topic Re: Direct root access in Operating System - HP-UX

Direct root access

Prashant_15 — Tue, 28 Oct 2003 16:10:47 GMT

How to restrict direct root access on HP-UX?

Please reply

Thanks and regards
Prashant

Re: Direct root access

Ken Penland_1 — Tue, 28 Oct 2003 16:14:13 GMT

vi /etc/securetty and put the word console in it by itself, this will prevent root from logging in from anywhere but the console...you can still su to root however.

Re: Direct root access

Jeff Schussele — Tue, 28 Oct 2003 16:14:58 GMT

Hi Prashant,

Do the following:

echo console > /etc/securetty
chown root:sys /etc/securetty
chmod 400 /etc/securetty

Now the only place that root can login from directly is the console.
If the file already exists, insure it only contains the string console

HTH,
Jeff

Re: Direct root access

Pramod_4 — Tue, 28 Oct 2003 16:16:40 GMT

1) Enable /etc/securetty to restrict root to console.
2) Use sudo to avoid direct use of root account.

Pramod

Re: Direct root access

Patrick Wallek — Tue, 28 Oct 2003 16:22:34 GMT

See responses in your other question as well:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=241288

Re: Direct root access

Prashant_15 — Tue, 28 Oct 2003 16:32:13 GMT

Cheers,

Many thanks..

Re: Direct root access

MANOJ SRIVASTAVA — Tue, 28 Oct 2003 16:35:07 GMT

Prashant

You can also do the following

edit /etc/profile and add the following lines

loginid=`who am i | awk '{print $1}'`

echo $loginid
if [$loginid = root ]
then
exit
fi

this will exit the direct root login , however a user can login as a user and then su to root .

Manoj Srivastava

Re: Direct root access

Bill Hassell — Tue, 28 Oct 2003 20:31:19 GMT

Easy: change the root password and never give it out to anyone. A bit more useful: download sudo and specify the commands and parameters allowed for certain users. They will never be allowed to login as root but can perform certain restricted tasks on behalf of root.

Re: Direct root access

Wilfredo R. Castro — Wed, 29 Oct 2003 01:04:51 GMT

How to download the SUDO and what it does exactly?

Re: Direct root access

Bill Hassell — Wed, 29 Oct 2003 08:27:28 GMT

The best source for HP-UX programs is found at http://hpux.connect.org.uk/ which is the Liverpool archive (there are several mirrors around the world). Essentially, you define user access in a file called sudoers which can be extensively configured for simple or complex commands and parameters. You can configure it so that the user simply types sudo in front of each command that requires root access. sudo logs everything so you can see the commands that were run. Knowledge of the root password is not needed.