm On The List." (Of course, not REALLY root authority. E.g. no ability to grant root to someone else or to turn off security subsystems, auditing, etc. "Dinosaurs can cause serious injury or death" is not the only message to take from the movie Jurassic Park.)

If I was working as a sysadmin, the number of admins was 1 and all I had was root, I'd be screaming from the rafters. Like my company, I want protection from the actions of others (plausible deniability). Don't give me root's password - I don't want to know it.

Alan Altmark
z/VM Development
IBM Endicott

Re: recover root password
Hey, didn't we talk about this stuff a few weeks ago on the phone?

Anyway, we have a unix/linux product in lieu of sudo (on every place but zLinux at the moment due to vendor support, but that is changing real soon now) that key stroke logs (to a remote server) every thing one does while running as root, because, like Alan said, you can do things like turn off audit and destroy logs, or change the root pw, grant someone else, etc.

While logonby is great and we use it all the time with byonly userids and never ever share a password on VM, we still really can't tell those who care about SOX what someone did when they logged into MAINT or VMSECURE or RACFVM if he's your guy. You can't even use last changed date on minidisks, because, well there is DDR! z/VM doesn't really have anything in place to protect you from your sysprog (or at least read about it after the fact), unlike the other o/s's that at least give the illusion that they can.

Marcy Cortes

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Alan Altmark
Sent: Tuesday, April 15, 2008 10:39 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] recover root password

Re: recover root password
Rob van der Heij wrote:
> On Tue, Apr 15, 2008 at 12:34 AM, John Summerfield [EMAIL PROTECTED] wrote:
>> Until the vendors change their approach, administrators are going to be working that way.
>
> But isn't that why folks bother to hang out on mailing lists and learn how to improve their way of working?

Sure. How many do you know of who don't hang out on these lists?

> I consider the default setup maybe the easiest way to get started, but

Lots of people reckon Apple does a good job on UI design. By default, root on OS X is locked, and users who have administrative rights use their own password. That's probably why Ubuntu does it that way, quite a few of the (early) techos were Apple fans.

> not necessarily the best approach to run your system. My expectations of an end-user system are different. If you have someone install just one or two systems, you want the installer to do most things right and let the user resume his real work. But with professionals doing installs as their job, I'd expect them to know the requirements better than the vendor. Bonus points for installers that let you tweak the process rather than fight it (I have bad memories of YaST re-install some products each time it could).

Over time, there have been arguments on RH lists that RH wasn't doing enough to make systems as secure as they should be, and criticising RH practices. I remember complaining about many rpms that could only be built by root - the kernel was the last I recall, and at the time the build process was creating a device entry. RH has learned and generally has done things fairly well long enough that Brad may be surprised to read this:-)

> We used to have IBM products with installation instructions like this:
>
>     CP MSG OPERATOR PLEASE MOUNT TAPE
>     CP WNG ALL MAINTENANCE WILL BEGIN !
>     REW 181
>
> Even though these are actual commands, I believe they should not be taken literally as the maintenance procedure in any shop.

I used to install a lot of third-party stuff on MVS; I learned to use salt when reading instructions.

--
Cheers
John

-- spambait
[EMAIL PROTECTED] [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
Re: recover root password
RPN01 wrote:
> By default, sudo expects root's password.

That is not what the man page says. It _is_ the way SUSE configures it.

--
Cheers
John
Re: recover root password
Malcolm Beattie wrote:
> RPN01 writes:
>> To be completely compliant, everything done by / with root will need to be logged, showing what was done, and by whom. Can you do that now, with two or more people logging into root? Can you do it with even one person logging into root? Not on any distribution I know today.
>
> Quick plug: I'll be covering Linux native tools for auditing (auditd/auditctl), accounting (acct/sa) and other things beginning with A[1] in my technical session at the z Tech Conference in Dresden next month.
>
> There are trade-offs involved in enabling such things but if you really want to audit everything root does, you can.
>
> --Malcolm
>
> [1] ACLs and Activity reporting.

While composing an earlier reply, I was thinking of suggesting ACLs (and read the man page). I thought of two disadvantages

1. Logging, which you say can be done
2. Password prompt.

What do enterprise users think?

--
Cheers
John
Re: recover root password
Bjoern A. Zeeb wrote:
> On Mon, 14 Apr 2008, Miguel Roman wrote:
>
> Hi,
>
> so, all I read was that you had to take down/reboot the linux system to recover. The days I last used linux (on intel that was) you could simply boot into single user mode and got a shell once / was mounted without being asked for a password.

Whether that works depends on the distro, some try to impede folk by using sulogin (great fun when a manual fsck is necessary).

If you can boot without password, sulogin is a lost cause. Boot with this option:

    ... init=/bin/bash

and be prepared to find and mount the filesystems yourself. Then reboot.

If the bootloader uses a password, that's usually futile too:

1. Boot from CD or similar. A grub floppy will do on intellish hardware.
2. Remove drive and have at it in another system.

The Fedora project is working on installing to encrypted disk, that should be available in f9 (which is now in beta).

ps
fc3 was about RHEL4
fc6 was about RHEL5
fc9 ?? Will it be? Could it be?

> You change your password and continue to the boot to get to multi user.
>
> So now I have no idea if
> - is it possible to boot into single user mode easily from VM?
> - the distributions do ask for a password (the root password) these days before you get the shell in single user mode?
>
> The advantage of this concept was that it was pretty damn fast if you had to reboot anyway and you didn't need any 2nd system and do mounts and chroot and all that.
>
> Some BSD systems have a second privileged user called 'toor' btw. You could easily setup a password for that user at install time, write it down put it into a safe and you wouldn't even have to reboot ... but setting up sudo properly, as said by others, should be a better choice these days.

I managed to lose the password file once. I was very relieved when I realised

1. I had an active vnc session
2. I don't have good vnc passwords (the ungodly don't get close enough to test them).

A vnc session through my modem was better than a car journey.

--
Cheers
John
Re: recover root password
Rob van der Heij wrote:
> More convenient IMHO is to have another running Linux server reach out to the disks of the dead server and mount them. That way you have all the tools you need to fix things (though it may be that current LVM-tools have a strong one-system mindset).

Folk on RH/Fedora lists have complained long about filesystem labels, and LVM names are fully as good at causing grief.

Help is at hand, we're going to oh-so-long UUIDs now. There's a change in LVM names too. Oh joy!

--
Cheers
John
Re: recover root password
McKown, John wrote:
> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of John Summerfield
> Sent: Monday, April 14, 2008 5:34 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: recover root password
>
> [snip]
>
>> Red Hat expects administrators to know and use root's password. That's what su does. SUSE expects administrators to know and use root's password. It configures sudo to work that way.
>
> Strange. On my OpenSUSE at home, it asks for my password, not root's password.

Then you must have changed it, as I did. This is from the distributed configuration on 10.3:

    Defaults targetpw # ask for the password of the target user i.e. root

I verified it:

    05:45 [EMAIL PROTECTED] tmp]$ rpm2cpio /mnt/iso/suse/i586/sudo-1.6.9p2-23.i586.rpm | cpio --extract -d
    882 blocks
    05:46 [EMAIL PROTECTED] tmp]$ find etc/
    etc/
    etc/pam.d
    etc/pam.d/sudo
    etc/sudoers

>> Until the vendors change their approach, administrators are going to be working that way.
>
> That can be fixed by the administrator using visudo to change

It can be, but most people will assume the vendor has it right until they learn otherwise. Did _you_ go through every bit of your opensuse configuration to ensure it's sane, according to your own beliefs?

> /etc/sudoers. Granted, another customization that the vendor should do. Perhaps. But you know how much people will scream "why did that CHANGE" if the vendor does it.

Ubuntu used sudo from the beginning. I don't recall any controversy over it. I imagine that when RH/SUSE does it, they will document it in the release notes and other documentation, and when people challenge it, point them at the documentation.

>> The only Linux distribution that expects administrators to use their own password is Ubuntu, and while it's based off Debian that is available for IBM mainframes, Ubuntu isn't yet.
>>
>> One can also login as root without password if ssh is so configured.
>
> Hopefully you mean with a cert instead of a password.

I don't know of anyone who's implemented ssh to allow login without _some_ credentials.

--
Cheers
John
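The Defaults targetpw line quoted in this message is what decides whose password sudo asks for. The following is an added example, not part of the original messages and not code from sudo or SUSE: a Python reader for sudoers text that reports the effective choice. The sample files are constructed, included files are not followed, and the precedence among rootpw, runaspw and targetpw is an assumption of this sketch.

```python
import re

# sudoers(5) flags that change whose password sudo prompts for. The list order
# is the precedence this sketch ASSUMES when more than one flag is enabled.
PW_FLAGS = [("rootpw", "root"),
            ("runaspw", "runas_default user"),
            ("targetpw", "target user")]
PW_NAMES = {name for name, _ in PW_FLAGS}

# "Defaults", an optional binding (:user, @host, >runas, !command), parameters.
DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<params>.+)$")
# Simplification: "#" starts a comment at line start or after whitespace.
COMMENT_RE = re.compile(r"(?:^|\s)#.*$")
# Split on commas that are not inside double quotes.
SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
FLAG_RE = re.compile(r"^(?P<neg>!?)(?P<name>[a-z_]+)$")


def pw_settings(text):
    """Yield (scope, flag, enabled) for each password-target flag, in file order."""
    text = text.replace("\\\n", " ")          # join continuation lines
    for raw in text.splitlines():
        m = DEFAULTS_RE.match(COMMENT_RE.sub("", raw).strip())
        if not m:
            continue
        for param in SPLIT_RE.split(m.group("params")):
            f = FLAG_RE.match(param.strip())
            if f and f.group("name") in PW_NAMES:
                yield m.group("scope"), f.group("name"), not f.group("neg")


def password_asked(text):
    """Whose password the global (unscoped) Defaults make sudo ask for."""
    state = dict.fromkeys(PW_NAMES, False)
    for scope, name, enabled in pw_settings(text):
        if scope is None:                     # later global lines override earlier
            state[name] = enabled
    for name, whose in PW_FLAGS:
        if state[name]:
            return whose
    return "invoking user"                    # sudo's behaviour with no flag set


def scoped_overrides(text):
    """Per-user/host/runas/command Defaults that touch the same flags."""
    return [s for s in pw_settings(text) if s[0] is not None]


# Constructed samples. The first line is the one quoted in the thread; the
# rest imitates an administrator's later edit ("oper" is a hypothetical user).
AS_SHIPPED = "Defaults targetpw # ask for the password of the target user i.e. root\n"
AFTER_VISUDO = AS_SHIPPED + "Defaults env_reset, \\\n    !targetpw\nDefaults:oper rootpw\n"

if __name__ == "__main__":
    for label, text in (("as shipped", AS_SHIPPED), ("after visudo", AFTER_VISUDO)):
        print(label, "->", password_asked(text), scoped_overrides(text))
```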
Re: recover root password
One way to fix it is to use your rescue system to mount the amnesiac system's / fs at /mnt, chroot to /mnt and run passwd to change root's pw.

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Miguel Roman
Sent: Monday, April 14, 2008 11:03 AM
To: LINUX-390@VM.MARIST.EDU
Subject: recover root password

Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the administrators changed the root password and forgot the password. Does anyone know how to recover the root password?

Thanks.

Miguel A Roman.
recover root password
Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the administrators changed the root password and forgot the password. Does anyone know how to recover the root password?

Thanks.

Miguel A Roman.
Re: recover root password
On Mon, Apr 14, 2008 at 11:03 AM, in message [EMAIL PROTECTED], Miguel Roman [EMAIL PROTECTED] wrote:
> Hello,
>
> We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the administrators changed the root password and forgot the password. Does anyone know how to recover the root password?
>
> Thanks.

Boot your installation kernel and initrd, and get your network up. Choose the SSH install method.
SSH in, activate your root file system disk.
Mount your root file system on /mnt
chroot /mnt
Change the password
Exit the chroot environment
Unmount your root file system
Re-IPL from DASD

Mark Post
Re: recover root password
Does anyone have full sudo? Then you could just

    sudo su -
    passwd

And change it.

Marcy Cortes

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of Miguel Roman
Sent: Monday, April 14, 2008 8:03 AM
To: LINUX-390@VM.MARIST.EDU
Subject: [LINUX-390] recover root password

Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the administrators changed the root password and forgot the password. Does anyone know how to recover the root password?

Thanks.

Miguel A Roman.
Re: recover root password
Miguel,

For things like this VM is the Bomb! Just make the root drive from the locked server available for a different Linux guest, (making sure the one with the locked out root account is down) and boot the 2nd guest.

Then mount the new disk as /mnt and cd /mnt/etc

Then edit the /mnt/etc/shadow file and remove the password from the root account.

Then undo all the previous steps and boot. Fixed.

(this is kind of a quick and dirty explanation, I can do better if you'd like)

David K.

Marcy Cortes [EMAIL PROTECTED]
Sent by: Linux on 390 Port [EMAIL PROTECTED]
04/14/2008 11:30 AM
Please respond to Linux on 390 Port [EMAIL PROTECTED]
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

Does anyone have full sudo? Then you could just

    sudo su -
    passwd

And change it.

Marcy Cortes
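Removing the password from root's line in /etc/shadow, as this message describes, leaves root with an empty password field until someone sets a new one, and Bjoern's earlier message mentions a second UID 0 account ('toor'). The following is an added example, not part of the original messages: a Python check that lists every UID 0 account and the state of its password field. The passwd and shadow contents are constructed samples and the hash string is a placeholder.

```python
def records(text, min_fields):
    """Yield the colon-separated fields of each well-formed, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def classify(field):
    """Classify a password field as described in shadow(5)."""
    if field == "":
        return "empty"        # authenticates with no password at all
    if field.startswith("!"):
        return "locked"       # password login disabled, a hash may follow the "!"
    if field.startswith("*"):
        return "no-login"     # can never match a hash
    return "hashed"


def superusers(passwd_text, shadow_text):
    """Return [(name, status)] for every account whose UID is 0, in passwd order."""
    shadow = {f[0]: f[1] for f in records(shadow_text, 2)}
    report = []
    for name, pw, uid, *_ in records(passwd_text, 3):
        if uid != "0":
            continue
        if pw == "x":                       # password lives in the shadow file
            status = classify(shadow[name]) if name in shadow else "no shadow entry"
        else:                               # legacy: field stored in passwd itself
            status = classify(pw)
        report.append((name, status))
    return report


def passwordless(passwd_text, shadow_text):
    """Names of UID 0 accounts that can be entered without any password."""
    return [n for n, s in superusers(passwd_text, shadow_text) if s == "empty"]


# Constructed samples: the state right after the shadow edit described above.
PLACEHOLDER_HASH = "$2a$05$CONSTRUCTED.NOT.A.REAL.HASH"
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "toor:x:0:0:spare root:/root:/bin/sh\n"
    "daemon:x:2:2:Daemon:/sbin:/bin/false\n"
    "alice:x:1000:100:Alice:/home/alice:/bin/bash\n"
)
SHADOW_EDITED = (
    "root::13983:0:99999:7:::\n"
    "toor:!:13983::::::\n"
    "daemon:*:13000::::::\n"
    "alice:" + PLACEHOLDER_HASH + ":13983:0:99999:7:::\n"
)
# The same file once passwd has been run for root.
SHADOW_FIXED = SHADOW_EDITED.replace("root::", "root:" + PLACEHOLDER_HASH + ":")

if __name__ == "__main__":
    print(superusers(PASSWD, SHADOW_EDITED), passwordless(PASSWD, SHADOW_EDITED))
    print(superusers(PASSWD, SHADOW_FIXED), passwordless(PASSWD, SHADOW_FIXED))
```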
Re: recover root password
Thank you all for the help.

Miguel

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of David K. Kelly
Sent: Monday, April 14, 2008 11:43 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

Miguel,

For things like this VM is the Bomb! Just make the root drive from the locked server available for a different Linux guest, (making sure the one with the locked out root account is down) and boot the 2nd guest.

Then mount the new disk as /mnt and cd /mnt/etc

Then edit the /mnt/etc/shadow file and remove the password from the root account.

Then undo all the previous steps and boot. Fixed.

(this is kind of a quick and dirty explanation, I can do better if you'd like)

David K.
Re: recover root password
Would it be the wrong time to suggest that, once you have the system installed, up and running, nobody should ever log in as root, except in dire or unavoidable circumstances?

Once you have the system, give your system administration group sudo all privs. Then just don't log into root at all. This gives you accountability for what is being done to your system; You can't tell who logged in as root (ok, you can tell what IP address they were from, but that person can say "Hey! Somebody else used my jack..."), but you can tell who is using sudo.

Dire circumstances? Like when you need to log into a semi-brain dead system from the console. Or your normal authorization system (like LDAP) has given up the ghost.

Unavoidable circumstances? Like when you need to install a product and it checks that you logged in as root; not that you are root now, but that you actually logged in to the root account. If you're the vendor, then shame on you! It shouldn't matter how I got to be root, and you shouldn't care either, just to install your program.

In any case, don't log into root, and you avoid this type of problem. At best, someone will lock themselves out, which might actually be a good thing, given some people. And if you change root's password and forget, you have several semi-root people to call upon to easily fix your mistake.

Of course, that doesn't mean that you don't need to change root's password from time to time; you still need to maintain the security and integrity of your system.

--
Robert P. Nix          Mayo Foundation        .~.
RO-OE-5-55             200 First Street SW    /V\
507-284-0844           Rochester, MN 55905   /( )\
-^^-^^
In theory, theory and practice are the same, but in practice, theory and practice are different.

On 4/14/08 10:42 AM, David K. Kelly [EMAIL PROTECTED] wrote:
> Miguel,
>
> For things like this VM is the Bomb! Just make the root drive from the locked server available for a different Linux guest, (making sure the one with the locked out root account is down) and boot the 2nd guest.
>
> Then mount the new disk as /mnt and cd /mnt/etc
>
> Then edit the /mnt/etc/shadow file and remove the password from the root account.
>
> Then undo all the previous steps and boot. Fixed.
>
> (this is kind of a quick and dirty explanation, I can do better if you'd like)
>
> David K.
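The accountability difference described in this message shows up directly in the authentication log: a sudo entry names the invoking user and the command, while a direct root login records only a source address. The following is an added example, not part of the original messages: a Python pass over log lines in the usual sudo and OpenSSH syslog formats that separates the two and also marks sudo calls that only open a root shell. The log lines, host name, users and addresses are constructed.

```python
import os
import re

# sudo:  "<user> : [reason ; ]TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<pre>.*?)"
    r"USER=(?P<runas>\S+) ; (?:.*? ; )?COMMAND=(?P<cmd>.+)$")
# sshd:  "Accepted <method> for root from <address> port <n> ..."
SSHD_ROOT_RE = re.compile(
    r"\bsshd\[\d+\]: Accepted (?P<method>\S+) for root from (?P<src>\S+) port \d+")
# Reasons sudo logs when it refuses to run the command.
REFUSED = ("incorrect password attempt", "NOT in sudoers", "command not allowed")
# Commands that hand over an interactive root shell: later commands typed in
# that shell do not appear in the sudo log.
SHELLS = {"su", "sh", "bash", "ksh", "csh", "tcsh", "zsh"}


def root_events(log_text):
    """Return one dict per event that gives (or tries to give) someone root."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m and m.group("runas") == "root":
            cmd = m.group("cmd")
            events.append({
                "via": "sudo", "who": m.group("user"), "command": cmd,
                "ran": not any(r in m.group("pre") for r in REFUSED),
                "shell": os.path.basename(cmd.split()[0]) in SHELLS,
            })
            continue
        m = SSHD_ROOT_RE.search(line)
        if m:                                   # direct root login: no person named
            events.append({"via": "ssh/" + m.group("method"), "who": None,
                           "source": m.group("src")})
    return events


def attributed(log_text):
    """(user, command) pairs that sudo actually ran as root."""
    return [(e["who"], e["command"]) for e in root_events(log_text)
            if e["via"] == "sudo" and e["ran"]]


def shell_handoffs(log_text):
    """Users whose sudo call opened a root shell instead of a single command."""
    return [e["who"] for e in root_events(log_text)
            if e["via"] == "sudo" and e["ran"] and e["shell"]]


def unattributed(log_text):
    """Source addresses of direct root logins, the only identity the log has."""
    return [e["source"] for e in root_events(log_text) if e["who"] is None]


# Constructed sample log.
SAMPLE_LOG = """\
Apr 14 10:40:11 lnx01 sshd[2211]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Apr 14 10:42:01 lnx01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd root
Apr 14 10:43:30 lnx01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Apr 14 10:44:02 lnx01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Apr 14 10:45:00 lnx01 sshd[2290]: Accepted publickey for alice from 192.0.2.11 port 51301 ssh2
"""

if __name__ == "__main__":
    print("attributed:  ", attributed(SAMPLE_LOG))
    print("root shells: ", shell_handoffs(SAMPLE_LOG))
    print("unattributed:", unattributed(SAMPLE_LOG))
```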
Re: recover root password
The quickest way is to bring down the server that you lost your password using bootable media procedure as if you are running on a local box. The difference is that you're going to use another Linux guest to do the recovery for you.

detach the minidisk where / is resided on
#cp link suse93 mr from the recovery id
mount the partition
mount /dev/?? /mnt
chroot /mnt
passwd
exit

Miguel Roman [EMAIL PROTECTED]
Sent by: Linux on 390 Port [EMAIL PROTECTED]
04/14/2008 11:03 AM
Please respond to Linux on 390 Port [EMAIL PROTECTED]
To: LINUX-390@VM.MARIST.EDU
Subject: recover root password

Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the administrators changed the root password and forgot the password. Does anyone know how to recover the root password?

Thanks.

Miguel A Roman.
Re: recover root password
RPN01 wrote:
> Would it be the wrong time to suggest that, once you have the system installed, up and running, nobody should ever log in as root, except in dire or unavoidable circumstances?
>
> Once you have the system, give your system administration group sudo all privs. Then just don't log into root at all. This gives you accountability

Red Hat expects administrators to know and use root's password. That's what su does.

SUSE expects administrators to know and use root's password. It configures sudo to work that way.

Until the vendors change their approach, administrators are going to be working that way.

The only Linux distribution that expects administrators to use their own password is Ubuntu, and while it's based off Debian that is available for IBM mainframes, Ubuntu isn't yet.

One can also login as root without password if ssh is so configured.

--
Cheers
John