How to have ROOT access in the Unified Communications Manager system 6 & 7

Uni-install and hybrid version (2 partitions) (testing)

-These processes are to be used in your home lab only, unless you really
know what you are doing, and these instructions should be used for
educational and testing purposes only!! Cisco Unified Communications Manager
File Structure is an extremely secure file structure system, although you should always protect and monitor
the physical access to the location of your Nodes/Unified Communications
Manager servers.
-This test was performed on an MCS 7816 H3 server in a lab and not in an operational cluster, although
I used 3 Cisco IP phones to simulate normal operation with total success: 1 Cisco IP Phone 7940, 1 Cisco IP Phone 7960, 1
Cisco Wifi Phone 7920.
-This process should take between 10 and 15 minutes.
-Please read this document in its entirety before performing any test.
-Lastly, you should never do this on a working Node; instead, if you are experiencing
problems such as booting, database errors, etc., you should try other options, such as using your System
Recovery CD or, better yet, contacting TAC and speaking with a knowledgeable Cisco Engineer.

There are 2 ways to do this.

-One is to modify the permission of the grub configuration using a Knoppix CD, then
become a "semi" root and then inject the newly created user into the shadow
and passwd files. This is also a great option, especially
when you have 2 versions of Unified Communications Manager running
on the box, for example UC 6.X in the inactive partition and UC 7 in
the active partition. The complete process will be in the other lesson :). This process
is a little bit complicated, but it works like a champ when you have
2 versions running on the server. You will also need to know the
partition structure to boot up successfully; after trying a
couple of times I found out that you will need to boot from
/dev/sda2 single to gain complete access. If you boot from another
sda, root will not perform as "super root". This one took me a
while to find out.

-Before proceeding, I am assuming that you already have a working
Unified Communications Manager 6 or 7 running on an approved MCS server.
-Download an ISO of CentOS 5.2 CD Disk 1
-Transfer the image to a CD
-Insert the CD into the drive
-Turn on the server
-Let the server boot from the CD
-On the CentOS startup screen, type linux rescue and press enter
boot: linux rescue
-Select the appropriate language
-Select the country
-Select whether you want to start the network service or not; if so
-Highlight eth0
-Configure eth0
-Continue the pre-boot process
-The server will continue the booting process until you are in the shell
-Once in the shell type
#chroot /mnt/sysimage
#lsattr /etc/passwd /etc/group /etc/shadow /etc/gshadow
#chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow
#useradd [enter a desired username] <---such as cesar
#passwd [enter the newly desired username] <----this will prompt twice for a password for the new user
#usermod -g root [your new username] <---this will add this user to the root group; you are not
a real superuser, but you can move around freely when connecting to the Unified Communications
Manager console.
#service network start <---this will really start the network services
#service sshd start <-----this will start the ssh server
#ifup eth0 <------this will turn up the eth0 for sure!

Great, we are almost done, now while you are here you can do the following

-Mount a USB drive, for example, so you can copy files between the server and your USB drive.
-To do this:
-Insert the USB drive
-While in the shell type
#cd /dev
-Look for the newly attached USB drive; it should be something like (sdb1). If so, proceed to mount the
USB drive by doing the following:
#mount sdb1 /mnt/usb
-Your USB drive should now be mounted and ready for use.
You can also mount the USB drive permanently as well, but that's for a later lesson...

-Remember that this newly created account will not let you do much, but you can browse around while
using the new user, and remotely via ssh. Now if you want to modify a file remotely and this file is
secured, you may need to log in as root first and change the permission of the file, so you can later
modify the file using the new user account you just created. How to change a file's permissions?
#chmod 777 [filename]

-It is a good idea to put the file back to its original permission settings after you have
modified it, just to keep the integrity of the file structure.

:::::::::::::::::::::::Please read carefully before doing anything else:::::::::
Anything you do from here may cause the Unified Communications Manager not to start!!

-Now while in the root shell you can change the permissions on any file you want to modify. Remember,
you can't do this as the user you have just created...this is because you will still need to move
the root account out of the equation by doing the following
#usermod -u 20000 root
#usermod -u 0 [your new username]
****NOTE: At this point you are now the super user of the box, but when you do this Unified Communications
Manager may not start properly...So BE CAREFUL!!

-Also, while in root we can go ahead and modify iptables, for example to install webmin and manage the box
via web port 10000, although you may need to install a couple of other scripts, but it's not hard. Also, if you
are not a "vi" fanatic, go ahead and install nano via USB or by using the wget command; again, you may
also need some other scripts to run nano, and of course access to the internet.

*Also FYI

The platform user belongs to the following groups.

The root user belongs to the following groups.

-Remember, how you allocate your users and groups will mandate their access.


After reviewing several corners, I thought, wait, why add another user and play
with the group allocations and all that, when we can just access the Unified Communications
Manager like a member of Cisco TAC would? I mean, what I am trying to accomplish
here is to access the box and at the same time maintain the integrity of the box
as much as possible, without modifying too many things on the UCM server platform.

So, I will call this the Remote Account Process.

On a working server or environment we will do the following:
-Connect to the UCM Console using an SSH client
-Proceed to enable a remote account
admin:utils remote_account enable
-Proceed to create a remote_account user
admin:utils remote_account create [ournew_remote_account_username] [number of days that
we want this account to remain active]
admin:utils remote_account create ciscotac 30
-The above example will create a remote account user named ciscotac and it will be valid
for 30 days.
-Once we have successfully created a remote_account we will proceed to reboot the server
admin:utils system restart
-Proceed to insert the CentOS 5.2 Disk 1
-At the boot option enter linux rescue
boot:linux rescue
-Once you are in the linux shell
-Proceed to do the following
#lsattr /etc/passwd /etc/group /etc/shadow /etc/gshadow
#chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow
#passwd [enter the username that you have created for the remote account user]
-Enter the new password that you want for the new remote account user twice
-Eject the CentOS 5.2 Disk 1
-Reboot the server by doing the following
#shutdown -r now
-Once Unified Communications Manager has completely rebooted, simply use an SSH
client to log in to UCM using the remote account username and password; you will see
the following message

Welcome to Remote Support


Document Revised by Cesar Fiestas
0 Votes

<A HREF="http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=274394&messageID=2600275">How to have ROOT access in the Unified Communications Manager system 6 & 7 </A>
<A HREF="http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=273881&messageID=2595612">Upgrading Cisco Unified Communications Manager 6.x to 7.x (testing) </A>
<A HREF="http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=273784&messageID=2594381">Upgrade Instructions of Unified Communications Manager 6.0(1) to 6.1(2) </A>
<A HREF="http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=273781&messageID=2594284">Configuring Mobile Voice Access in Unified Communications Manager 6.1 </A>

0 Votes

Once you are at the point where you mentioned mounting the USB drive, you can modify another file in /etc/ called sudoers. Find the lines that say
# User privilege specification
root ALL=(ALL) ALL

and add a new line below it - actually the location of this line does not matter, but seeing the above line makes you compare and enter the right command

If your user is cesar, add the line


It is a 'tab' before NOPASSWD, not a bunch of spaces.

Also, in the /etc/passwd file the last column for root will say /sbin/nologin, change that to /bin/bash and save the file.

Then login using ssh as cesar, and run the command 'sudo su -'. You are root without using root's password or changing file permissions.

The changes above will not impact anything. Root's password or environment is not changed, you just allow root to be able to login to the console and allow 'cesar' to be able to elevate privileges as root without using a password.
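
A defender-side check for the account changes described in this thread (the UID swap and root-group membership in the first post, the NOPASSWD rule and root shell change in the reply above), as an added example that is not part of any poster's text. The function names, user names and sample file contents are constructed; the expected root shell of /sbin/nologin is taken from the reply above.

```shell
#!/bin/sh
# Added example: flag the account-file changes described in this thread.
# EXPECTED_ROOT_SHELL follows the reply's statement about this platform.
EXPECTED_ROOT_SHELL=${EXPECTED_ROOT_SHELL:-/sbin/nologin}

# audit_passwd FILE: report UID swaps, extra UID 0 accounts, gid 0 members
# and a changed root shell, one finding per line.
audit_passwd() {
    awk -F: -v shell="$EXPECTED_ROOT_SHELL" '
        /^#/ || NF < 7 { next }
        $1 == "root" && $3 != 0 { print "root-uid-changed:" $1 ":" $3 }
        $1 == "root" && $7 != shell { print "root-login-shell:" $7 }
        $1 != "root" && $3 == 0 { print "extra-uid0:" $1 }
        $1 != "root" && $3 != 0 && $4 == 0 { print "primary-gid0:" $1 }
    ' "$1"
}

# audit_sudoers FILE: report the user field of every uncommented NOPASSWD rule.
audit_sudoers() {
    sed 's/#.*//' "$1" | awk '/NOPASSWD[ \t]*:/ { print "nopasswd:" $1 }'
}

# make_samples DIR: write constructed sample files (not from a real node).
make_samples() {
    cat > "$1/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/sbin/nologin
svcuser:x:501:501::/home/svcuser:/bin/bash
EOF
    cat > "$1/passwd.tampered" <<'EOF'
root:x:20000:0:root:/root:/bin/bash
labuser:x:0:0::/home/labuser:/bin/bash
svcuser:x:501:501::/home/svcuser:/bin/bash
labuser2:x:502:0::/home/labuser2:/bin/bash
EOF
    printf 'root ALL=(ALL) ALL\n# labuser ALL=(ALL) NOPASSWD: ALL\n' \
        > "$1/sudoers.baseline"
    printf 'root ALL=(ALL) ALL\nlabuser ALL=(ALL)\tNOPASSWD: ALL\n' \
        > "$1/sudoers.tampered"
}

# Stand-alone run: audit the tampered samples and print the findings.
tmp=$(mktemp -d)
make_samples "$tmp"
audit_passwd "$tmp/passwd.tampered"
audit_sudoers "$tmp/sudoers.tampered"
rm -rf "$tmp"
```

Point the two functions at a node's own /etc/passwd and /etc/sudoers, or at copies from a backup. The first post also clears the immutable attribute with chattr -i, so the lsattr output for the four account files is a further thing to compare against a known-good node.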

0 Votes


If you do this...for some reason the informix database becomes unstable and the callmanager service stops (I didn't bother to look further as to why)...so the whole idea here is to "get in and get out, unnoticed and without damaging the integrity of the box" or any of its processes for that matter

Cesar Fiestas

0 Votes

I haven't had any issues with CCM 6.0 or 7.0 after this change. I have been running one in a test lab for months now. I even go to the extent of reducing the disk space by cloning to a smaller drive, so I can save space on my laptop (CCM running in a VM). I have managed to reduce the disk space to 33GB and still run it without problems. It takes longer to start, but once started it runs fine. I always save the system state by putting the VM in standby mode (takes about 2GB of space to save the VM's memory) but never shut it down.

0 Votes


That is a pretty neat clone. What I want to do is create a way to have the cdr/car records either move automatically to an external box to free up space, or to have the cdr/car records reside in another box (in order to meet large/legal record requirements), and the same for the logs. Last week, playing around, I managed to install webmin; there was not much gain there, but I just wanted to know the behavior of the box after a new app addition. Also on my wish list is to have a way to completely monitor the access/activities of users to the ccmadmin, for security purposes.

Cesar Fiestas