Operating System - HP-UX

Regarding preventing root from any system.

Hi

I have a Solaris machine on which we can prevent root login. Root login has to be done through the console, with the help of /etc/default/login and the line CONSOLE=/dev/console.

I need to know whether there is any file on HP9000 machines through which we can prevent root login from any other machine (except the console).

Regards

Nikhil

7 REPLIES
Bill Hassell
Honored Contributor

Re: Regarding preventing root from any system.

Yes. The man page for login describes the file: /etc/securetty. Put in it the name of the device(s) that are allowed root login; the /dev/ part is added automatically, so just put the word console in the file, as in:

echo console > /etc/securetty

and now no one can log in as root using telnet or a modem or terminal. Only the console will allow a root login. Users that know the root password can use su to become root regardless of what connection they use.

If the securetty file is empty, then no one can ever log in as root. (Really secure, eh?) Actually this is useful. Everyone must now log in as a normal user and then use su - root to become root. wtmp (see last) and btmp (see lastb) will record the user logins and the terminals/IP addresses they used, while sulog will log all attempts to use su.


Bill Hassell, sysadmin
Steven Sim Kok Leong
Honored Contributor

Re: Regarding preventing root from any system.

Hi,

One workaround would be to add the following lines to your /etc/profile after the trap:
==
# Continue only when the session is on the console AND the user is root;
# every other session is ended.
if tty | grep console >/dev/null && echo "$LOGNAME" | grep root >/dev/null
then
    :
else
    exit
fi
==
Regards.

Steven Sim.
Steven Sim Kok Leong
Honored Contributor

Re: Regarding preventing root from any system.

Hi,

Realised my mistake. Should be:
==
# Only root sessions are checked; a root session that is not on the
# console is ended, every other user continues normally.
if echo "$LOGNAME" | grep root >/dev/null
then
    if tty | grep console >/dev/null
    then
        :
    else
        exit
    fi
fi
==
Regards.

Steven Sim.
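The /etc/profile guard above, written as an added example (not code from the thread) in a form that can be tested outside a login session. It compares the user name and tty exactly instead of with grep, since `echo $LOGNAME | grep root` also matches an account called "rootkit" or "nonroot", and it treats a session with no tty (tty prints "not a tty") as remote. The function name root_session_allowed and the sample sessions are assumptions made for this example; the console device is assumed to be /dev/console.

```shell
#!/bin/sh
# Added example, not from the thread: a guard for /etc/profile that ends a
# root session unless it is on the system console.
# Assumptions: the console is /dev/console; tty(1) prints "not a tty" for a
# session without a terminal (rexec/rsh style); function name is hypothetical.

# root_session_allowed USER TTY
#   returns 0 if the session may continue, 1 if it must be ended
root_session_allowed() {
    _user=$1
    _tty=$2
    # Non-root users are never affected by this guard.
    if [ "$_user" != root ]; then
        return 0
    fi
    # Exact match: a substring test such as grep would also accept
    # /dev/console.old or a user named "rootkit".
    if [ "$_tty" = /dev/console ]; then
        return 0
    fi
    # Anything else, including "not a tty", is treated as remote.
    return 1
}

# Stand-alone demonstration over constructed sessions (not real logins).
demo() {
    for _s in "root /dev/console" "root /dev/pts/3" "root not_a_tty" \
              "rootkit /dev/pts/1" "nikhil /dev/pts/0"; do
        set -- $_s
        if root_session_allowed "$1" "$2"; then
            echo "allow $1 on $2"
        else
            echo "deny  $1 on $2"
        fi
    done
}

# In /etc/profile, after the trap line, the guard would be used as:
#   root_session_allowed "$LOGNAME" "$(tty 2>/dev/null)" || exit
demo
```

As with the original snippet, this only affects shells that read /etc/profile; a user who knows the root password can still su to root from any session, and it does not cover X logins handled by dtlogin or vuelogin.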
Fedon Kadifeli
Super Advisor

Re: Regarding preventing root from any system.

I think the securetty thing doesn't work for X connections. For example, you can still connect to this machine from Reflection by using the root user...
Alex Glennie
Honored Contributor

Re: Regarding preventing root from any system.

The Case of Xwindows :

Neither dtlogin nor vuelogin refers to the /etc/securetty file after checking the login information against the /etc/passwd file.

To keep root from using the workstation graphics console or an X terminal when vuelogin or dtlogin is running, add the following lines to the end of either /usr/vue/config/Xstartup (in HP-UX 10.X this would be /etc/vue/config/Xstartup) or /etc/dt/config/Xstartup (copy it over from /usr/dt/config if the file does not exist in /etc/dt/config) for CDE:

# Refuse the X session when the user logging in is root.
if [ "$USER" = root ]; then
    exit 1
fi

This will terminate the login process if the user is logging in as root.

Or, for all users:

# Refuse the X session for every user other than root.
if [ "$USER" != root ]; then
    exit 1
fi
Eric J. Gonzalez
Occasional Advisor

Re: Regarding preventing root from any system.

Create the /etc/securetty file as indicated in a previous answer, but you also have to chmod 600 /etc/securetty in order to prevent users from tapping into the file.
Rick Garland
Honored Contributor

Re: Regarding preventing root from any system.

Use the /etc/securetty file as described. However, if using a package such as Exceed or Reflection and logging into a system using the rexecd process, this will not work.
Either turn off the rexec service or develop a script in which the system is checked for a root login via the 'who am i' command. If it finds one, e-mail an administrator and get out the tar and feathers.
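The detection script suggested above, as an added example that is not from the thread: it reads who(1) output and flags root sessions whose terminal is not the console, so a cron job can mail the result to an administrator. The who output below is constructed for the example, the function names are assumptions, and the console is assumed to show up as "console" in the tty column, with who printing user, tty, time and an optional "(host)" column as HP-UX does.

```shell
#!/bin/sh
# Added example, not from the thread: flag root logins that are not on the
# system console by scanning who(1) output. Assumptions: the console line is
# named "console"; who prints user, tty, date/time and an optional "(host)"
# column; function names and sample data are made up for this example.

# remote_root_sessions: reads who(1) output on stdin, prints every root
# session not on the console; returns 0 if any were found, 1 otherwise.
remote_root_sessions() {
    awk '$1 == "root" && $2 != "console" { found = 1; print }
         END { exit !found }'
}

# Constructed sample of who output (not captured from a real system).
SAMPLE_WHO='root     console      Mar 12 09:15
nikhil   pts/ta       Mar 12 10:02    (10.1.2.3)
root     pts/tb       Mar 12 10:07    (10.1.2.9)
alex     pts/tc       Mar 12 10:30    (10.1.2.4)'

# count_remote_root: number of offending sessions in the sample.
count_remote_root() {
    printf '%s\n' "$SAMPLE_WHO" | remote_root_sessions | wc -l | tr -d ' '
}

# Stand-alone run over the sample; on a live box replace the printf with
# `who`, and mail the report, for example:
#   if who | remote_root_sessions > /tmp/rootlogins.$$; then
#       mailx -s "root login not on console" admin < /tmp/rootlogins.$$
#   fi
#   rm -f /tmp/rootlogins.$$
if printf '%s\n' "$SAMPLE_WHO" | remote_root_sessions; then
    echo "root is logged in away from the console: $(count_remote_root) session(s)"
else
    echo "no remote root sessions"
fi
```

Running this from cron only catches sessions that are still open; the btmp/wtmp records (last, lastb) and sulog mentioned earlier in the thread are where to look for sessions that have already ended.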