HPE Community
Operating System - HP-UX
1832955 Members
2766 Online
110048 Solutions
New Discussion

Prevent direct login (su only)

 
SOLVED
Go to solution
Gary L. Paveza, Jr.
Trusted Contributor

‎05-29-2003 09:26 AM

‎05-29-2003 09:26 AM

Prevent direct login (su only)

Does anyone have an scripts that they use to prevent direct login by a user ID? We need to have user IDs (such as oracle), but not allow users to login to these IDs (they are to be forced to su). Currently, I had a hack in the /etc/profile file to do this, but due to auditing, I think I'm better off replacing the shell of the user with a script which does this. Anyone have an example of such a script to keep me from reinventing the wheel? Thanks in advance.
0 Kudos
Reply
7 REPLIES 7
Bill Douglass
Esteemed Contributor

‎05-29-2003 10:17 AM

‎05-29-2003 10:17 AM

Re: Prevent direct login (su only)

One way is to install sudo on your system (get the package from http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.6/),
and set up your /etc/sudoers file like so:


USER_ALIAS ORACLE = user1, user2

ORACLE ALL = /usr/bin/su - oracle


Then, any of the users you have listed in the ORACLE USER_ALIAS can get a login shell as oracle by typing in:

sudo su - oracle

Set the password field in /etc/passwd to "*" to disable login access to the oracle account.

0 Kudos
Reply
Robert-Jan Goossens
Honored Contributor

‎05-29-2003 10:56 AM

‎05-29-2003 10:56 AM

Re: Prevent direct login (su only)

Hi,

Take a look at this question.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7924cbaac6dcd5118ff40090279cd0f9,00.html

Kind regards,

Robert-Jan.
0 Kudos
Reply
Chris Vail
Honored Contributor

‎05-30-2003 08:56 AM

‎05-30-2003 08:56 AM

Re: Prevent direct login (su only)

I've attached a document that answers this very question. It has a lot of hardening steps.
(It also irritates the DBA's!)


Chris
0 Kudos
Reply
Jordan Bean
Honored Contributor

‎05-30-2003 10:10 AM

‎05-30-2003 10:10 AM

Solution

Re: Prevent direct login (su only)


In /etc/profile or /etc/csh.login include a quick hack that terminates the shell if the $(logname) matches a list of restricted users.

/etc/profile:

tty -s && grep -q $(logname) /etc/login.deny && exit 0

As of patch bundle March 2003, the logname command fails for ttys using the pts driver (ssh). The tels driver is okay (telnet). So you may also concider testing the ownership of the tty:

tty -s && grep -q $(id -un) /etc/login.deny && test -O $(tty) && exit 0

Reply
Jordan Bean
Honored Contributor

‎05-30-2003 10:13 AM

‎05-30-2003 10:13 AM

Re: Prevent direct login (su only)


What did your security auditor say about doing this the system login profile?

0 Kudos
Reply
Suhas_2
Regular Advisor

‎05-31-2003 06:15 AM

‎05-31-2003 06:15 AM

Re: Prevent direct login (su only)

Hi,
Alternatively, you may wish to use "PowerBroker" software from Symark.
www.symark.com/powerbroker.htm

This will allow you to delegate these privileges to other users. It will authenticate the end-user. It will help to keep an Audit Trail of the activity carried out.

Hope this helps.

Regards...
Suhas

Have a look at this link.
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x0af4585fae8bd711abdc0090277a778c,00.html
Never say "Die"
0 Kudos
Reply
Gary L. Paveza, Jr.
Trusted Contributor

‎06-02-2003 10:00 AM

‎06-02-2003 10:00 AM

Re: Prevent direct login (su only)

Auditors would ideally like to see something that would show up in /etc/passwd, not /etc/profile. So I'm going to be writing a script which basically prevents login. That should allow su to function. Just a matter of hardening it up really well.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.