topic Re: Securing root access from xterm in Operating System - HP-UX

Securing root access from xterm

ken_5 — Tue, 17 Sep 2002 19:57:38 GMT

I have been charged with securing access to my HP/UX 11.0 environment. One of the requests is to restrict root access to the su command and the console. I have used SAM to restrict tty connections, and I've reviewed the process for restricting CDE connections, but I can not figure out a way to restrict my Hummingbird users who execute xterm without using the login scripts. Has anyone else faced this problem before?
tks
ken

Re: Securing root access from xterm

Deshpande Prashant — Tue, 17 Sep 2002 20:02:37 GMT

HI
We block root users by checking it in .profile of root user.
####
if [ ${user} = "root" ]
then
if [ ${TTY} != "console" ]
then
echo " : root login allowed only through console..."
echo "ERR ${date} - ${TTY} ${user}-root" >> ${sulog}
exit
fi

##

Thanks.
Prashant.

Re: Securing root access from xterm

Craig Rants — Tue, 17 Sep 2002 20:06:53 GMT

Or

echo console > /etc/securetty

GL,
C

Re: Securing root access from xterm

Jeff Schussele — Tue, 17 Sep 2002 20:13:34 GMT

Hi Ken,

This is what I have on this:

Both dtlogin and vuelogin do not refer to the /etc/securetty file
after checking the login information against the /etc/passwd file.
There are several ways to prevent this:

1) To keep root from using the workstation graphics console or xterminal
when vuelogin or dtlogin are running, add the following lines to the
end of either /usr/vue/config/Xstartup (in HP-UX 10.X this would be
/etc/vue/config/Xstartup) or /etc/dt/config/Xstartup (copy over from
/usr/dt/config if the file does not exist in /etc/dt/config) for CDE:

if [ $USER = root ] ; then
exit 1
fi

This will terminate the login process if the user is logging in as
root.

or for all users :

if [ "$USER" != "root" ]; then
exit 1
fi

OR follow the steps in the HP TKB Doc (KBRC00000074):

http://support1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&admit=-682735245+1028645265478+28353475&docId=200000045437203

HTH,
Jeff

Re: Securing root access from xterm

ken_5 — Tue, 17 Sep 2002 20:14:35 GMT

${user} is not set on my system. The only thing that I have which is close to this is $LOGNAME and it gets changed to "root" when I execute the "su -" command.

Re: Securing root access from xterm

ken_5 — Tue, 17 Sep 2002 20:14:59 GMT

echo console > /etc/securetty
will only disable telnet sessions. xterm sessions can still get through.

Re: Securing root access from xterm

ken_5 — Tue, 17 Sep 2002 20:17:19 GMT

> echo $USER
sh: USER: Parameter not set.

$USER is not being set in my environment.

Re: Securing root access from xterm

ken_5 — Tue, 17 Sep 2002 20:22:03 GMT

$TERM does get set, so I know if someone is connecting from the console, however, I want to allow su to be executed from an xterm session and the profile to be executed.

Re: Securing root access from xterm

Ted Ellis_2 — Tue, 17 Sep 2002 20:23:06 GMT

try echo $LOGNAME

Ted

Re: Securing root access from xterm

ken_5 — Tue, 17 Sep 2002 20:27:02 GMT

$LOGNAME gets changed to "root" when you "su -".

Re: Securing root access from xterm

Jeff Schussele — Tue, 17 Sep 2002 20:27:45 GMT

Hi (again) Ken,

Yes, just change $USER to $LOGNAME & you should be good to go.

Jeff

Re: Securing root access from xterm

Jeff Schussele — Tue, 17 Sep 2002 20:31:42 GMT

Not sure what you mean by "$LOGNAME gets changed to root when you su."

I thought your question was how to prevent direct CDE or X logins by root.

If you want to restrict su to root - then don't give anyone the root PW......

Rgds,
Jeff

Re: Securing root access from xterm

Ted Ellis_2 — Tue, 17 Sep 2002 20:34:52 GMT

can you actually login right now with Hummingbird straight to a root session? I can't.. maybe my syntax is outta whack, but I also notice a file on my servers called 8000.migration that is under /etc/dt/config/Xsessions.d and appears to prevent direct root logins via a root user... do you have that file? And can you access xterm with root user (no su)?

Re: Securing root access from xterm

ken_5 — Wed, 18 Sep 2002 11:30:20 GMT

Ted and Jeff
Here is the Command that I use in Xstart to connect to the server.

/usr/bin/X11/xterm -d @D -fn heb8x13 -geometry 100x50-1+1 -fg black -bg lightgray -ls -sb -sl 1000 -title "SERVER NAME"

notice the -ls this tells xterm to execute the "login script" if I leave this option off, or by default, the .profile will not be executed at all and I gain full root access.

Jeff,
On the su issue. The problem was that I did not know weather I could identify where the user is connecting. I can do this with the $TERM and check for the unique term type of my CONSOLE display. So I believe that I can modify .profile to restrict access to the system, but it's really a mute point if the any user has access to the system via xterm. Let me explain further. We have more than one administrator, and I want to force them to connect via the console if connecting as root directly. I guess that it's just not supported. I will probably just setup some type of logging flag in the .profile that will write each root access su or not and it's source Display and terminal type, but of course that can be bypassed by xterm without the -ls.

Re: Securing root access from xterm

Deshpande Prashant — Wed, 18 Sep 2002 15:17:47 GMT

HI
In my script above, I used
user=`logname`

Thanks.
Prashant.

Re: Securing root access from xterm

ken_5 — Wed, 18 Sep 2002 16:32:10 GMT

Deshpande Prashant
Cool, I needed that command, but it still does not solve the problem of the default operation of xterm being to NOT execute the .profile. Now, xterm is called using rexec, is there something I can do with rexec to make sure it does not allow root access? One thought that I did have was replacing xterm itself with a script that would call a renamed and protected version of the binary, but that seems some how risky to me. :)
tks,
ken

Re: Securing root access from xterm

Wodisch — Wed, 18 Sep 2002 17:21:05 GMT

Hi Ken,

if you use X-Windows, then your system is NOT secure at all!
Maybe you can tunnel X-Widnows through OpenSSH (works with Reflection/X, should work with Exceed, too).
"xterm" itself is a security-risk, as it can be remote-controlled and be spied-out! USe "hpterm" or "dtterm" at least, these cannot be remote-controlled that easily...
If you use "ssh" then you can configure that to NOT let "root" log in through it!

You will have to stop "XDMCP" access, too...

And I do recommend installing "IPFilter/9000" and block everything you do not need/want on that system (BOTH directions, in and out).

Just my $0.02,
Wodisch

Re: Securing root access from xterm

ken_5 — Wed, 18 Sep 2002 17:24:48 GMT

Wodisch
That is the 2 cents that I'm looking for, I suspected as much, xterm itself is a security risk and should not be used, you went beyond that and gave me alternatives. Thanks for you help, I'm still very new at this stuff.

:)
ken.