topic Re: Directly login deny in Operating System - HP-UX

Directly login deny

Manuel_8 — Tue, 13 Aug 2002 13:22:01 GMT

Hello guys,
I want thet the root user can't log directly on the system, but only whit su - root command.

Please help me

Thanks

Re: Directly login deny

Sridhar Bhaskarla — Tue, 13 Aug 2002 13:26:06 GMT

Hi,

Create /etc/securetty file with "console" in
it. It will allow root to login from console only. Others have to login as themselves and then su to root.

#cat /etc/securetty
console

-Sri

Re: Directly login deny

Jeff Schussele — Tue, 13 Aug 2002 13:26:07 GMT

Hi Manuel,

Create the following file
/etc/securetty
containing only the word
console

This prevents root from logging in from anywhere except the console.

HTH,
Jeff

Re: Directly login deny

Dietmar Konermann — Tue, 13 Aug 2002 13:27:38 GMT

Hi!

Just create a file /etc/securetty containing the line "console". See login(1) man page.

Please note that not all services respect this feature! E.g. ftp needs to be denied for root also. Same for rexec. Otherwise one could e.g. use ftp as root to remove the /etc/securetty file.

Regards...
Dietmar

Re: Directly login deny

James R. Ferguson — Tue, 13 Aug 2002 13:27:50 GMT

Hi Manuel:

Create a file titled '/etc/securetty'. When present, root is allowed to log in only on the devices listed in the file. Enties are the device tty name, one per line.

In your case, specify "console" so that root can login at the console device, but no where else unless an 'su' operation is performed to root.

Regards!

...JRF...

Re: Directly login deny

S.K. Chan — Tue, 13 Aug 2002 13:29:07 GMT

YOu can do this by creating the file /etc/securetty with the word
console
in it. The file should have permission 600 (root:bin). That will disable direct root login from any tty port EXCEPT at the console.

Re: Directly login deny

Sajid_1 — Tue, 13 Aug 2002 13:31:45 GMT

This can't be done totally. But you can restrict the root direct login to specific ttys (for eg: console). For doing this, edit the /etc/securetty file and add the 'tty' entries there and the root login can only be done from there. But you can do a 'su' from all terminal sessions.

Re: Directly login deny

Chris Wilshaw — Tue, 13 Aug 2002 13:31:48 GMT

If you wish to prevent root from logging in on the console too, rather than having console in /etc/securetty, you can just create a blank file. Then root is only usable via su.

> /etc/securetty

ll /etc/securetty
-r--r--r-- 1 root sys 0 Aug 13 15:31 /etc/securetty

Re: Directly login deny

MANOJ SRIVASTAVA — Tue, 13 Aug 2002 13:56:26 GMT

Manuel

What we do is to add the following lines in the /etc/profile

loginid=`who am i | awk '{print $1}'`

echo $loginid
if [ $loginid = root ]
then
exit
fi

this will make you just su to root

Manoj Srivastava