topic Re: UNIX high authorization profiles are restricted to physically secured devices. in Operating System - HP-UX

UNIX high authorization profiles are restricted to physically secured devices.

Pat Limaco — Tue, 18 Mar 2003 07:37:29 GMT

HOw can you restrict important profiles such as "root" to have direct logon only from the console?

My program states I should examine the "etc/default/login" for the "CONSOLE=/dev/console" entry. However the system said no such file exists. Does this mean etc/default/login first needs to be manually created?

I'd appreciate your responses. thanks and best regards.

Re: UNIX high authorization profiles are restricted to physically secured devices.

Balaji N — Tue, 18 Mar 2003 07:41:57 GMT

hi
creste the securetty file in /etc directory and the terminal entries from which root can login directly.

echo "console" > /etc/securetty.

now root can login directly only from the console. note that a user can login and then switch to root still.

hth
-balaji

Re: UNIX high authorization profiles are restricted to physically secured devices.

Pat Limaco — Tue, 18 Mar 2003 07:53:29 GMT

Thanks alot, that helped me understand things better. just a follow up, does this mean i have to put the "root console" entry into the etc/securetty file. =)

Re: UNIX high authorization profiles are restricted to physically secured devices.

Balaji N — Tue, 18 Mar 2003 07:58:09 GMT

no. just the terminal names from where root is allowed to login. this file is used only for user root.
++++snipped from the login man page++++++++
If the /etc/securetty file is present, login security is in effect.
Only user root is allowed to log in successfully on the ttys listed in
this file. Restricted ttys are listed by device name, one per line.
Valid tty names are dependent on the installation. An example is

console
tty01
ttya1
etc.

Note that this feature does not inhibit a normal user from using the
su command (see su(1)).
+++++++++++++++++

man login for more info.

hth
-balaji

Re: UNIX high authorization profiles are restricted to physically secured devices.

doug hosking — Wed, 19 Mar 2003 09:41:41 GMT

Balaji, /etc/default/security entries on newer (11.11 and later, I think) versions of HP-UX can help with the su case. Quoting from security(4):

SU_ROOT_GROUP
This parameter defines the root group name for the su command. Refer to su(1).

SU_ROOT_GROUP=group_name
The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a
member of the specified root group to be allowed to su to root. This does not alter password checking.

Default value: If this parameter is not defined or if it is commented out, there is no default value. In this case, a non superuser is allowed to su to root without being bound by root group restrictions.

Re: UNIX high authorization profiles are restricted to physically secured devices.

Balaji N — Wed, 19 Mar 2003 10:17:45 GMT

thanks for the update Doug.
-balaji