SUMMARY: How to prevent Root login via Xterm

From: Christopher D. Croad (croadc@rl.af.mil)
Date: Fri Jan 30 1998 - 08:05:24 CST


        Original question at the end of this posting. Many responses to the
question, too many to mention. Most of them were some flavor of commenting
out the CONSOLE=/dev/console in /etc/default/login, but this was not the
solution. Doing this restricts a direct root telnet, but not a root Xsession.

        The working solution came from Richard Hellier <rlh@lsil.com>, with a
flavor of the same solution from Antonia Gomez <antonia@fib.upc.es>. Also
thanks to "Mr.Venkat D" <venki21@hotmail.com>, who offered additional help
via e-mail, although I did not have the time yesterday to respond to him.
I appreciate the offer!

From Richard Hellier <rlh@lsil.com>

        To prevent root login via the main CDE login screen, do the following:

        (i) make the directory:

                        /etc/dt/config/Xsession.d

        (ii) copy the enclosed file to 0099.norootlogin
                in that directory (set modes 555 on the file).
                There is a commented out line in the file
                that you can use to enable logging should
                you need it.

Good Luck!

Richard.

------------ here's the file 0099.norootlogin -----------------
#!/bin/ksh
#####################################################################
### File: 0099.norootlogin
###
### Default Location: /usr/dt/config/Xsession.d/
###
### Purpose: Prevent root login via CDE
###
### Description:
### This script is invoked by means of the Xsession file
### at user login. It prevents a login by "root".
###
### Invoked by: /usr/dt/bin/Xsession
###
### Product: @(#)Common Desktop Environment 1.0
###
### Note:
###
### Revision: RLH 30 Jan 1998
#####################################################################

if [ "${USER}" = root ]
then {
        # echo attempted root login via CDE at `date` >> /var/badroot.log
        exit 0
} fi

########################## eof #####################

Original Question....
>
> I posted a question earlier this AM regarding logging directly into a
>system as root via an X session.
>
> I need to be a little clearer. Most of the responses, and thank-you by
>the way for replying, have told me to make sure the CONSOLE line in
>/etc/default/login is not commented out.
>
> The above solution is fine for telnet sessions to the host, but it does
>not seem to have any bearing on Xing into a CDE session. All of our
>systems have CONSOLE commented out, but still on some systems, a user using
>Xceed can start a CDE login screen, and go directly to root.
>
> Still looking for the solution....
#######################################################
Christopher D. Croad "The Unix World is Heliocentric"
Litton PRC Fore Systems Certified LAN Admin
RRS/IFOS
Enterprise Operations
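
A check for the drop-in described in Richard Hellier's reply, as an added example that is not part of the original posting or of CDE. The function name check_norootlogin and its output strings are hypothetical; the directory, file name, mode 555 and log path are the ones given above.

```shell
#!/bin/sh
# Added example: audit the 0099.norootlogin drop-in on a host.
# Usage: check_norootlogin [DIR]   (DIR defaults to the path from the post)
# Prints one line per finding; returns 0 only if every check passes.
check_norootlogin() {
    dir=${1:-/etc/dt/config/Xsession.d}
    f=$dir/0099.norootlogin
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    # Mode 555 lists as -r-xr-xr-x; cut drops any trailing ACL/label marker.
    perms=$(ls -ld "$f" | cut -c1-10)
    if [ "$perms" != "-r-xr-xr-x" ]; then
        echo "MODE: $f is $perms, expected -r-xr-xr-x (555)"
        rc=1
    fi
    # Only non-comment lines count: the root test and the exit must be live,
    # otherwise the file is present but does nothing.
    live=$(grep -v '^[[:space:]]*#' "$f" || true)
    if ! echo "$live" | grep 'USER.*root' >/dev/null; then
        echo "CONTENT: no active test of USER against root in $f"
        rc=1
    fi
    if ! echo "$live" | grep 'exit' >/dev/null; then
        echo "CONTENT: no active exit in $f"
        rc=1
    fi
    # Logging is optional in the post; report whether it is switched on.
    if echo "$live" | grep 'badroot.log' >/dev/null; then
        echo "INFO: logging to /var/badroot.log is enabled"
    else
        echo "INFO: logging line is commented out or absent"
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $f"; fi
    return "$rc"
}
```
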


