topic Re: Direct Login VS. su only in Operating System - Linux

Direct Login VS. su only

Bob Ferro — Wed, 12 Sep 2007 08:10:45 GMT

I tried the script to not allow direct login and it worked fine except when I tried to su - myuserid, it didn't let me in either. Is there a way to distinguish between a direct login and a su in /etc/profile?

Here's the script from another thread:

Since all normal shell logins go through /etc/profile, there are a number of controls you can put into /etc/profile. As mentioned, you can limit root so it is not allowed a direct login except through the console, and indirectly using su (or better yet, sudo). For the rest of the users, you might create a file of disallowed users such as /etc/disallowed.users with each user login on a separate line such as:

billh
jamesf
kens

Then near the top of /etc/profile (ALWAYS after the line: trap "" 1 2 3) add something like this:

for NOTALLOWED in $(cat /etc/disallowed)
do
if [ $LOGNAME = $NOTALLOWED ]
then
echo "\n --- login not allowed ---\"
exit
fi

And that's it. Now anytime billh, jamesf or kens try to login, they are kicked out immediately.

Thanks

Re: Direct Login VS. su only

James R. Ferguson — Wed, 12 Sep 2007 08:22:48 GMT

Hi Bob:

If you are truly doing 'su - user' and not 'su user' then '/etc/profile' should be sourced.

If you test '$0' (the running process) in 'etc/profile' you will see either '-sh' for a normal login or '-su' if the user issued 'su - user'. That's one way to distinguish a direct login from an 'su'.

Regards!

...JRF...

Re: Direct Login VS. su only

James R. Ferguson — Wed, 12 Sep 2007 10:31:45 GMT

Hi Bob:

Here's an exaple of the code I suggested in my post, above:

if [ ${0} = "-sh" ]; then
if [ ${LOGNAME} = "bob" ]; then
echo "...login is direct; you MUST 'su -' to login"
sleep 5
exit
fi
fi

Regards!

...JRF...

Re: Direct Login VS. su only

Bob Ferro — Wed, 12 Sep 2007 12:32:39 GMT

James,

After the trap "" 1 2 3 command in the /etc/profile, I added the following commands. Your suggestions worked fine, I just combined them.

for NOTALLOWED in $(cat /etc/disallowed.users)
do
if [ $LOGNAME = $NOTALLOWED ] && [ ${0} = "-sh" ]
then
echo "\n Direct logins not allowed for your account."
echo "\n You must su - $NOTALLOWED from another user."
read
exit
fi
done