Operating System - HP-UX
Jerry Anderson_5
New Member

Forcing su rather than allowing telnet login for specific accounts

I'm trying to figure out how to secure application accounts on a production server. Our policy is that users should login as themselves and then su to the application account - now I need a way to enforce this sequence rather than just suggest it.

Here are the parameters:
1. Users come from multiple networks (10.x, 172.x, 192.x; it's a long story).
2. The application accounts use ftp to transfer data among systems, so I can't simply lock the account to force su rather than login.
3. There are 20 maintainers that need to use these accounts.
4. Their work is not predictable enough to set up an adequate sudoers file without a lot of work and angst.

I was hoping I could write some shell code that would detect that the UID and EUID were the same for a direct login and different for a su, but it appears that id only returns ids within the current context - the uid and euid are the same after an su.

It also seems to me that I might be able to do this by looking for the parent process for a new shell and making sure that it is an su.

But what I'm really hoping is that someone out there already has a robust, tested, solution for this problem.
Steven Sim Kok Leong
Honored Contributor

Re: Forcing su rather than allowing telnet login for specific accounts

Hi,

Check out the HP-UX commands "whoami" and "who am i". One returns the username before su while the other returns the username su'ed into. That should provide you with the corresponding uid and euid that you need.

Hope this helps. Regards.

Steven Sim Kok Leong
Michael Tully
Honored Contributor

Re: Forcing su rather than allowing telnet login for specific accounts

Well, for the root account, set up the /dev/securetty file with the word console in it.
For other specific accounts, simply lock them. You can use either 'passwd -l' or replace the encrypted password with a '*' in the /etc/passwd file. See the man page for passwd.
$ man 1 passwd
Anyone for a Mutiny ?
Sridhar Bhaskarla
Honored Contributor

Re: Forcing su rather than allowing telnet login for specific accounts

Hi,

You can leverage the "who am i" output to find out the base user and then restrict them from direct login. For example, the following sample code looks for the user in /etc/nodirectlogin and exits if it is found, which only happens on a direct login.

# "who am i" reports the user who owns the terminal, and that does not change
# after su, so it gives the name the person originally logged in as.
ME=$(who am i | awk '{print $1}')

# Refuse the session when that original name is one of the listed accounts,
# i.e. the account was reached by direct login rather than by su.
if grep -q "^${ME}:" /etc/nodirectlogin
then
    echo "$ME cannot login directly. Login with your own id and then su to $ME"
    exit
fi

You will need to add the generic logins in your /etc/nodirectlogin file as follows

oracle:Oracle account
sybase:Sybase Generic account

etc., etc.,

However, these accounts will allow the users to do a 'su' to them.

You will also need to customize your csh.login for accounts with csh shell.

This is not a 100% guaranteed method but is close.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Rodney Hills
Honored Contributor

Re: Forcing su rather than allowing telnet login for specific accounts

In the /etc/passwd file, change the shell for the username/application to /bin/false.

Thus users can ftp and su to that account, but if someone attempts to login it won't have a valid shell to start up.

HTH

-- Rod Hills
There be dragons...
Michael Tully
Honored Contributor

Re: Forcing su rather than allowing telnet login for specific accounts

I know one thing, I should learn how to read ... 8^)
Anyone for a Mutiny ?
Sridhar Bhaskarla
Honored Contributor

Re: Forcing su rather than allowing telnet login for specific accounts

I forgot about CDE logins. Users with Reflection X or Exceed can directly login to the systems with CDE. /etc/profile|csh.login won't help you in that case. You will need to place an X startup script with the same logic. For example, create a script called 0000.directlogin under /etc/dt/config/Xsession.d with 555 permissions.

Add the following shell code to it:

# $USER is set by the CDE login before the Xsession.d scripts run.
# Xsession sources these scripts, so "exit 1" here aborts the whole session.
if grep -q "^${USER}:" /etc/nodirectlogin
then
    /usr/dt/bin/dterror.ds "CDE login denied for $USER" "Login Denied" "Exit"
    exit 1
fi

This should prevent all the users listed in /etc/nodirectlogin from logging on via CDE.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Jerry Anderson_5
New Member

Re: Forcing su rather than allowing telnet login for specific accounts

Thanks for the suggestions. I'm going to try them out this weekend and get back with points next week.

Please feel free to add to the list if you have any alternative ideas.
Elmar P. Kolkman
Honored Contributor

Re: Forcing su rather than allowing telnet login for specific accounts

If you don't need specific settings from the user (so you don't run su -, only su), you could replace the contents of .profile with a single line: exit. This means the user will immediately be logged out when trying to login.

If not, you could compare the first fields of 'who am i' and 'whoami'. If they are the same, the user needs to be logged out, so if you put that in the users .profile it should also work. The whoami info is updated after a su, while 'who am i' isn't. The line would become:

# whoami reflects the identity after su; "who am i" keeps the terminal's
# original login name, so equal values mean a direct login.
if [ "`whoami`" = "`who am i | cut -d' ' -f1`" ]
then
    exit
fi
Every problem has at least one solution. Only some solutions are harder to find.
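The whoami / "who am i" comparison used in the replies above, written as an added example that is not part of the thread. The decision is split from the system probes so it can be exercised without a terminal; the list format is the account:description layout of /etc/nodirectlogin proposed earlier, and the sample list here is constructed for the demo. The empty-login-name case (no terminal entry for the session) is treated as a direct login so the check fails closed, which is an assumption the original snippets do not make.

```sh
#!/bin/sh
# Added example: the "who am i" vs "whoami" check factored into functions.
# Not code from the thread; the list below is constructed for the demo.

# Constructed sample of /etc/nodirectlogin: "account:description" per line.
NODIRECT_SAMPLE='oracle:Oracle account
sybase:Sybase Generic account'

# listed_in ACCOUNT LIST_TEXT
# 0 if ACCOUNT is the first colon-separated field of some line in LIST_TEXT.
listed_in() {
    printf '%s\n' "$2" | grep -q "^$1:"
}

# is_direct_login LOGIN_USER EFFECTIVE_USER
# "who am i" reports the user who owns the terminal and does not change
# after su; "whoami" reports the current effective user. Equal names mean
# the account was logged into directly. An empty LOGIN_USER means "who am i"
# found no terminal entry (remote command without a tty, or a session utmp
# does not know); treat that as direct so the check fails closed.
is_direct_login() {
    login_user=$1
    eff_user=$2
    [ -z "$login_user" ] && return 0
    [ "$login_user" = "$eff_user" ]
}

# session_verdict LOGIN_USER EFFECTIVE_USER LIST_TEXT
# Prints "deny" when EFFECTIVE_USER is a listed account reached by direct
# login, otherwise "allow" (su into a listed account, or an unlisted user).
session_verdict() {
    if listed_in "$2" "$3" && is_direct_login "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# enforce_no_direct_login LIST_FILE
# The live form for /etc/profile. Because /etc/profile is sourced by the
# login shell, "exit" here ends the login itself.
enforce_no_direct_login() {
    login_user=$(who am i 2>/dev/null | awk '{print $1}')
    eff_user=$(whoami)
    if [ "$(session_verdict "$login_user" "$eff_user" "$(cat "$1")")" = deny ]; then
        echo "$eff_user cannot login directly. Login with your own id and then su to $eff_user" >&2
        exit 1
    fi
}

# Demo on the constructed list; runs without a terminal.
demo() {
    session_verdict oracle oracle "$NODIRECT_SAMPLE"   # deny: direct login
    session_verdict jerry  oracle "$NODIRECT_SAMPLE"   # allow: su from jerry
    session_verdict jerry  jerry  "$NODIRECT_SAMPLE"   # allow: not listed
    session_verdict ""     sybase "$NODIRECT_SAMPLE"   # deny: no tty, fail closed
}

demo
```

In /etc/profile the call would be `enforce_no_direct_login /etc/nodirectlogin`, placed before anything the user could interrupt. The same verdict function can sit behind the CDE Xsession.d hook mentioned above, with $USER passed as the effective user.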
Dave La Mar
Honored Contributor
Solution

Re: Forcing su rather than allowing telnet login for specific accounts

Jerry -
I just went through something similar. The developers need ftp access, but I have locked down replace and chmod in the ftpaccess file.

Then there was a user I wanted to be able to ftp but not telnet.

I simply test for the username in /etc/profile at login, force them to exit and notify where it came from. The notify script gives me an IP address or PC name from which I can trace back to the user's workstation.

/etc/profile entry:

# Exit if the user is jobdev. login(1) sets LOGNAME for the session, so test
# that rather than a variable the shell does not set by default.

if test "$LOGNAME" = "jobdev"
then
    /usr/local/bin/systems/security/violator
    exit 0
fi

Notify script snippet:
# ============================================================
# Use the wtmp file to find the offender.
# MAIL_LIST is set earlier in the script (not shown here).
# ============================================================

# Most recent login record; the original relies on last -R to put the
# remote host in the third field.
LATEST=$(last -R | head -1)

# Internal hosts carry "corp" in their name: mail the record as-is.
if echo "$LATEST" | grep -q corp
then
    echo "$LATEST" | mailx -s "MOE Login Violator" $MAIL_LIST
else
    # Otherwise field 3 is an address, possibly with an X display suffix
    # (":0"); strip that and resolve the name. Assigning with $(...) avoids
    # "| read", which only works in shells that run the last pipeline
    # stage in the current process.
    addr=$(echo "$LATEST" | awk '{ print $3 }' | cut -d ":" -f1)
    network_id=$(nslookup $addr | grep Name | cut -d ":" -f2)
    echo "$addr on $network_id" | mailx -s "MOE Login Violator" \
        $MAIL_LIST
fi

Hope this assists a bit.
Best of luck.

Regards,
dl
"I'm not dumb. I just have a command of thoroughly useless information."
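The origin classification that the notify script above performs on the newest wtmp record, as an added example that is not part of the thread and that works on text passed in rather than on a live `last` run. It assumes the layout the script relies on: the remote host in field 3, optionally followed by an X display suffix such as ":0", and "corp" marking an internal hostname. The sample lines are constructed, not real login records.

```sh
#!/bin/sh
# Added example: classify where a login came from, using the field layout
# and "corp" convention of the notify script above. Not code from the thread.

# Constructed last -R style records for the demo; not real entries.
SAMPLE_INTERNAL='jobdev   pts/ta   build7.corp.example   Mon Jun  2 09:12   still logged in'
SAMPLE_EXTERNAL='jobdev   pts/tb   10.20.30.40:0         Mon Jun  2 09:15   still logged in'

# login_origin LAST_LINE
# Prints "internal <host>" when the host field contains "corp", otherwise
# "address <ip>" with any ":display" suffix removed, ready for a lookup.
login_origin() {
    host=$(printf '%s\n' "$1" | awk '{print $3}')
    case "$host" in
        *corp*) printf 'internal %s\n' "$host" ;;
        *)      printf 'address %s\n' "${host%%:*}" ;;
    esac
}

# notify_latest MAIL_LIST
# Live form: take the newest record from wtmp, classify it, resolve an
# external address, and mail the result. Not run by the demo below.
notify_latest() {
    latest=$(last -R | head -1)
    set -- $(login_origin "$latest") "$1"
    if [ "$1" = internal ]; then
        echo "$latest" | mailx -s "MOE Login Violator" $3
    else
        name=$(nslookup "$2" 2>/dev/null | grep Name | cut -d ":" -f2)
        echo "$2 on $name" | mailx -s "MOE Login Violator" $3
    fi
}

# Demo on the constructed records.
login_origin "$SAMPLE_INTERNAL"   # internal build7.corp.example
login_origin "$SAMPLE_EXTERNAL"   # address 10.20.30.40
```

Keeping the parsing in login_origin means the mail step can be swapped for a syslog call or a ticket without touching the wtmp handling.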