Re: Restricting root

From: Green, Simon (Simon.Green@EU.ALTRIA.COM)
Date: Thu Jul 03 2003 - 12:38:05 EDT


rlogin=false will prevent any sort of network login; telnet, rsh without a
command.
login=true means that root is allowed to login directly. (These are the
parameters for the chuser command.)

In combination, that would prevent someone logging in with root via telnet:
they'd have to use another userid then su. But it will permit a login if it
is not remote, so it would let root login directly on the console. It would
ALSO let root log in directly on any old-fashioned serial terminals you may
have. If you don't have any, then this will do what you want.

chuser login=true rlogin=false ttys=ALL root

If you DO have other terminals, besides the actual console, then I don't
know how you do this easily.

Simon Green
Altria ITSC Europe Ltd

AIX-L Archive at http://marc.theaimsgroup.com/?l=aix-l&r=1&w=2
AIX FAQ at http://www.faqs.org/faqs/aix-faq/

N.B. Unsolicited email from vendors will not be appreciated.

> -----Original Message-----
> From: Stephen Spalding [mailto:ssaixadm@YAHOO.COM]
> Sent: 03 July 2003 16:37
> To: aix-l@Princeton.EDU
> Subject: Re: Restricting root
>
>
> I kind of don't follow what you're saying.
>
> I want root to be able to log in directly from the
> console. I don't want root to be able to log in
> directly from anywhere else. Setting /dev/tty0 in
> 'Valid TTYS' makes it so that no one can su to root
> from anywhere but the console.
>
>
> --- "Green, Simon" <Simon.Green@EU.ALTRIA.COM> wrote:
> > Do you have other terminals attached to this system,
> > then?
> > If not, then simply login=true,rlogin=false.
> >
> > Simon Green
> > Altria ITSC Europe Ltd
> >
> > AIX-L Archive at
> > http://marc.theaimsgroup.com/?l=aix-l&r=1&w=2
> > AIX FAQ at http://www.faqs.org/faqs/aix-faq/
> >
> > N.B. Unsolicited email from vendors will not be
> > appreciated.
> >
> > > -----Original Message-----
> > > From: Stephen Spalding [mailto:ssaixadm@YAHOO.COM]
> > > Sent: 03 July 2003 16:24
> > > To: aix-l@Princeton.EDU
> > > Subject: Restricting root
> > >
> > >
> > > All,
> > >
> > > I want to restrict the root user so that the admins
> > > must log in with their own userids first and then 'su
> > > -' to root. I want it so that root cannot directly
> > > telnet to the box. The catch is that I want root to be
> > > able to log in directly from the console.
> > >
> > > I know that setting the 'User can LOGIN REMOTELY?'
> > > field to false for root takes care of my first issue.
> > > I then can create individual ids for my admins and
> > > also create an 'SU GROUP' for them to be a part of.
> > >
> > > I've tried setting 'Valid TTYs' to /dev/tty0, but that
> > > completely restricts root access to the console, which
> > > is tighter than what I want.
> > >
> > > Does anyone know how to do this?
>
>
>
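As an added example (not part of the thread, and not the way either poster checked their settings), the following POSIX shell script audits the root account's AIX login attributes against the policy Simon describes: `login=true` so root can still log in on the console, `rlogin=false` so root cannot log in over the network. On a real AIX box the attribute line would come from `lsuser -a login rlogin ttys root`; the `name attr=value ...` output format is assumed here, and a constructed sample line stands in for it so the check runs anywhere.

```shell
#!/bin/sh
# Added example: audit root's AIX login attributes against the thread's policy
#   login=true   (root may log in locally, e.g. on the console)
#   rlogin=false (root may not log in via telnet/rlogin/rsh)
# Input would normally be:  lsuser -a login rlogin ttys root
# whose output is assumed to look like "root login=true rlogin=false ttys=ALL".
# Constructed sample lines are used so the script runs without AIX.

SAMPLE_OK='root login=true rlogin=false ttys=ALL'
SAMPLE_BAD='root login=true rlogin=true ttys=ALL'

# attr_value LINE ATTR
# Prints the value of ATTR from an lsuser-style "name attr=value ..." line.
# Returns 1 (and prints nothing) if the attribute is absent.
attr_value() {
    line=$1
    attr=$2
    for tok in $line; do
        case $tok in
            "$attr"=*)
                printf '%s\n' "${tok#*=}"
                return 0
                ;;
        esac
    done
    return 1
}

# check_root_policy LINE
# Returns 0 when root can log in locally but not over the network;
# returns 1 and names each attribute that violates the policy otherwise.
check_root_policy() {
    line=$1
    rc=0
    [ "$(attr_value "$line" login)" = "true" ] ||
        { echo "login should be true (console login would be blocked)"; rc=1; }
    [ "$(attr_value "$line" rlogin)" = "false" ] ||
        { echo "rlogin should be false (root can log in over the network)"; rc=1; }
    # ttys is reported, not enforced: the thread notes that narrowing it to
    # /dev/tty0 also blocks su from other terminals, which is stricter than wanted.
    echo "ttys=$(attr_value "$line" ttys)"
    return $rc
}

# Corrective command from the thread, shown for reference and NOT run here:
#   chuser login=true rlogin=false ttys=ALL root
```

Feed the function the real `lsuser` line (`check_root_policy "$(lsuser -a login rlogin ttys root)"`) from a periodic audit job; a non-zero exit status means root has drifted from the intended login policy.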



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:59 EDT