Re: Restricting a login to the console (summary)

From: Frank W. Peters (peters@cc.msstate.edu)
Date: Tue Apr 17 1990 - 17:32:51 CDT


Hello,

     A few days ago I posted a query about the need to restrict the operator
userid to the system console...while still allowing them to run sunview or
X. I could write a rather trivial C program (mebbe 10 lines total) to
restrict login to the console...but then when sunview started and a
cmdtool or shelltool tried to open it would abort (because the window was
attached to a pseudo tty...such as ttyp0).

     I got several pointers to the secure option in /etc/ttytab. Alas,
this only affects the root login. I don't want my operators (who have
very little UNIX experience) running as root on a regular basis.

     Others pointed out that you can have multiple login names sharing
a common numeric uid. I was aware of this but it has no bearing on my
situation. What my operators will share is the login name. If I could
arrange for them to use individual logins I wouldn't particularly care
about sharing the underlying uid.

     Viktor Dukhovni (viktor@math.Princeton.EDU) hit on the rather
embarrassingly obvious solution to my predicament. I had been assuming
that a command given to shelltool was passed as an argument to the
program given in the passwd entry for that userid. This turns out not
to be the case...that program fires up directly. Thus I can say:

shelltool /bin/csh &

and start up a cshell directly...thus bypassing my passwd defined login
shell completely. In fact, the SHELL environment variable can be set
and that shell will be started by default. So, now I have login and
su disabled from anywhere but the system console...but ONCE LOGGED ON
they can start up sunview without any problems.

     So, in summary, set the SHELL environment variable to your shell
of choice and disable all remote logins and sus to the userid in question.
It's that simple.

     Thanks to Viktor and to the following people who replied with advice
or sympathy:

"Ric Anderson" <ric@cs.arizona.edu>
sob@tmc.edu (Stan Barber)
mahesh@caradhras.cc.nd.edu (Mahesh Kumar)
lyman@Inference.Com (j.r.lyman)
mark@wilbur.coyote.trw.com (Mark Conrad)
earle@poseur.jpl.nasa.gov (Greg Earle - Sun JPL on-site Software Support)
"Paul B. Davidson" <elmo@sun.soe.clarkson.edu>
Peter Lamb uunet!mcsun!ethz!prl
casper@fwi.uva.nl (Casper H.S. Dik)
Randy Holt <randy@everest.den.mmc.com>
Ken Feuerman <feuerman@symcom.math.uiuc.edu>
kes@gvlf6.GVL.Unisys.COM
sol!richard@sunkist.West.Sun.COM (Richard Seegmiller)
Brent Chapman <chapman@parc.xerox.com>
dmorse@sun-valley.Stanford.EDU (Dennis Morse)
<LEWIS%AERA2.dnet@saint.mitre.org> "Keith Lewis"
martin@molndal.ericsson.se
Len Evens <sysadm@gauss.math.nwu.edu>
era@niwot.scd.ucar.EDU

--Frank

Frank W. Peters Systems Programmer Computing Center & Services
peters@CC.MsState.Edu Peters@MsState.Bitnet (601)325-2942
"I can't give you brains, but I can give you a diploma." -- The Wizard of OZ
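
[Editor's added example, not part of Frank's post.] The "trivial C program" the
summary mentions is never shown. Below is one way to write such a console-only
login shell wrapper, combined with the SHELL trick that makes the fix work:
the wrapper refuses any session whose controlling terminal is not the console,
and when it does let the operator in it exports SHELL and execs the real shell,
so that shelltool/cmdtool later start that shell directly instead of hitting
the wrapper again on a pseudo tty. The console device name (/dev/console) and
the real shell (/bin/csh) are assumptions, defined as constants so they can
be changed; the policy decision is kept in a separate function so it can be
tested without a real terminal.

```c
/* Added example: a console-only login shell wrapper. Not code from the
 * original post. Assumptions (change to suit the site): the console is
 * /dev/console and the shell to hand the operator is /bin/csh. */
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONSOLE_TTY "/dev/console"   /* assumed console device name   */
#define REAL_SHELL  "/bin/csh"       /* assumed shell to start on success */

/* Return 1 if the given tty path is the system console, 0 otherwise.
 * Compares the whole path, so "/dev/console1" or "/dev/ttyp0" never match. */
int tty_is_console(const char *tty)
{
    return tty != NULL && strcmp(tty, CONSOLE_TTY) == 0;
}

/* The policy: given the tty a login/su session is attached to, return the
 * shell to exec, or NULL when the session must be refused. */
const char *shell_for_tty(const char *tty)
{
    return tty_is_console(tty) ? REAL_SHELL : NULL;
}

int main(void)
{
    /* ttyname(0) names the terminal login or su attached to stdin. A window
     * opened under SunView would report a pseudo tty such as /dev/ttyp0,
     * which is why this wrapper must not be the shell those windows spawn. */
    const char *tty   = ttyname(STDIN_FILENO);
    const char *shell = shell_for_tty(tty);

    if (shell == NULL) {
        fprintf(stderr, "this account may only log in on %s\n", CONSOLE_TTY);
        return 1;
    }

    /* Export SHELL so shelltool/cmdtool start the real shell directly,
     * bypassing this wrapper, exactly as the summary above describes. */
    if (setenv("SHELL", shell, 1) != 0) {
        perror("setenv");
        return 1;
    }

    /* A leading '-' in argv[0] tells csh to behave as a login shell. */
    execl(shell, "-csh", (char *)NULL);
    perror("execl");        /* only reached if the exec failed */
    return 1;
}
```

Install the compiled wrapper as the operator account's shell in the passwd
entry; login and su both exec that entry, so both are covered, and since the
wrapper takes no arguments a remote attempt simply gets the refusal message.
The caveat a practitioner should keep in mind is that this only governs paths
that go through the login shell: anything that reaches the uid without one
(an rsh/rlogin allowed by a .rhosts entry, a cron job, an inherited open
terminal) is not restricted by it, so those should be disabled for the
account separately.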



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:05:57 CDT