Re: Restricting root

From: Stephen Spalding (ssaixadm@YAHOO.COM)
Date: Thu Jul 03 2003 - 12:51:23 EDT


Thank you Simon, respectfully. I will look into this
some more this afternoon.

--- "Green, Simon" <Simon.Green@EU.ALTRIA.COM> wrote:
> rlogin=false will prevent any sort of network login; telnet, rsh without a
> command.
> login=true means that root is allowed to login directly. (These are the
> parameters for the chuser command.)
>
> In combination, that would prevent someone logging in with root via telnet:
> they'd have to use another userid then su. But it will permit a login if it
> is not remote, so it would let root login directly on the console. It would
> ALSO let root log in directly on any old-fashioned serial terminals you may
> have. If you don't have any, then this will do what you want.
>
> chuser login=true rlogin=false ttys=ALL root
>
>
> If you DO have other terminals, besides the actual console, then I don't
> know how you do this easily.
>
> Simon Green
> Altria ITSC Europe Ltd
>
> AIX-L Archive at http://marc.theaimsgroup.com/?l=aix-l&r=1&w=2
> AIX FAQ at http://www.faqs.org/faqs/aix-faq/
>
> N.B. Unsolicited email from vendors will not be appreciated.
>
> > -----Original Message-----
> > From: Stephen Spalding [mailto:ssaixadm@YAHOO.COM]
> > Sent: 03 July 2003 16:37
> > To: aix-l@Princeton.EDU
> > Subject: Re: Restricting root
> >
> >
> > I kind of don't follow what you're saying.
> >
> > I want root to be able to log in directly from the console. I don't want
> > root to be able to log in directly from anywhere else. Setting /dev/tty0 in
> > 'Valid TTYS' makes it so that no one can su to root from anywhere but the
> > console.
> >
> >
> > --- "Green, Simon" <Simon.Green@EU.ALTRIA.COM> wrote:
> > > Do you have other terminals attached to this system, then?
> > > If not, then simply login=true,rlogin=false.
> > >
> > > Simon Green
> > > Altria ITSC Europe Ltd
> > >
> > > > -----Original Message-----
> > > > From: Stephen Spalding [mailto:ssaixadm@YAHOO.COM]
> > > > Sent: 03 July 2003 16:24
> > > > To: aix-l@Princeton.EDU
> > > > Subject: Restricting root
> > > >
> > > >
> > > > All,
> > > >
> > > > I want to restrict the root user so that the admins must log in with
> > > > their own userids first and then 'su -' to root. I want it so that root
> > > > cannot directly telnet to the box. The catch is that I want root to be
> > > > able to log in directly from the console.
> > > >
> > > > I know that setting the 'User can LOGIN REMOTELY?' field to false for
> > > > root takes care of my first issue. I then can create individual ids for
> > > > my admins and also create an 'SU GROUP' for them to be a part of.
> > > >
> > > > I've tried setting 'Valid TTYs' to /dev/tty0, but that completely
> > > > restricts root access to the console, which is tighter than what I want.
> > > >
> > > > Does anyone know how to do this?

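
Added example, not part of the original thread: a POSIX shell check for the root settings discussed above (login=true, rlogin=false, ttys), run against a stanza file in the /etc/security/user format. The function names and the sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# stanza_attr FILE USER ATTR: print USER's value for ATTR, falling back to the
# "default" stanza when USER's own stanza does not set it.
stanza_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                                        # comment line
        /^[^ \t].*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }  # stanza header
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != attr) next
            if (cur == user) { uval = v; uset = 1 }
            else if (cur == "default") { dval = v; dset = 1 }
        }
        END { if (uset) print uval; else if (dset) print dval }
    ' "$1"
}

# audit_root FILE: return 0 only when root may log in directly (login=true)
# but not over the network (rlogin=false); print one finding per line.
audit_root() {
    login=$(stanza_attr "$1" root login)
    rlogin=$(stanza_attr "$1" root rlogin)
    ttys=$(stanza_attr "$1" root ttys)
    rc=0
    [ "$login" = "true" ]   || { echo "FAIL login=$login (direct login disabled)"; rc=1; }
    [ "$rlogin" = "false" ] || { echo "FAIL rlogin=$rlogin (network login allowed)"; rc=1; }
    [ "$ttys" = "ALL" ] && echo "NOTE ttys=ALL (serial terminals accept root too)"
    [ "$rc" -eq 0 ] && echo "OK login=$login rlogin=$rlogin ttys=$ttys"
    return "$rc"
}

# Constructed sample: root overrides rlogin and inherits login and ttys.
sample_after() {
    cat <<'EOF'
default:
        login = true
        rlogin = true
        ttys = ALL

root:
        admin = true
        rlogin = false
EOF
}

f=$(mktemp) && sample_after > "$f" && audit_root "$f"; rm -f "$f"
```

The NOTE line corresponds to the caveat in the reply: with ttys=ALL, any locally attached terminal accepts a direct root login, not only the console.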



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:59 EDT