topic direct root acces in Operating System - HP-UX

direct root acces

Prashant_15 — Tue, 28 Oct 2003 16:05:50 GMT

Hi,

I want to know how to restrict direct root access to HP system. I am having superdome with 11i installed. Please reply immediate..
Thanks
Regards
Prashant

Re: direct root acces

Patrick Wallek — Tue, 28 Oct 2003 16:09:04 GMT

If you want to disallow root logins from anywhere EXCEPT the console you need to create a file called /etc/securetty and place the word 'console' (without the quote marks) in that file. I would also make sure the permissions on the file are 444 (-r--r--r--).

# cat /etc/securetty
console
#

Re: direct root acces

Brian Bergstrand — Tue, 28 Oct 2003 16:09:55 GMT

echo console > /etc/securetty

Doing the following will restrict direct root login to the console only. su will still work from any terminal though.

HTH.

Re: direct root acces

Prashant_15 — Tue, 28 Oct 2003 16:31:24 GMT

Cheers,

Many thanks

Re: direct root acces

Brian Markus — Wed, 29 Oct 2003 00:20:29 GMT

I've used this trick in the past to restrict who can login. I place this code in the /etc/profile

if [ -r /etc/nologin ]
then
case $LOGNAME in
root ) ;;
bmarkus ) ;;
oracle ) ;;

esac
fi

In this case only root, bmarkus, and oracle can login. If you take root out of that list, it should do it.

Or you could do something like this

if [ `whoami` == "root" ]
then
cat /etc/nologin
exit 1
fi

Hope this helps.

-Brian.

Re: direct root acces

Robert Fritz — Wed, 29 Oct 2003 11:17:54 GMT

Note that securetty only restricts login methods that use a tty like telnet.

For example, SSH would not use securetty, it has its own variable in /etc/opt/ssh/sshd.config.

-Robert