HPE Community
Operating System - HP-UX
1830080 Members
15268 Online
109998 Solutions
New Discussion

inetd.sec - Telnet localhost only works for root

 
SOLVED
Go to solution
Vinesh Dhevcharran_1
Advisor

‎07-14-2003 01:51 AM

‎07-14-2003 01:51 AM

inetd.sec - Telnet localhost only works for root

Hi,

I have commenced tightening up on security by implementing inetd.sec. This is working fine for all users for all "allowable" ip addresses except for telnet to localhost for non root users!

entry in /var/adm/inetd.sec
telnet allow 123.12.34.02-20 127.0.0.1 localhost
permission on inetd.sec is 444 root:sys

e.g. for user abcd
telnet localhost
localhost: Unknown host
test=abcd>>ping localhost
PING localhost: 64 byte packets
64 bytes from 127.0.0.1: icmp_seq=0. time=0. ms

e.g. for user root
telnet localhost
Trying...
Connected to localhost.
Escape character is '^]'.
Local flow control on
Telnet TERMINAL-SPEED option ON

HP-UX test B.11.00 A 9000/800 (ta)

login:

Many thanks for any help

0 Kudos
Reply
10 REPLIES 10
Massimo Bianchi
Honored Contributor

‎07-14-2003 01:53 AM

‎07-14-2003 01:53 AM

Re: inetd.sec - Telnet localhost only works for root

Hi,
for root there is another security mechanisms


Create a file called /etc/securetty.
this file lists the allowed terminal root can connect from.

Usually there is only just one entry:
console

This should help you .

HTH,
Massimo
0 Kudos
Reply
Vinesh Dhevcharran_1
Advisor

‎07-14-2003 04:32 AM

‎07-14-2003 04:32 AM

Re: inetd.sec - Telnet localhost only works for root

Hi,

Thanks for the response, but user root is NOT the problem.
1. I already have a file securetty with the word console in it.
2. If I try and telnet as user root, I get a login screen. From here I login as a non-root user.
3. If I try and telnet as a non-root user (uid ne 0) I get the message "unknown host"

My problem is with non-root users
0 Kudos
Reply
Massimo Bianchi
Honored Contributor

‎07-14-2003 04:36 AM

‎07-14-2003 04:36 AM

Re: inetd.sec - Telnet localhost only works for root

Hi,
what are the permission of file /etc/hosts ?

HTH,
Massimo
0 Kudos
Reply
David_246
Trusted Contributor

‎07-14-2003 04:42 AM

‎07-14-2003 04:42 AM

Solution

Re: inetd.sec - Telnet localhost only works for root

Hi,

Please show us the contents of /etc/nsswitch.conf

Depending on what is in there show us the output of :
- grep localhost /etc/hosts
- nslookup localhost
- ls -l /etc/nsswitch.conf
- ls -l /etc/resolv.conf

If you can provide us all the requested output, the solution must be near.

Regs David

P.S. : Please assign points to your previous (16) answers. They at least spent time to help you, right ?
@yourservice
Reply
Vinesh Dhevcharran_1
Advisor

‎07-14-2003 04:51 AM

‎07-14-2003 04:51 AM

Re: inetd.sec - Telnet localhost only works for root

Hi

As a non-root user, if I try telnet localhost I get:
test=abcd>>telnet localhost
localhost: Unknown host

As a non-root user, if I try telnet 127.0.0.1 I get:
Trying...
Connected to 127.0.0.1.
Escape character is '^]'.
Local flow control on
Telnet TERMINAL-SPEED option ON
HP-UX test B.11.00 A 9000/800 (ta)
login:

To summarize:
Telnet to localhost or 127.0.0.1 works as user root (Obviously I login as non-root user because of the securetty file)
Telnet to 127.0.0.1 works for non-root user
telnet to localhost does not work for non-root user

Any help is appreciated.

Vinesh


0 Kudos
Reply
Massimo Bianchi
Honored Contributor

‎07-14-2003 04:56 AM

‎07-14-2003 04:56 AM

Re: inetd.sec - Telnet localhost only works for root

Hi Vinesh,
can you please check the permission of file /etc/hosts ?

If, as user non-root, you cannot resolve localhost, looks like a name resolution problem, more than a inetd.sec problem.

Massimo
0 Kudos
Reply
Vinesh Dhevcharran_1
Advisor

‎07-14-2003 05:31 AM

‎07-14-2003 05:31 AM

Re: inetd.sec - Telnet localhost only works for root


ls -al hosts
-rw-r--r-- 1 root sys 847 Jul 14 15:03 hosts
ls -al /etc/nsswitch.conf
-rw------- 1 root sys 122 Jun 14 2002 /etc/nsswitch.conf

as user root
test:/etc# nslookup localhost
Name Server: xxxxx.uuu.co.za
Address: 123.456.789.1

Trying DNS
looking up FILES
Name: localhost
Address: 127.0.0.1
Aliases: loopback

as user abcd
test=abcd>>nslookup localhost
Name Server: xxxxx.uuu.co.za
Address: 123.456.789.1

Trying DNS
Trying NIS
looking up FILES
Name: localhost
Address: 127.0.0.1
Aliases: loopback


more /etc/nsswitch.conf
hosts: dns [NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue] files[NOTFOUND
=return UNAVAIL=continue TRYAGAIN=return]

grep localhost /etc/hosts
127.0.0.1 localhost loopback

Thanks
PS. David, This is the second userid that I am using. I cannot access all other requests from my first userid. Apologies never-the-less.
0 Kudos
Reply
Vinesh Dhevcharran_1
Advisor

‎07-14-2003 06:23 AM

‎07-14-2003 06:23 AM

Re: inetd.sec - Telnet localhost only works for root

Hi,

The problem was the permissions on nsswitch.conf. It was 600. I changed this to 644 and the telnet now works.

Is the 644 permission fine as far as security goes?
0 Kudos
Reply
Massimo Bianchi
Honored Contributor

‎07-14-2003 06:27 AM

‎07-14-2003 06:27 AM

Re: inetd.sec - Telnet localhost only works for root

Hi,
644 is optimal for security.

If you want very thighten security, you can go also down to 444, just to avoid accidental overwriting.

HTH,
Massimo
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎07-14-2003 06:28 AM

‎07-14-2003 06:28 AM

Re: inetd.sec - Telnet localhost only works for root

Hi:

Yes, the permissions of 644 are correct and necessary. This simply means that the file's owner (here, 'root') can read-and-write the file but the group (here, 'sys') can only read; and all other users are also limited to read-only access.

Regards!

...JRF...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.