topic Re: Disallow any login to the system in Operating System - HP-UX

Disallow any login to the system

Nisar Ahmad — Thu, 06 Sep 2001 05:30:19 GMT

I am suppose to instrall patches on our production system. What could be the best approach so that none can login to the system as I can't be in sigle use mode?

Thanks

Nisar

Re: Disallow any login to the system

federico_3 — Thu, 06 Sep 2001 05:46:47 GMT

If you are in single usewr mode nobody can connect to the system because the network processes are down.

Federico

Re: Disallow any login to the system

Herve BRANGIER — Thu, 06 Sep 2001 05:47:13 GMT

Hi

ftp, login, rlogin,... and a lot of deamons are
launched by inetd. So I think you can stop
inetd : /sbin/init.d/inetd stop.
Or you can modify /var/adm/inetd.sec.

If you want to disallow others services you can
stop them...

HTH

Herv?

Re: Disallow any login to the system

Sridhar Bhaskarla — Thu, 06 Sep 2001 06:08:16 GMT

You can do one thing.

cp /var/adm/inetd.sec /var/adm/inetd.sec.old
Edit your /var/adm/inetd.sec and
add these lines

telnet deny #For telnet
telnet allow your_system_IP SW-DEPOT-IP
login deny #For rlogin

ftp deny

Restart inetd by inetd -c

Now people cannot ftp or login to your box

Once you are done. Restore the previous inetd.sec and restart ined.

The other way is little bit dangerous.

Save /etc/passwd as /etc/passwd.old. Edit /etc/passwd and delete all the entries other than the default ones. Edit a file called /etc/banner that says "This system is under maitenance .. Your account is temporarly disabled" and modify the inetd.conf file to
replace telnetd with telned -b /etc/banner. Restart the inetd.

Once you are done with the installation, keep the password file back. One drawback is that it will unnecessarily register bad attempts in the system.

There are a lot many ways.

-Sri

Re: Disallow any login to the system

Marcin Wicinski — Thu, 06 Sep 2001 06:53:38 GMT

Hi,

I suppose that you cannot install patches in single user mode because of special installation instruction suggestions. Very simple way to reject any logins is to check username in /.profile and f it is not root ten exit.

Later,

Re: Disallow any login to the system

Dayanand Naik — Thu, 06 Sep 2001 11:40:30 GMT

Hi Nisar,

It depends on what kinda patch are u going to install. but its not required for you to go into single user mode, you can stop the inetd services which contains rlogin,login,ftp and other network services.

issue this commnand to stop/start inetd services :

/sbin/init.d/inetd stop

after you finsh patching your system issue

/sbin/init.d/inetd start command

Hope this helps.

Regards
Dayanand Naik

Re: Disallow any login to the system

Alex_17 — Thu, 06 Sep 2001 11:44:43 GMT

Another way:

1) Copy your /etc/passwd to /etc/passwd.old
2) Write * in password field for every user
3) Install patches
4) Remove /etc/passwd
5) Rename old /etc/passwd

It's not very original but it may work.

ALex.

Re: Disallow any login to the system

linuxfan — Thu, 06 Sep 2001 11:53:13 GMT

Hi Nisar,

Here is a very simple way

touch /etc/nologin

Modify your /etc/profile with

if [ -f /etc/nologin && ${LOGNAME} != "root" ]
then
echo "System is not available right now"
exit 1
fi

This way you don't need to modify anything else on your system, after installing the patches, just remove the /etc/nologin file

-HTH
Ramesh

Re: Disallow any login to the system

Ravi_8 — Thu, 06 Sep 2001 11:56:55 GMT

Hi,
the system patches such as kernel,network when they applied system needs to reboot, application patches such as PHCO* can be applied in multiuser user mode and no need to reboot the machine. your case of disallowing users to login and applying patches in single user mode is unnecessary.