
Direct Login VS. su only

Bob Ferro
Regular Advisor


I tried the script to not allow direct login and it worked fine except when I tried to su - myuserid, it didn't let me in either. Is there a way to distinguish between a direct login and a su in /etc/profile?

Here's the script from another thread:

Since all normal shell logins go through /etc/profile, there are a number of controls you can put into /etc/profile. As mentioned, you can limit root so it is not allowed a direct login except through the console, and indirectly using su (or better yet, sudo). For the rest of the users, you might create a file of disallowed users such as /etc/disallowed.users with each user login on a separate line such as:

billh
jamesf
kens

Then near the top of /etc/profile (ALWAYS after the line: trap "" 1 2 3) add something like this:

# Each line of /etc/disallowed.users holds one login name
for NOTALLOWED in $(cat /etc/disallowed.users)
do
    if [ "$LOGNAME" = "$NOTALLOWED" ]
    then
        echo "\n --- login not allowed ---\n"
        exit
    fi
done

And that's it. Now anytime billh, jamesf or kens try to login, they are kicked out immediately.

Thanks
James R. Ferguson
Acclaimed Contributor
Solution

Re: Direct Login VS. su only

Hi Bob:

If you are truly doing 'su - user' and not 'su user' then '/etc/profile' should be sourced.

If you test '$0' (the running process) in '/etc/profile' you will see either '-sh' for a normal login or '-su' if the user issued 'su - user'. That's one way to distinguish a direct login from an 'su'.

Regards!

...JRF...
James R. Ferguson
Acclaimed Contributor

Re: Direct Login VS. su only

Hi Bob:

Here's an example of the code I suggested in my post, above:

# $0 is "-sh" for a direct login shell and "-su" after 'su - user'
if [ "${0}" = "-sh" ]; then
    if [ "${LOGNAME}" = "bob" ]; then
        echo "...login is direct; you MUST 'su -' to login"
        sleep 5
        exit
    fi
fi

Regards!

...JRF...
Bob Ferro
Regular Advisor

Re: Direct Login VS. su only

James,

After the trap "" 1 2 3 command in the /etc/profile, I added the following commands. Your suggestions worked fine, I just combined them.

for NOTALLOWED in $(cat /etc/disallowed.users)
do
    # deny only when the user is listed AND this is a direct login ($0 is "-sh")
    if [ "$LOGNAME" = "$NOTALLOWED" ] && [ "${0}" = "-sh" ]
    then
        echo "\n Direct logins not allowed for your account."
        echo "\n You must su - $NOTALLOWED from another user."
        read REPLY   # wait for Enter before ending the session
        exit
    fi
done
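The combined check above, rewritten as a function that can be exercised outside a real login. This is an added example, not code from the thread; the function name direct_login_denied and its three arguments are my own choice, and it assumes the "-sh" / "-su" values of $0 that James describes.

```shell
#!/bin/sh
# Added example: a testable version of the /etc/profile check from the thread.
# Arguments: <shell-name> <login-name> <disallowed-file>
#   shell-name : what $0 holds in /etc/profile ("-sh" for a direct login,
#                "-su" after 'su - user', as stated in the thread)
# Returns 0 when the session should be refused, 1 when it may continue.
direct_login_denied() {
    shell_name=$1
    login_name=$2
    listfile=$3

    # Only a direct login shell is subject to the restriction.
    [ "$shell_name" = "-sh" ] || return 1

    # A missing or unreadable list denies nobody, like the original loop
    # when 'cat' fails.
    [ -r "$listfile" ] || return 1

    # Read line by line instead of $(cat ...) so blank lines and '#'
    # comments are skipped and names are compared whole, not word-split.
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*) continue ;;
        esac
        if [ "$entry" = "$login_name" ]; then
            return 0
        fi
    done < "$listfile"
    return 1
}

# In /etc/profile (after the trap line) it would be called as:
#   if direct_login_denied "$0" "$LOGNAME" /etc/disallowed.users; then
#       echo "\n Direct logins not allowed for your account."
#       read REPLY
#       exit
#   fi
```

Since this runs only in sessions that start a login shell and source /etc/profile, it is a courtesy gate rather than an access control; enforcement of who may log in belongs in the login/PAM or sshd configuration.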
Bob Ferro
Regular Advisor

Re: Direct Login VS. su only

Thanks again.