SUMMARY: Restricting Root Access (more selectively)

From: Lenny Turetsky (lturetsk@econ.yale.edu)
Date: Sat Feb 04 1995 - 12:05:46 CST


First, my thanks to:

"Brian T. Wightman" <wightman@sol.acs.uwosh.edu>
peter.allan@aea.orgn.uk (Peter Allan)
Steve Elliott <se@comp.lancs.ac.uk>
covingto@msmary.edu (Michael Covington)

one of whom chastised me for not having RTFM'ed (R'ed TFM?). Well, I
had RTFM'ed, but it didn't make it very clear (insert lengthy discussion
on the helpfulness of man pages in general and Sun's in particular).
Normally I can figure out what I need to from man pages, but they
weren't too clear on this issue.

Basically, what it comes down to is that labelling a (non-console) tty
insecure in /etc/ttytab will prevent root from logging into it w/a
passwd, but will not prevent rsh/rlogin via /.rhosts. I don't think
this applies to Solaris.

BTW, labelling console insecure won't keep someone w/the root passwd
from logging in on it -- it will simply force the use of the root
password to gain access in single-user mode.

One person seemed to be opposed to the restrictions out of concern
about what I would do if there are network problems. True, it would
make things somewhat more difficult for me, but the security advantage
exceeds the ease-of-administration issue here.

Thanks again,
LT

PS Here's the original question:

> To: Sun Managers <sun-managers@ra.mcs.anl.gov>
> Subject: Restricting Root Access (more selectively)
>
> Is there a way to disable all root logins unless they are rsh'ed from
> a machine in /.rhosts?
>
> What I mean is, I don't want anyone to be able to login as root neither
> on the console, a local terminal, nor on a network line (except if
> they're rsh'ing from a "friendly" machine).
>
> Can this be done?
>
> TIA,
> LT

 ,-----------------------------------------------------.
 | Yale Economics Dep't    | Lenny Turetsky            |
 | System Administrator    | lturetsk@econ.yale.edu    |
 |-------------------------+---------------------------|
 | My employers paid for some of my time and energy.   |
 | My opinions were never for sale.                    |
 `-----------------------------------------------------'
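As an added audit example, not from the original post or thread: a small script that parses a SunOS 4.x-style /etc/ttytab and /.rhosts to show the two root entry paths the summary describes, password logins on ttys still marked "secure" (console always admits root), and passwordless rsh/rlogin from hosts listed in /.rhosts. Both input files are constructed samples.

```python
import shlex

# Constructed sample of a SunOS 4.x-style /etc/ttytab (not from the post).
SAMPLE_TTYTAB = """\
# name  getty                     type    status       comments
console "/usr/etc/getty std.9600" sun     on local secure
ttya    "/usr/etc/getty std.9600" unknown off local
ttyb    "/usr/etc/getty std.9600" vt100   on local
ttyp0   none                      network off secure
ttyp1   none                      network off
"""

# Constructed sample of /.rhosts (not from the post).
SAMPLE_RHOSTS = """\
adminbox.example.edu
+ +
"""

def parse_ttytab(text):
    """Yield (tty, status_flags) per entry; the getty command is quoted,
    so shlex is used rather than a plain split."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            continue
        yield fields[0], set(fields[3:])

def root_password_ttys(ttytab_text):
    """ttys where root can log in with the root password: every line marked
    'secure', plus console, where 'insecure' only forces the root password
    in single-user mode (as the post notes) and does not block root login."""
    return [tty for tty, flags in parse_ttytab(ttytab_text)
            if tty == "console" or "secure" in flags]

def rhosts_root_trust(rhosts_text):
    """Return (entries, wildcards) from /.rhosts. Any entry here lets that
    host rsh/rlogin as root with no password regardless of ttytab; a leading
    '+' trusts every host."""
    entries = [ln.strip() for ln in rhosts_text.splitlines() if ln.strip()]
    wildcards = [e for e in entries if e.split()[0] == "+"]
    return entries, wildcards

if __name__ == "__main__":
    print("root password logins allowed on:", root_password_ttys(SAMPLE_TTYTAB))
    entries, wild = rhosts_root_trust(SAMPLE_RHOSTS)
    print("root trusts via /.rhosts:", entries, "wildcards:", wild)
```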