SUMMERY: Single user security on DEC workstations.
Yedidya Israel
yedidya at bimacs.BITNET
Mon Sep 4 22:04:58 AEST 1989
In a previous article I asked:
>
>We have a few workstation of DEC running Ultrix3.0 with DECwindows.
>
>In order to prevent users from having root privileges (via b/2 on
>console) we put an "exec /bin/login" in /.profile.
>
Thanks to all of those who replied, these are the answers I got:
From: Amos Shapir <amos at taux01.nsc.com<
You have encountered DEC's rather clumsy attempt to prevent root from
logging in, but that's the general idea: 'login root' is out, long
live 'su'. The principle is that since 'su's are registered, you could
always find out who used the root account.
--
Amos Shapir amos at taux01.nsc.com or amos at nsc.nsc.com
National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522261 TWX: 33691, fax: +972-52-558322
34 48 E / 32 10 N (My other cpu is a NS32532)
From: prl%iis.UUCP at cernvax
Date: 25 Aug 89 9:58 +0200
This may not give you the protection that you hope. Try booting the machine
and leaning on |C just before it starts the login shell; or leaning
on |C while it's doing fsck in multiuser.
Sun has changed init so that if console is set as non-secure in ttys,
then `/bin/login root' is run instead of /bin/sh in single-user mode.
Unfortunately, for the sufficiently subtle, this is no hinderance anyway.
I can send more details to postmaster or root on your machine, including
DEC's most unsatisfactory response. Fortunately, we don't have
any DEC workstations.
Replys to ...!uunet!mcvax!ethz!prl, prl at ethz.uucp, and prl at iis.ethz.ch
should work, depending on the mood of your mailer.
If you are running Ultrix 3.0, you should turn off setuid on /bin/login
or install 3.1 right now, if you are at all interested in security.
--
Peter Lamb
uucp: uunet!mcvax!ethz!prl eunet: prl at ethz.uucp Tel: +411 256 5241
Integrated Systems Laboratory
ETH-Zentrum, 8092 Zurich
From: Carl-Lykke Pedersen <carllp at diku.dk>
We use the following program (called /.lockup) and calls it from
/.profile
It is not completly secure, but I hope you can use it.
Regards
Carl-Lykke
/* Written by Bruce G. Barnett <barnett at ge-crd.arpa> */
#include <stdio.h>
#include <signal.h>
#include <pwd.h>
struct passwd *pwd;
struct passwd *getpwuid();
char *strcpy();
char *crypt();
char *getpass();
char *pw;
char pwbuf[10];
char *rootpw = "DEFAULT_CRYPTED_PASSWD";
#define MESSAGE() fprintf(stderr, "\n\007\007\n%s\n%s\n%s\n%s\n\n", \
"***********************************************************", \
"*** THE SYSTEM IS IN AN INCONSISTENT STATE ***", \
"*** PLEASE, CONTACT THE COMPUTER DEPARTMENT IMMEDIATELY ***", \
"***********************************************************")
main()
{
int msg = 0;
signal(SIGINT, SIG_IGN);
signal(SIGQUIT, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
/* Get the password entry for root */
/* use 0 if you want to hard-wire the passwd for root */
/* else use getuid() */
pwd=getpwuid(0);
if (pwd != NULL)
rootpw = pwd->pw_passwd;
while (1) {
if (msg++ % 5 == 0)
MESSAGE();
strcpy(pwbuf,getpass("Password:"));
pw = crypt(pwbuf, rootpw);
if (strcmp(pw, rootpw) == 0)
exit(0);
}
}
From: barnett at unclejack.crd.ge.com (Bruce Barnett)
We used to do this until it corrupted our file systems.
If a system crashed, and rebooted, and it could not automatically
repair the disks, it would go into single user mode.
When it executed login, it would wait for a password, not get one,
and terminated. Then the system would continue the reboot, going
into multi-user mode WITHOUT REPAIRING THE DISK!
Eventually the disk became very corrupted and we lost a lot of files.
My solution was to run a program lock.c instead of login:
lock.c:
#include <stdio.h>
#include <signal.h>
#include <pwd.h>
struct passwd *pwd;
struct passwd *getpwuid();
char *strcpy();
char *crypt();
char *getpass();
char *pw;
char pwbuf[10];
main()
{
signal(SIGINT, SIG_IGN);
signal(SIGQUIT, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
/* get the password entry for root */
/* use 0 if you want to hard-wire the passwd for root */
/* else use getuid() */
pwd=getpwuid(getuid());
if (pwd == NULL )
(void) fprintf(stderr,"Cannot get password entry for root");
while ( 1) { /* forever */
(void) strcpy(pwbuf,getpass("Password:"));
pw = crypt(pwbuf, pwd->pw_passwd);
if (strcmp(pw,pwd->pw_passwd) == 0 ) {
return(0);
}
}
}
--
Bruce G. Barnett <barnett at crd.ge.com> uunet!crdgw1!barnett
--
| Israel Yedidya, Math & CS Department, Bar-Ilan U, Ramat-Gan, ISRAEL. |
+----------------------------------------------------------------------+
| Bitnet: yedidya at bimacs |
| Internet: yedidya at bimacs.biu.ac.il |
| Arpa: yedidya%bimacs.bitnet at cunyvm.cuny.edu |
| Uucp: ...!uunet!mcvax!humus!bimacs!yedidya |
| Csnet: yedidya%bimacs.bitnet%cunyvm.cuny.edu at csnet-relay |
\----------------------------------------------------------------------/
\--- If someone proves there is no God, I'll stop being religious ---/
--------------------------------------------------------------------
More information about the Comp.unix.wizards
mailing list