topic Re: Forcing su rather than allowing telnet login for specific accounts in Operating System - HP-UX

Forcing su rather than allowing telnet login for specific accounts

Jerry Anderson_5 — Wed, 25 Feb 2004 18:24:23 GMT

I'm trying to figure out how to secure application accounts on a production server. Our policy is that users should login as themselves and then su to the application account - now I need a way to enforce this sequence rather than just suggest it.

Here are the parameters:
1. Users come from multiple networks (10.x 172.x 192.x - its a long story).
2. The application accounts use ftp to transfer data among systems, so I can't simply lock the account to force su rather than login.
3. There are 20 maintainers that need to use these accounts.
4. Their work is not predictable enough to set up an adequate sudoers file without a lot of work and angst.

I was hoping I could write some shell code that would detect that the UID and EUID were the same for a direct login and different for a su, but it appears that id only returns ids within the current context - the uid and euid are the same after an su.

It also seems to me that I might be able to do this by looking for the parent process for a new shell and making sure that it is an su.

But what I'm really hoping is that someone out there already has a robust, tested, solution for this problem.

Re: Forcing su rather than allowing telnet login for specific accounts

Steven Sim Kok Leong — Wed, 25 Feb 2004 18:32:09 GMT

Hi,

Check out hp-ux commands "whoami" and "who am i". One returns the username before su while the other returns the username su'ed into. That should provide you with the corresponding uid and euid that you need.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Forcing su rather than allowing telnet login for specific accounts

Michael Tully — Wed, 25 Feb 2004 18:35:15 GMT

Well for the root account set up the /dev/securetty file with the word console in it.
For other specific accounts, simply lock them. You can use either 'passwd -l' or replace the encryption with a '*' in the /etc/passwd file. See the man page for passwd.
$ man 1 passwd

Re: Forcing su rather than allowing telnet login for specific accounts

Sridhar Bhaskarla — Wed, 25 Feb 2004 18:40:20 GMT

Hi,

You can leverage the "who am i" output to find out the base user and then restrict them for direct login. For ex., the following sample code will look for the user in /etc/nodirectlogin and exits if so for direct logins.

ME=$(who am i|awk '{print $1}')
grep -q "^${ME}:" /etc/nodirectlogin
if [ $? = 0 ]
then
echo "$ME cannot login directly. Login with your own id and then SU to $ME"
exit
fi

You will need to add the generic logins in your /etc/nodirectlogin file as follows

oracle:Oracle account
sybase:Sybase Generic account

etc., etc.,

However, these accounts will allow the users to do a 'su' to them.

You will also need to customize your csh.login for accounts with csh shell.

This is not a 100% guaranteed method but is close.

-Sri

Re: Forcing su rather than allowing telnet login for specific accounts

Rodney Hills — Wed, 25 Feb 2004 18:41:27 GMT

In the /etc/passwd file, change the shell for the username/application to /bin/false.

Thus users can ftp and su to that account, but if someone attempts to login it won't have a valid shell to start up.

HTH

-- Rod Hills

Re: Forcing su rather than allowing telnet login for specific accounts

Michael Tully — Wed, 25 Feb 2004 19:04:48 GMT

I know one thing, I should learn how to read ... 8^)

Re: Forcing su rather than allowing telnet login for specific accounts

Sridhar Bhaskarla — Wed, 25 Feb 2004 19:08:38 GMT

I forgot about CDE logins. Users with Reflection X or Exceed can directly login to the systems with CDE. /etc/profile|csh.login won't help you in that case. You will need to place a X startup script with the same logic. For ex., Create a script called

0000.directlogin under /etc/dt/config/Xsession.d with 555 permissions.

Add the following shell into it

grep -q "^${USER}:" /etc/nodirectlogin
if [ $? = 0 ]
then
/usr/dt/bin/dterror.ds "CDE login denied for $USER" "Login Denied" "Exit"
exit 1
fi

This should disable all the users under /etc/nodirectlogin to logon via CDE.

-Sri

Re: Forcing su rather than allowing telnet login for specific accounts

Jerry Anderson_5 — Thu, 26 Feb 2004 20:33:02 GMT

Thanks for the suggestions. I'm going to try them out this weekend and get back with points next week.

Please feel free to add to the list if you have any alternative ideas.

Re: Forcing su rather than allowing telnet login for specific accounts

Elmar P. Kolkman — Fri, 27 Feb 2004 04:18:51 GMT

If you don't need specific settings from the user (so you don't run su - , only su , you could replace the contents of .profile to a single line: exit. This means the user will immediately be logged out when trying to login.

If not, you could compare the first fields of 'who am i' and 'whoami'. If they are the same, the user needs to be logged out, so if you put that in the users .profile it should also work. The whoami info is updated after a su, while 'who am i' isn't. The line would become:

if [ "`whoami`" = "`who am i | cut -d' ' -f1`" ]
then
exit
fi

Re: Forcing su rather than allowing telnet login for specific accounts

Dave La Mar — Fri, 27 Feb 2004 19:44:52 GMT

Jerry -
I just went through something similar. The developers need ftp access, but I have locked down replace and chmod in the ftpaccess file.

Then there was a user I wanted to be able to ftp but not telnet.

I simply test for username in /etc/profile at login, force them to exit and notify where it came from. The notify script gives me an ip address or pcname for which I can tract back to the user's work station.

/etc/profile entry:

# Exit if the user is jobdev

if test "$user" = "jobdev"
then
/usr/local/bin/systems/security/violator
exit 0
fi

Notify script snippet:
# ============================================================
# Use the wtmp file to find the offender.
# ============================================================

last -R | head -1 | grep corp

if [ $? -eq 0 ]
then
last -R | head -1 | mailx -s "MOE Login Violator" $MAIL_LIST
else
last -R | head -1 | awk '{ print $3 }' | cut -d ":" -f1 | read addr
nslookup $addr | grep Name | cut -d ":" -f2 | read network_id
echo "$addr on $network_id" | mailx -s "MOE Login Violator" \
$MAIL_LIST
fi

Hope this assists a bit.
Best of luck.

Regards,
dl