ORC Owl Logo 2  

Owl River Company

 
  Your IP is: 54.159.186.7

Up More Tips

   http://www.owlriver.com/tips/maintenance/

Setting up a Unix host for maintenance


Problem: The regular admin is on vacation; I was called on site for an emergency; the root password is not known to me or anyone at the customer's site. I need to work on the host, without permanently disrupting things.

What should I do?

Response: Set up a temporary maintenance account, with full 'sudo' rights.

Extended response: Determine if the host can be brought up in single user mode, so you can obtain a root shell prompt without knowing the root password. An extended discussion of all the various ways to 'reboot in single user mode' is beyond the scope of this piece.

If you are not aware of the process for doing so, you need to stop and examine if you should really be doing this maintenance -- it is very easy to compound a simple problem into a real disaster with 'root' account rights. If you decide you should proceed, and know the procedure for attaining 'single user' mode, do so.

Once in single user mode, add a plain unprivileged user account for yourself. Conventional pasword safety discipline applies -- use a site specific, and perhaps even host specific password; set email forwarding off the host to your central monitoring account; leave notes of what you did in a safe and accessible place.

Determine if the 'sudo' package is installed. The 'sudo' package is a safe, and accountable way to distribute and monitor system 'root' account use; it is not absolutely impossible to circumvent 'sudo' -- (a knowledgable person with physical access to a host can compromise almost anything), but it deters the casual intruder.

'Sudo' is freely available for all modern *nices; its reference site is at: http://www.courtesan.com/sudo/ -- A careful sysadmin might add a copy of it in their toolkit, on transportable media before it is needed, for the platforms which they will encounter. ... hint, hint

Most commonly, the configuration file /etc/sudoers or /usr/local/etc/sudoers is present at one those locations. The package comes with visudo -- a configuration file editor, which verifies correct syntax of changes, is probably best.

Failing that, use an available editor -- vi is almost everywhere in each *nix-- , and add a line thus to the end of that file (we use the sample user account 'userid' -- obviously, substitute YOUR user ID in its place):
userid ALL=(ALL) ALL
If an editor is not available, this also works: echo "userid ALL=(ALL) ALL" >> /etc/sudoers
With this in place, it is usually possible to reboot into a multi-user, networked runlevel, and perform needed maintenance, using the 'sudo' command to obtain 'root' access when needed. A full discussion of properly using 'sudo' is left to the materials which that package provides, and is beyond the scope of this piece.

As a quick hint, and not as a common practice, once in a regular shell, one can become 'root' thus: sudo su -
Note: The password which it is prompting you for is your common userid password.

Please, please, please -- if there is not a current image backup of the system, or if there is any question that the host has been compromised, the FIRST task you should perform is to take a snapshot image backup to external media.

We thank reviewer Jim Wildman, for his feedback on this tip.


We make this available for non-commercial and individual use. Please respect our copyright, and consider contacting us for all your Open Source and *nix design, architect / systems analysis, and administration needs.


See also: Unix Rosetta Stone - local PDF
          The Well-Tempered Unix Application - local (2002 variant)

rev 021126 RPH
http://www.owlriver.com/tips/maintenance/

Up More Tips
       

Back to Top Page
[legal] [ no spam policy ] [ Copyright] © 2008 Owl River Company
All rights reserved.

Last modified: Wed, 27 Nov 2002 20:54:49 -0500
http://www.owlriver.com/tips/maintenance/index.php