HPE Community
Operating System - HP-UX
1834755 Members
3532 Online
110070 Solutions
New Discussion

Disabling X logins

 
SOLVED
Go to solution
Fedon Kadifeli
Super Advisor

‎06-05-2001 10:42 PM

‎06-05-2001 10:42 PM

Disabling X logins

For security reasons, I want to disable dt logins to some production servers. Is it enough to comment out the /sbin/rc3.d/S990dtlogin.rc script? Or is it better to comment out the line DESKTOP=CDE in the /etc/rc.config.d/desktop file? What other precautions should I take to disable X logins?
0 Kudos
Reply
1 REPLY 1
eran maor
Honored Contributor

‎06-05-2001 10:52 PM

‎06-05-2001 10:52 PM

Solution

Re: Disabling X logins

Hi

you got it rigth .
here is some option to choose from but you gwrote 2 of them and the will work fine :

Logins to CDE can be prevented by in one of several ways

Disable dtlogin.
If you have no use for CDE on your system, it can easily be disabled. Edit /etc/rc.config.d/desktop. CDE will only start at run-level 3 if DESKTOP=CDE is contained within this file.


Prevent dtlogin from managing remote displays.
The Xaccess file (copy from /usr/dt/config to /etc/dt/config to customize) normally will allow incoming XDMCP requests from all remote X displays. Xaccess can be used to restrict access to a limited set of X displays. Changes to Xaccess require a "SIGHUP" to the parent dtlogin process. This can be done via "/usr/dt/bin/dtconfig -reset".

If there are specific X terminals or PC's, etc, that would require access to CDE this feature can be use to explicity allow/deny access to the CDE display management service.

EXAMPLE (See Xaccess for other examples):


adminpc1
adminpc2

!userpc1
!userpc2
!xterma
!*.dialup.my.com

Place a test in the Xstartup script to identify authorized users.
The Xstartup script is run as root and can be used to identify users by name that are authorized to login to CDE. If Xstartup exits with a non-zero status, CDE will NOT start. Due to X server display restrictions, it is not possible to display a warning message from within Xstartup. The user will not know why the login is failing, just that it is. To customize Xstartup, copy it first from /usr/dt/config to /etc/dt/config. Do not edit the files in /usr/dt/config.

EXAMPLE:


case "$USER" in

root|admin|dj)
: # do nothing
;;

*)
exit 1
;;
esac

Place a test in an Xsession.d script to identify authorized users.
Scripts found in /etc/dt/config/Xsession.d will be "sourced" by CDE's Xsession (/usr/dt/bin/Xsession) during login. If any of these scripts should exit, the session startup will be aborted. Since Xsession is run as the user and not root, it is possible to display a warning message dialog to indicate that access to CDE is denied.

EXAMPLE "/etc/dt/config/Xsession.d/0001.nologin":


case "$USER" in

root|admin|dj)
: # do nothing
;;

*)
/usr/dt/bin/dterror.ds 'Login to CDE denied for user: $USER\n' 'nologin' 'OK'
exit 1
;;
esac


love computers
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.