Pat Limaco
Occasional Contributor

UNIX high authorization profiles are restricted to physically secured devices.

How can you restrict important profiles such as "root" to direct logon only from the console?

My program states I should examine the "etc/default/login" for the "CONSOLE=/dev/console" entry. However, the system said no such file exists. Does this mean etc/default/login first needs to be manually created?

I'd appreciate your responses. thanks and best regards.
I'm always giving my best shot
Balaji N
Honored Contributor

Re: UNIX high authorization profiles are restricted to physically secured devices.

Hi,
Create the securetty file in the /etc directory and add the terminal entries from which root can log in directly.

echo "console" > /etc/securetty


Now root can log in directly only from the console. Note that a user can still log in and then switch to root.

hth
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
Pat Limaco
Occasional Contributor

Re: UNIX high authorization profiles are restricted to physically secured devices.

Thanks a lot, that helped me understand things better. Just a follow-up: does this mean I have to put the "root console" entry into the etc/securetty file? =)
I'm always giving my best shot
Balaji N
Honored Contributor
Solution

Re: UNIX high authorization profiles are restricted to physically secured devices.

No. Just the terminal names from which root is allowed to log in. This file is used only for user root.
++++snipped from the login man page++++++++
If the /etc/securetty file is present, login security is in effect.
Only user root is allowed to log in successfully on the ttys listed in
this file. Restricted ttys are listed by device name, one per line.
Valid tty names are dependent on the installation. An example is

console
tty01
ttya1
etc.

Note that this feature does not inhibit a normal user from using the
su command (see su(1)).
+++++++++++++++++

man login for more info.

hth
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
doug hosking
Esteemed Contributor

Re: UNIX high authorization profiles are restricted to physically secured devices.

Balaji, /etc/default/security entries on newer (11.11 and later, I think) versions of HP-UX can help with the su case. Quoting from security(4):

SU_ROOT_GROUP
This parameter defines the root group name for the su command. Refer to su(1).

SU_ROOT_GROUP=group_name
The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a
member of the specified root group to be allowed to su to root. This does not alter password checking.

Default value: If this parameter is not defined or if it is commented out, there is no default value. In this case, a non superuser is allowed to su to root without being bound by root group restrictions.
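The two controls discussed in this thread (root restricted to the console via /etc/securetty, and su to root restricted to a group via SU_ROOT_GROUP in /etc/default/security) are easy to verify with a small audit script. The following is an added example written for this page; it is not code from any poster or from HP-UX itself. The function names and the sample files it builds under /tmp are constructed for the demonstration; on a real host you would point the checks at /etc/securetty and /etc/default/security.

```shell
#!/bin/sh
# Audit helper for the two root-access controls discussed in the thread.
# Added example; function names and sample files are assumptions, not HP-UX API.

# check_securetty FILE
#   0 -> FILE exists and lists only "console" (root direct login limited to console)
#   1 -> FILE exists but lists other ttys, or does not list console at all
#   2 -> FILE is absent (login security not in effect; root may log in anywhere)
check_securetty() {
    f=$1
    [ -f "$f" ] || return 2
    # Ignore blank and comment lines; any remaining line other than "console"
    # widens where root may log in directly.
    if grep -v '^[[:space:]]*$' "$f" | grep -v '^#' | grep -vx 'console' >/dev/null; then
        return 1
    fi
    grep -qx 'console' "$f" || return 1
    return 0
}

# check_su_root_group FILE
#   0 -> an uncommented SU_ROOT_GROUP=<name> line is present in FILE
#   1 -> parameter missing or commented out (any user who knows the root
#        password may su to root, as the security(4) text quoted above states)
check_su_root_group() {
    f=$1
    [ -f "$f" ] || return 1
    grep -E '^[[:space:]]*SU_ROOT_GROUP=[^[:space:]#]+' "$f" >/dev/null
}

# audit_report SECURETTY_FILE SECURITY_FILE
# Prints one line per control and returns 0 only if both pass.
audit_report() {
    status=0
    if check_securetty "$1"; then
        echo "PASS: $1 restricts root direct login to the console"
    else
        echo "FAIL: $1 missing or allows root login from other ttys"
        status=1
    fi
    if check_su_root_group "$2"; then
        echo "PASS: $2 restricts su to root to members of SU_ROOT_GROUP"
    else
        echo "FAIL: $2 does not set SU_ROOT_GROUP; any user may su to root"
        status=1
    fi
    return $status
}

# Demonstration on constructed sample files (not real system files).
demo() {
    d=${TMPDIR:-/tmp}/securetty_demo.$$
    mkdir -p "$d"
    printf 'console\n' > "$d/securetty.good"
    printf 'console\ntty01\nttya1\n' > "$d/securetty.wide"
    printf '# SU_ROOT_GROUP=wheel\n' > "$d/security.commented"
    printf 'SU_ROOT_GROUP=wheel\n' > "$d/security.ok"
    echo "--- hardened sample ---"
    audit_report "$d/securetty.good" "$d/security.ok" || true
    echo "--- weak sample ---"
    audit_report "$d/securetty.wide" "$d/security.commented" || true
    rm -rf "$d"
}

# Run the demo only when executed directly, not when sourced.
case $0 in
    *securetty_audit*) demo ;;
esac
```

Running the script as securetty_audit.sh prints a PASS/FAIL line for each control against the two constructed samples; sourcing it makes the check functions available for use against the real files.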
Balaji N
Honored Contributor

Re: UNIX high authorization profiles are restricted to physically secured devices.

Thanks for the update, Doug.
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.