Owl River Company
http://www.owlriver.com/tips/maintenance/
Setting up a Unix host for maintenance
Problem: The regular admin is on vacation; I was called on site
for an emergency; the root password is not known to me or anyone at
the customer's site. I need to work on the host, without permanently
disrupting things.
What should I do?
Response: Set up a temporary maintenance account, with full 'sudo'
rights.
Extended response: Determine if the host can be brought up in
single user mode, so you can obtain a root shell prompt without
knowing the root password. An extended discussion of all the
various ways to 'reboot in single user mode' is beyond the scope
of this piece.
If you are not aware of the process for doing so, you need to stop and
consider whether you should really be doing this maintenance -- it is very
easy to compound a simple problem into a real disaster with 'root' account
rights.
If you decide you should proceed, and know the procedure for attaining
'single user' mode, do so.
Once in single user mode, add a plain unprivileged user account for yourself.
Conventional password safety discipline applies -- use a site-specific, and
perhaps even host-specific, password; set email forwarding off the host to
your central monitoring account; leave notes of what you did in a safe and
accessible place.
Determine if the 'sudo' package is installed. The 'sudo' package
is a safe and accountable way to distribute and monitor system 'root'
account use. It is not absolutely impossible to circumvent 'sudo' (a
knowledgeable person with physical access to a host can compromise almost
anything), but it deters the casual intruder.
'Sudo' is freely available for all modern *nices; its reference site is at:
http://www.courtesan.com/sudo/
A careful sysadmin might keep a copy of it in their toolkit, on
transportable media, for the platforms which they will encounter, before
it is needed. ... hint, hint
Most commonly, the configuration file is present at one of these
locations: /etc/sudoers or /usr/local/etc/sudoers.
The package comes with visudo, a configuration file editor which
verifies the syntax of changes; using it is probably best.
Failing that, use any available editor (vi is present on almost
every *nix) and add a line like the following to the end of
that file (we use the sample user account 'userid' -- obviously,
substitute YOUR user ID in its place):
userid ALL=(ALL) ALL
If an editor is not available, this also works:
echo "userid ALL=(ALL) ALL" >> /etc/sudoers
With this in place, it is usually possible to reboot into a multi-user,
networked runlevel, and perform needed maintenance, using the 'sudo' command
to obtain 'root' access when needed. A full discussion of properly using
'sudo' is left to the materials which that package provides, and is beyond
the scope of this piece.
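The sudoers edit described above, written as a shell function that backs up the file, appends the rule only once, and restores the backup if the syntax check fails. This is an added example, not part of the original tip; the names grant_sudo and SUDOERS_CHECK and the '.pre-maint' backup suffix are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original tip). grant_sudo, SUDOERS_CHECK and
# the ".pre-maint" backup suffix are hypothetical names chosen here.
# Must run as root against the real file; takes any path for a dry run.

SUDOERS_CHECK=${SUDOERS_CHECK:-visudo}   # syntax checker, overridable

grant_sudo() {
    user=$1
    file=${2:-/etc/sudoers}
    rule="$user ALL=(ALL) ALL"
    backup="$file.pre-maint"

    [ -n "$user" ] || { echo "usage: grant_sudo USER [SUDOERS_FILE]" >&2; return 2; }
    [ -f "$file" ] || { echo "no sudoers file at $file" >&2; return 2; }

    # Idempotent: an exact copy of the rule is already there, nothing to do.
    if grep -Fxq "$rule" "$file"; then
        return 0
    fi

    # Keep the pre-maintenance state so the change can be undone later.
    cp -p "$file" "$backup" || return 1

    # A plain 'echo >>' glues the rule onto an unterminated last line;
    # add the missing newline first.
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file" || return 1
    fi
    printf '%s\n' "$rule" >> "$file" || return 1

    # Check syntax; a broken sudoers file can leave sudo unusable.
    if command -v "$SUDOERS_CHECK" >/dev/null 2>&1; then
        if ! "$SUDOERS_CHECK" -c -f "$file" >/dev/null 2>&1; then
            cp -p "$backup" "$file"
            echo "syntax check failed; restored $file from $backup" >&2
            return 1
        fi
    else
        echo "warning: $SUDOERS_CHECK not found; $file was not validated" >&2
    fi
}

# Usage (as root, from the single-user shell): grant_sudo userid /etc/sudoers
```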
As a quick hint, and not as a common practice, once in a regular
shell, one can become 'root' thus:
sudo su -
Note: The password it prompts you for is your own userid password, not
the root password.
Please, please, please -- if there is not a current
image backup of the system, or if there is any question that the host has
been compromised, the FIRST task you should perform is to take a
snapshot image backup to external media.
We thank reviewer Jim Wildman for his feedback on this tip.
We make this available for non-commercial and individual use.
Please respect our copyright, and consider contacting us for
all your Open Source and *nix design, architect / systems analysis, and
administration needs.
See also:
Unix Rosetta Stone - local PDF
The Well-Tempered Unix Application - local (2002 variant)
rev 021126 RPH
Last modified: Wed, 27 Nov 2002 20:54:49 -0500