HPE Community
Operating System - HP-UX
1834431 Members
1921 Online
110067 Solutions
New Discussion

disabling direct access to cde as root

 
SOLVED
Go to solution
Luca_71
New Member

‎11-17-2005 01:29 AM

‎11-17-2005 01:29 AM

disabling direct access to cde as root

Hi everybody
I want to disable direct access as root to our systems, so that users have to login as themselves and then switch user to root, if they need to.
I put "console" in /etc/securetty and this prevents direct access as root via telnet, but users can still login as root if they access to CDE using an Xclient.
Does anyone know how to disable direct root access to CDE?
Best Regards
Luca
0 Kudos
Reply
8 REPLIES 8
Steven E. Protter
Exalted Contributor

‎11-17-2005 01:53 AM

‎11-17-2005 01:53 AM

Re: disabling direct access to cde as root

Shalom Luca,

http://www.unixguide.net/hp/faq/5.15.2.3.shtml

http://www1.itrc.hp.com/service/james/dispDoc.do?docURL=http%3A%2F%2Fsearch.hp.com%2Fredirect.html%3Furl%3Dhttp%253A%2F%2Fforums1.itrc.hp.com%2Fservice%2Fforums%2Fquestionanswer.do%253FthreadId%253D717877%26qt%3D%252Bdisable%2B%252Bcde%2B%252Blogin%26hit%3D3&aid=SEARCH_FORUMS&pil=3&serStr=disable+cde+login&pir=3

Good luck,

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Denver Osborn
Honored Contributor

‎11-17-2005 01:54 AM

‎11-17-2005 01:54 AM

Re: disabling direct access to cde as root

Have a look at http://docs.hp.com/en/B1171-90162/ch01s06.html

Scroll down to the heading "Issuing Commands Before Starting the User Session". That section will help you out.

What you can do is setup the Xstartup to check if the user is root, if so then exit.

Something like this added to the Xstartup should do...

if [ `logname` = root ]
then
exit 0
fi


the doc online explains where and what the Xstartup is.

Hope this helps,
-denver
Reply
Luca_71
New Member

‎11-17-2005 02:24 AM

‎11-17-2005 02:24 AM

Re: disabling direct access to cde as root

Thank you guys, but your suggestions were not helpfull.
Steven, I don't want to disable cde, because users need it to start graphical applications, I only want to prevent them to log in directly as root.
Denver, I tried what you suggested, but it didn't work. I tried replacing `logname` with $USER, but it had no effect, I can still login as root...
Any idea?
0 Kudos
Reply
Tom Ward_1
Honored Contributor

‎11-17-2005 03:06 AM

‎11-17-2005 03:06 AM

Solution

Re: disabling direct access to cde as root

Denver's got it.

cp /usr/dt/config/Xstartup /etc/dt/config/Xstartup

edit your copy in /etc/dt/config/Xstartup and add:

if [ $USER = root ]; then
exit 1
fi

I don't know if you need to cycle CDE, but it won't hurt. BTW, this is from Chris Wong's book on HPUX 11i security.

HTH,
Tom
Reply
Luca_71
New Member

‎11-17-2005 03:27 AM

‎11-17-2005 03:27 AM

Re: disabling direct access to cde as root

Now it works. I simply replaced "exit 0" with "exit 1", like Tom seemed to suggest.
I have no idea though why "exit 0" doesn't really exit and "exit 1" does.
Anyway you've been a great help, thank you again.
Regards
Luca
0 Kudos
Reply
Luca_71
New Member

‎11-17-2005 07:40 PM

‎11-17-2005 07:40 PM

Re: disabling direct access to cde as root

Just out of curiosity, do you know why the difference between exit 0 and exit 1?
As far as I know, the exit code shouldn't affect the behavior of the exit command itself, however, in the very same script(/etc/dt/config/Xstartup) 'exit 1' terminates my xsession, while 'exit 0' still allows me to login as root.
I tried both options on a couple of different machines, and the behavior is the same.
Do you have any idea?
Regards
Luca
0 Kudos
Reply
Denver Osborn
Honored Contributor

‎11-17-2005 11:19 PM

‎11-17-2005 11:19 PM

Re: disabling direct access to cde as root

doh! I can't beleive I did that... :)

anyhow, exit 0 means the program completed successfully while anything not = 0 means it didn't complete successfully. The dt startup probably got the return code 0 and saw all was well so it kept going. changing it to 1 fixed my bad.

-denver
Reply
Luca_71
New Member

‎11-18-2005 12:51 AM

‎11-18-2005 12:51 AM

Re: disabling direct access to cde as root

well... it makes sense :-)
thank you again
Luca
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.