Operator Accounts without root Access


About this document
    Related documentation
menush script
Setup procedure
Security concerns

About this document

The following menush script allows specialized access to root functions. System administrators can establish accounts to allow other users to perform functions, such as backups, killing hung processes, or managing print jobs. While these functions require root authority, it is often undesirable to allow access to all root functions. This document applies to AIX Versions 3.2.5, 4.1, 4.2 and 4.3.

Related documentation

The product documentation library is also available:

menush script

The menush script provides a menu of options and is invoked as an operator account in place of a shell. The first line in the script is not a comment and is required for the shell to work.

NOTE: In order for this script to work, all comments (lines beginning with a #) must start at column zero. Due to the formatting of this document, the actual script is indented a number of spaces. Also, if a line begins with a | (pipe character) you should remove that character. Any page headers and footers should also be removed from the body of the script.

     #!/bin/ksh
     # The #! line above is the non-comment first line the text refers
     # to; /bin/ksh (the AIX default shell) is assumed here.
     # This script is a menuing program that can be used to
     # give operators access to superuser level commands,
     # such as backup, shutdown, kill, etc. without giving
     # them a root shell.  This works by making this script the initial
     # program of the users so that when they log in,
     # they have UID 0 but do not get a shell prompt.  It
     # requires a user defined startup file in the HOME
     # directory of the "operator" account called .menushrc,
     # which is defined as follows:
     #    Menuname
     #    1=Option Name=/path/command=prompt=page
     #    99
     # where Menuname is a one word name for the menu, followed
     # by up to 15 option lines consisting of an option number,
     # text for the option, command to run, prompt text or the
     # word none, and the word yes or no to indicate if the
     # output of the command should be piped through
     # the pg command.  The 99 at the end of the options is
     # required to signal the end of the option lines.
     # First we set up a trap that disables break (^-C) that the
     # wiley operator might try to get a root shell.
     trap "" 2
     # Now define a function to process the user selected option.
     # (The function name did not survive in the document; runopt is
     # used here.)  The selected option number is in $resp.
     runopt()
     {
         ITEXT=$(grep "^$resp=" $HOME/.menushrc | cut -d'=' -f2)
         PROMPT=$(grep "^$resp=" $HOME/.menushrc | cut -d'=' -f4)
         CMD=$(grep "^$resp=" $HOME/.menushrc | cut -d'=' -f3)
         PG=$(grep "^$resp=" $HOME/.menushrc | cut -d'=' -f5)
         if [ "$CMD" != "" ]
         then
             if [ "$PROMPT" != "none" ]
             then
                 # The option takes an argument: prompt for it, log it,
                 # and pass it to the command.
                 echo " "
                 echo "\t\t\t$PROMPT\c"
                 read input
                 echo $(date)" "$ITEXT" "$input >>$HOME/menush.log
                 if [ "$PG" != "yes" ]
                 then
                     eval $CMD $input
                 else
                     eval $CMD $input | pg -n
                 fi
             else
                 # No argument needed: log the selection and run it.
                 echo $(date)" "$ITEXT >>$HOME/menush.log
                 if [ "$PG" != "yes" ]
                 then
                     eval $CMD
                 else
                     eval $CMD | pg -n
                 fi
             fi
         else
             echo $(date)" "$resp" Invalid option" >>$HOME/menush.log
             echo "\t\t\tInvalid option"
             sleep 2
         fi
     }
     # Now we parse the $HOME/.menushrc file to get the valid
     # menu options.  If this file does not exist, exit
     # immediately.  If we find the file, use it to display
     # the menu and continue to do so until the user
     # selects option 0 to exit.
     if [ -r $HOME/.menushrc ]
     then
         while [ "$resp" != "0" ]
         do
             # Read the menu definition with "=" as the field separator
             # so that read splits each option line into its five fields.
             OIFS=$IFS
             IFS="="
             exec < $HOME/.menushrc
             read menuname
             echo "\t\t\t\t$menuname Menu"
             echo " "
             read inum iname icmd iprompt ipg
             while [ -n "$inum" -a "$inum" != "99" ]
             do
                 echo "\t\t$inum\t$iname"
                 read inum iname icmd iprompt ipg
             done
             echo "\t\t0\tExit"
             echo " "
             # Put standard input back on the terminal for the selection.
             exec <&1
             IFS=$OIFS
             # See step 4 of the setup procedure for the 3.2 / 4.x form
             # of this echo.
             echo -n "\t\t\tSelection: \c"
             read resp
             case $resp in
                "0") exit;;
                # Numeric selections are looked up in .menushrc by the
                # function above (this dispatch line is reconstructed).
                [1-9]|[1-9][0-9]) runopt;;
                *)   echo $(date)" "$resp" Invalid option" >>$HOME/menush.log
                     echo "\t\t\tInvalid option"
                     sleep 2;;
             esac
         done
     else
         echo "\t\tNo .menushrc found.  Exiting."
         sleep 2
     fi

Setup procedure

  1. Type in the preceding script and save it as /usr/sbin/menush.

  2. Run the following command to set permissions on the file.
       chmod 0750 /usr/sbin/menush 
  3. To create an operator user account and change the UID and GID to 0 in /etc/passwd, follow these sub-steps:

    1. Use SMIT to create an operator account. Use the defaults with the exception of the LOGIN user? prompt. Type false in this field.

    2. Once SMIT has created the user account, edit /etc/passwd. Find the operator line:
      201 and 10 are numbers assigned by the SMIT command. Change these numbers to 0 and edit the end of the line as follows:

      NOTE: The preceding fields marked in boldface are the ones that must be changed in /etc/passwd. Do not put the boldface marks in /etc/passwd.

    3. Change the directory to the home directory of the new account. Create the menu definition file that will be used by the menush script. The .menushrc format is as follows:

         menuname
         1=Option text=command=prompt=page
         99

      menuname is the one-word name for this menu, such as "Operator", followed by up to 15 option definition lines, followed in turn by the number 99, which signals the end of the menu definition. A sample .menushrc file might look like this:

         Operator
         1=Kill a process=/bin/kill -9=PID to kill: =no
         2=Kill a print job=qcan -x=Job number? =no
         3=Show status of print jobs=lpstat=none=yes
         4=Change Operator Password=/usr/bin/passwd operator=none=no
         99

      All lines must start in the first column. In the preceding example, the menu name is Operator. Options that don't require further input from the operator have their prompts set to none. The commands portion of the option definition line should specify the complete path name to the command or script to be executed since no PATH is set for this account. This file should be owned by root and have read and write permission for the owner only.

      NOTE: You cannot use any program in your operator menu that requires an interactive shell. This means that programs that expect input from the user, such as SMITTY, cannot be used.

    4. Assign an initial password to the operator account.

      Now the operator can only access this account by using the su command. This is done so that a record exists of when a user logs in as operator (this is recorded in the /var/adm/sulog). In addition, the script will write a log file in the operator $HOME directory called menush.log that records the date, the time, and the menu option selected.

  4. This script applies to AIX Versions 3.2 and 4.x with the following exceptions:

    In versions 4.x the echo command does not support the -n flag. This command only needs to be changed in one of the two places that it appears in the preceding script.

    The syntax for version 3.2 is:

    echo -n "\t\t\tSelection: "

    The syntax for versions 4.x must be:

    echo "\t\t\tSelection: \c"
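A pre-deployment check for a .menushrc file, written as an added example that is not part of the original document or of the menush script. It applies the rules from step 3 above (one-word menu name, five "="-separated fields per option, absolute command paths because no PATH is set, a yes/no page field, at most 15 options, a terminating 99) and rejects SMIT entries, which the NOTE in step 3 says cannot be used from the menu. The sample files are constructed here; the /usr/bin/qcan location is assumed.

```shell
#!/bin/sh
# Added example (not from the original document): check a .menushrc file against
# the rules in the setup procedure before it is placed in the operator's home.
check_menushrc() {
    file=$1 errors=0 count=0 lineno=0 ended=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        if [ "$lineno" -eq 1 ]; then               # first line: one-word menu name
            case "$line" in ''|*[!A-Za-z0-9_]*) echo "line 1: menu name must be one word"; errors=$((errors + 1));; esac
            continue
        fi
        if [ "$line" = 99 ]; then ended=1; break; fi   # menush stops reading here
        # Split the option line on '='; a sixth field means a stray '=' in the text.
        IFS='=' read -r num text cmd prompt page extra <<EOF
$line
EOF
        count=$((count + 1))
        if [ -z "$page" ] || [ -n "$extra" ]; then
            echo "line $lineno: expected five '='-separated fields"; errors=$((errors + 1)); continue
        fi
        case "$num" in ''|*[!0-9]*) echo "line $lineno: option number '$num' is not numeric"; errors=$((errors + 1));; esac
        # No PATH is set for the operator account, so the command must be absolute.
        case "$cmd" in /*) ;; *) echo "line $lineno: '$cmd' is not an absolute path"; errors=$((errors + 1));; esac
        # SMIT needs an interactive shell and would let the operator edit user attributes.
        case "${cmd%% *}" in */smit|*/smitty) echo "line $lineno: SMIT cannot be used from the menu"; errors=$((errors + 1));; esac
        case "$page" in yes|no) ;; *) echo "line $lineno: page field must be yes or no"; errors=$((errors + 1));; esac
    done < "$file"
    [ "$ended" -eq 1 ] || { echo "missing the 99 terminator"; errors=$((errors + 1)); }
    [ "$count" -le 15 ] || { echo "$count options; menush reads at most 15"; errors=$((errors + 1)); }
    return "$errors"                               # 0 = clean, otherwise the number of problems
}
# Constructed sample: the document's menu with absolute paths (/usr/bin/qcan is assumed).
GOOD_RC=$(mktemp)
cat > "$GOOD_RC" <<'EOF'
Operator
1=Kill a process=/bin/kill -9=PID to kill: =no
2=Kill a print job=/usr/bin/qcan -x=Job number? =no
3=Show status of print jobs=/usr/bin/lpstat=none=yes
4=Change Operator Password=/usr/bin/passwd operator=none=no
99
EOF
# Constructed sample with the mistakes the text warns about: relative command, SMIT option, no 99.
BAD_RC=$(mktemp)
cat > "$BAD_RC" <<'EOF'
Operator
1=Show status of print jobs=lpstat=none=yes
2=User Management=/usr/bin/smitty=none=no
EOF
check_menushrc "$GOOD_RC" && echo "sample 1: clean"
check_menushrc "$BAD_RC" || echo "sample 2: $? problem(s)"
```

The second sample reports three problems (relative lpstat, the SMIT entry, and the missing 99), which is the count a review of the file by hand against step 3 would find.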

Security concerns

This script can create security problems depending on the options that are available to the operator. An example can be seen in the preceding sample .menushrc file. In the option User Management, the SMIT fastpath to the Security & Users menu is invoked. Using this option, the operator could select the SMIT option to change the characteristics of a user and change his own initial program to a regular shell, thus allowing access to all functions reserved for root.

Therefore, the system administrator should take care when selecting what options to give to the operator account, and should test for possible security holes.

[ Doc Ref: 90605218114810     Publish Date: Dec. 15, 2000     4FAX Ref: none ]