HPE Community
Operating System - HP-UX
1846423 Members
2742 Online
110256 Solutions
New Discussion

Securing root access from xterm

 
SOLVED
Go to solution
ken_5
Advisor

‎09-17-2002 12:57 PM

‎09-17-2002 12:57 PM

Securing root access from xterm

I have been charged with securing access to my HP/UX 11.0 environment. One of the requests is to restrict root access to the su command and the console. I have used SAM to restrict tty connections, and I've reviewed the process for restricting CDE connections, but I can not figure out a way to restrict my Hummingbird users who execute xterm without using the login scripts. Has anyone else faced this problem before?
tks
ken
0 Kudos
Reply
17 REPLIES 17
Deshpande Prashant
Honored Contributor

‎09-17-2002 01:02 PM

‎09-17-2002 01:02 PM

Re: Securing root access from xterm

HI
We block root users by checking it in .profile of root user.
####
if [ ${user} = "root" ]
then
if [ ${TTY} != "console" ]
then
echo " : root login allowed only through console..."
echo "ERR ${date} - ${TTY} ${user}-root" >> ${sulog}
exit
fi

##

Thanks.
Prashant.
Take it as it comes.
0 Kudos
Reply
Craig Rants
Honored Contributor

‎09-17-2002 01:06 PM

‎09-17-2002 01:06 PM

Re: Securing root access from xterm

Or

echo console > /etc/securetty

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎09-17-2002 01:13 PM

‎09-17-2002 01:13 PM

Re: Securing root access from xterm

Hi Ken,

This is what I have on this:

Both dtlogin and vuelogin do not refer to the /etc/securetty file
after checking the login information against the /etc/passwd file.
There are several ways to prevent this:

1) To keep root from using the workstation graphics console or xterminal
when vuelogin or dtlogin are running, add the following lines to the
end of either /usr/vue/config/Xstartup (in HP-UX 10.X this would be
/etc/vue/config/Xstartup) or /etc/dt/config/Xstartup (copy over from
/usr/dt/config if the file does not exist in /etc/dt/config) for CDE:

if [ $USER = root ] ; then
exit 1
fi

This will terminate the login process if the user is logging in as
root.

or for all users :

if [ "$USER" != "root" ]; then
exit 1
fi

OR follow the steps in the HP TKB Doc (KBRC00000074):


http://support1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&admit=-682735245+1028645265478+28353475&docId=200000045437203

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
ken_5
Advisor

‎09-17-2002 01:14 PM

‎09-17-2002 01:14 PM

Re: Securing root access from xterm

${user} is not set on my system. The only thing that I have which is close to this is $LOGNAME and it gets changed to "root" when I execute the "su -" command.
0 Kudos
Reply
ken_5
Advisor

‎09-17-2002 01:14 PM

‎09-17-2002 01:14 PM

Re: Securing root access from xterm

echo console > /etc/securetty
will only disable telnet sessions. xterm sessions can still get through.
0 Kudos
Reply
ken_5
Advisor

‎09-17-2002 01:17 PM

‎09-17-2002 01:17 PM

Re: Securing root access from xterm

> echo $USER
sh: USER: Parameter not set.

$USER is not being set in my environment.
0 Kudos
Reply
ken_5
Advisor

‎09-17-2002 01:22 PM

‎09-17-2002 01:22 PM

Re: Securing root access from xterm

$TERM does get set, so I know if someone is connecting from the console, however, I want to allow su to be executed from an xterm session and the profile to be executed.
0 Kudos
Reply
Ted Ellis_2
Honored Contributor

‎09-17-2002 01:23 PM

‎09-17-2002 01:23 PM

Re: Securing root access from xterm

try echo $LOGNAME

Ted
0 Kudos
Reply
ken_5
Advisor

‎09-17-2002 01:27 PM

‎09-17-2002 01:27 PM

Re: Securing root access from xterm

$LOGNAME gets changed to "root" when you "su -".
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎09-17-2002 01:27 PM

‎09-17-2002 01:27 PM

Re: Securing root access from xterm

Hi (again) Ken,

Yes, just change $USER to $LOGNAME & you should be good to go.

Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎09-17-2002 01:31 PM

‎09-17-2002 01:31 PM

Re: Securing root access from xterm

Not sure what you mean by "$LOGNAME gets changed to root when you su."

I thought your question was how to prevent direct CDE or X logins by root.

If you want to restrict su to root - then don't give anyone the root PW......

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Ted Ellis_2
Honored Contributor

‎09-17-2002 01:34 PM

‎09-17-2002 01:34 PM

Re: Securing root access from xterm

can you actually login right now with Hummingbird straight to a root session? I can't.. maybe my syntax is outta whack, but I also notice a file on my servers called 8000.migration that is under /etc/dt/config/Xsessions.d and appears to prevent direct root logins via a root user... do you have that file? And can you access xterm with root user (no su)?
0 Kudos
Reply
ken_5
Advisor

‎09-18-2002 04:30 AM

‎09-18-2002 04:30 AM

Re: Securing root access from xterm

Ted and Jeff
Here is the Command that I use in Xstart to connect to the server.

/usr/bin/X11/xterm -d @D -fn heb8x13 -geometry 100x50-1+1 -fg black -bg lightgray -ls -sb -sl 1000 -title "SERVER NAME"

notice the -ls this tells xterm to execute the "login script" if I leave this option off, or by default, the .profile will not be executed at all and I gain full root access.

Jeff,
On the su issue. The problem was that I did not know weather I could identify where the user is connecting. I can do this with the $TERM and check for the unique term type of my CONSOLE display. So I believe that I can modify .profile to restrict access to the system, but it's really a mute point if the any user has access to the system via xterm. Let me explain further. We have more than one administrator, and I want to force them to connect via the console if connecting as root directly. I guess that it's just not supported. I will probably just setup some type of logging flag in the .profile that will write each root access su or not and it's source Display and terminal type, but of course that can be bypassed by xterm without the -ls.
0 Kudos
Reply
Deshpande Prashant
Honored Contributor

‎09-18-2002 08:17 AM

‎09-18-2002 08:17 AM

Re: Securing root access from xterm

HI
In my script above, I used
user=`logname`

Thanks.
Prashant.
Take it as it comes.
0 Kudos
Reply
ken_5
Advisor

‎09-18-2002 09:32 AM

‎09-18-2002 09:32 AM

Re: Securing root access from xterm

Deshpande Prashant
Cool, I needed that command, but it still does not solve the problem of the default operation of xterm being to NOT execute the .profile. Now, xterm is called using rexec, is there something I can do with rexec to make sure it does not allow root access? One thought that I did have was replacing xterm itself with a script that would call a renamed and protected version of the binary, but that seems some how risky to me. :)
tks,
ken
0 Kudos
Reply
Wodisch
Honored Contributor

‎09-18-2002 10:21 AM

‎09-18-2002 10:21 AM

Solution

Re: Securing root access from xterm

Hi Ken,

if you use X-Windows, then your system is NOT secure at all!
Maybe you can tunnel X-Widnows through OpenSSH (works with Reflection/X, should work with Exceed, too).
"xterm" itself is a security-risk, as it can be remote-controlled and be spied-out! USe "hpterm" or "dtterm" at least, these cannot be remote-controlled that easily...
If you use "ssh" then you can configure that to NOT let "root" log in through it!

You will have to stop "XDMCP" access, too...

And I do recommend installing "IPFilter/9000" and block everything you do not need/want on that system (BOTH directions, in and out).

Just my $0.02,
Wodisch
Reply
ken_5
Advisor

‎09-18-2002 10:24 AM

‎09-18-2002 10:24 AM

Re: Securing root access from xterm

Wodisch
That is the 2 cents that I'm looking for, I suspected as much, xterm itself is a security risk and should not be used, you went beyond that and gave me alternatives. Thanks for you help, I'm still very new at this stuff.

:)
ken.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.