root restrictions

Glenn R. Stone gs26 at prism.gatech.EDU
Fri Jun 14 05:43:23 AEST 1991


In <8439 at awdprime.UUCP> shaggy at kleikamp.austin.ibm.com (David J. Kleikamp) writes:

>In article <1991Jun12.180648.27815 at bnlux1.bnl.gov> como at max.bnl.gov (Andrew T. Como) writes:
>>I need a mechanism to restrict root logins to the console.

>>If I change the user characteristics "valid TTYs" to the console 
>>you can only "su" to "root" from the console. (this is not practical)

>Okay, I'll ask.

>What good is it to restrict root logins to the console if you do allow other
>users to su to root from other TTY's?

It means that you have two levels of security.... you have to either
crack another account or get in the machine room door before getting
a shot at root.  

>Anyway, one way of doing this would be to write your own authentication
>method.  I've never done this myself, but you define the authentication
>methods in the /etc/security/login.cfg file.

Sounds like the best way to go to me....
something like (pseudocode follows)

   if (I'm on the console) or (root does NOT own my tty (i.e. I'm su'ed))
      exit successfully 
   else
      rant, rave, raise red flags
   endif

should work.... I assume there's TFM on secondary authentication methods....

-- Glenn R. Stone
gs26 at prism.gatech.edu
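
Added example, not part of the original post: a shell rendering of the pseudocode above. It assumes the console is /dev/console and that the authentication framework treats exit status 0 as success; the function names and the --enforce switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): the tty test from the pseudocode.
# Assumptions: console device is /dev/console; exit 0 = allow, non-zero = deny.
CONSOLE_TTY="/dev/console"

# Numeric owner of a device node. "ls -ldn" is used because its third
# column (uid) is portable, and uid 0 is root whatever the account is named.
tty_owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{print $3}'
}

# decide TTY_PATH OWNER_UID: return 0 to allow, 1 to deny.
decide() {
    # Fail closed when there is no tty or its owner cannot be read.
    if [ -z "$1" ] || [ -z "$2" ]; then
        return 1
    fi
    # Direct root login on the console is permitted.
    if [ "$1" = "$CONSOLE_TTY" ]; then
        return 0
    fi
    # A tty owned by a non-root uid was opened by an ordinary login,
    # so root is being reached through su from that account.
    if [ "$2" != "0" ]; then
        return 0
    fi
    return 1
}

check_current_session() {
    t=$(tty 2>/dev/null) || t=""
    o=""
    if [ -n "$t" ]; then
        o=$(tty_owner_uid "$t")
    fi
    if decide "$t" "$o"; then
        return 0
    fi
    # "Rant, rave, raise red flags": record the refusal in syslog.
    logger -p auth.warning "root login refused on ${t:-unknown tty}"
    echo "root logins are restricted to the console" >&2
    return 1
}

# Hypothetical switch: only enforce when asked, so the file can be sourced.
if [ "${1:-}" = "--enforce" ]; then
    check_current_session
    exit $?
fi
```

The non-root-owner branch relies on login assigning the tty to the account that logged in, which su does not change.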


