Operating System - HP-UX

Kevin Bushman
Occasional Advisor

changing /dev/console permissions

All,
Due to security requirements, I would like to change the permissions on /dev/console so it is not world writable when someone is logged in on the console (especially root). I've searched here and found a couple of ideas that didn't work.

I've checked two different systems where on one this works and on the other it doesn't and there are no differences on the file permissions when either logged in on the console or not logged in (when logged in they're the same on both, when not logged in they're the same on both).

I've also looked at the idea of changing the group ownership of /dev/console to sys, but on the system where this works, this isn't how it was done either.

Any suggestions? I've been all through the processes and can't find any way of implementing this. I could program it somehow, but would rather not if someone has a better solution.

TIA...

Gonzo
2 REPLIES
Steven E. Protter
Exalted Contributor

Re: changing /dev/console permissions

This kind of /etc/profile code may work:

if [ "$chkname" = "root" ]
then
    echo "..........."
else
    # echo "making the terminal file secure from hackers."
    mesg n >/dev/null
fi

if [ "$LOGNAME" = "root" ]
then
    echo "Native root login. Securing the terminal file."
    mesg n >/dev/null
fi

# just change the device.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
A. Clay Stephenson
Acclaimed Contributor

Re: changing /dev/console permissions

The permissions are set to 622 as part of the normal console login. Normally write permission is not considered to be a security risk because even if the root user (logged in at the console) saw "Please enter root password for verification" and were dumb enough to respond, unless a process had read access to that port, no damage would be done. You should also be aware that some daemons (which might not be run as root) might write error messages to the console. One option would be to modify root's .profile and, if connected to /dev/console as determined by "who am i", then set the port permissions, but this is really not a risk.

If it ain't broke, I can fix that.
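
The .profile approach suggested in the replies above, written out as an added example that is not part of the original thread: it takes the line name from "who am i" output and, only when that line is the console, removes group and other write from the device and verifies the result. The function names and the assumed "user line date time" layout of "who am i" are assumptions; as noted in the thread, daemons not running as root lose the ability to write messages to the console while this is in effect.

```shell
# Added example; function names are hypothetical, not from the thread.

# Print the line (tty) field from one line of "who am i" output.
# Assumed layout: "user  line  date time", e.g. "root  console  Jan 10 09:15".
who_line() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# Remove group/other write from DEVICE (default /dev/console) when LINE is
# the console. The thread states that console login sets the mode to 622,
# so this has to run at every login (e.g. from root's .profile).
# Returns: 0 = tightened and verified, 1 = session is not on the console,
#          2 = chmod failed or write bits are still present.
lock_console() {
    lc_line=$1
    lc_device=${2:-/dev/console}

    case $lc_line in
        console|/dev/console) ;;
        *) unset lc_line lc_device; return 1 ;;
    esac

    if ! chmod go-w "$lc_device"; then
        unset lc_line lc_device
        return 2
    fi

    # Verify rather than trust chmod: in the ls -l mode string, character 6
    # is group write and character 9 is other write; both must be "-".
    lc_mode=$(ls -ld "$lc_device" | awk '{ print substr($1, 1, 10) }')
    unset lc_line lc_device
    case $lc_mode in
        ?????-??-?) unset lc_mode; return 0 ;;
        *)          unset lc_mode; return 2 ;;
    esac
}
```

In root's .profile, define both functions and then call `lock_console "$(who_line "$(who am i)")"`; a return status of 1 simply means the login was not on the console.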