Path: utzoo!attcan!uunet!ogicse!ucsd!orion.oac.uci.edu!draco.acs.uci.edu!iglesias
From: iglesias@draco.acs.uci.edu (Mike Iglesias)
Newsgroups: comp.unix.ultrix
Subject: Re: Restricting root access from console
Message-ID: <27025A64.8398@orion.oac.uci.edu>
Date: 27 Sep 90 20:00:36 GMT
References: <37952@eerie.acsu.Buffalo.EDU>
Reply-To: Mike Iglesias
Organization: University of California, Irvine
Lines: 112
Nntp-Posting-Host: draco.acs.uci.edu

In article <37952@eerie.acsu.Buffalo.EDU> scarfone@sybil.cs.Buffalo.EDU (Steve Scarfone) writes:
>
>Is there a method of restricting root access from the console on a
>Decstation 2100? Specifically I'm concerned with a user powering down
>a workstation and ^Cing the multi-user boot and having root access.
>
>Removing 'secure' from the console line in /etc/ttys doesn't seem to
>solve this particular problem.
>
>If it makes a difference, the 2100's are running Ultrix V3.1D (Rev.
>54).

At the end of this message, you'll find something I saved from comp.sys.dec
a while back about this subject.

Mike Iglesias
University of California, Irvine
Internet: iglesias@draco.acs.uci.edu
BITNET: iglesias@uci
uucp: ...!ucbvax!ucivax!iglesias

Article 2438 of comp.sys.dec:
Xref: orion.oac.uci.edu comp.sys.dec:2438 comp.unix.ultrix:2880
Path: orion.oac.uci.edu!usc!cs.utexas.edu!mailrus!umich!vela!schemers
From: schemers@vela.acs.oakland.edu (Roland Schemers III)
Newsgroups: comp.sys.dec,comp.unix.ultrix
Subject: Re: Single user booting of DECStations and security
Summary: this works...
Keywords: ultrix 3.0 decstation 2100 3100 security
Message-ID: <597@vela.acs.oakland.edu>
Date: 5 Apr 90 17:06:28 GMT
References: <1990Apr5.123703.2251@maths.tcd.ie>
Reply-To: schemers@vela.acs.oakland.edu (Roland Schemers III)
Organization: Oakland University, Rochester MI
Lines: 74

Hello!

The following is a script and a C program that implement the security
you are talking about. It stops someone from booting in single user mode
as root.
To boot single user, you have to give the root's password. I modified it to
accept another password, just in case the passwd file is corrupt, or you
forget the root password!!!

-------------------------------------------------------------------------
/*
   Compile it as :
   # cc -s -o /etc/chkpas chkpas.c
   # chmod 700 /etc/chkpas

   Author: Lucian S. Herscovici - DEC France

   Description:
   Checks password validity for the given user (argument #1).
   If no argument is provided it defaults to ``root''
   The return status is 1 if the password is valid
                        0 otherwise

   Modified: Roland Schemers, Oakland University
   Add check for SPECIAL password other than root's. This might be
   needed if passwd file becomes corrupt..
*/
#include <stdio.h>
#include <string.h>
#include <pwd.h>

#define SPECIAL "secret"

main(argc,argv)
int argc;
char *argv[];
{
    static char prompt[80];
    static char pwkey[3];
    static char *user = "root";
    char *pp, *getpass(), *crypt();
    struct passwd *getpwnam(), *pw;

    if (argc>1) user = argv[1];
    /* %.40s bounds the user name so the prompt always fits in prompt[80] */
    sprintf(prompt,"Enter %.40s's password to continue : ",user);
    if ((pp=getpass(prompt)) == NULL) exit(0);
    /* the fallback password is accepted before the passwd file is read */
    if (strcmp(pp,SPECIAL)==0) exit(1);
    if ((pw=getpwnam(user)) == NULL) exit(0);
    /* the first two characters of the stored hash are the crypt() salt */
    strncpy(pwkey,pw->pw_passwd,2);
    pwkey[2]=0;
    if (strcmp(crypt(pp,pwkey),pw->pw_passwd)) exit(0);
    exit(1);
}
-------------------------------------------------
# @(#).profile ULTRXI/ULTRIX WS
# Author : L. Herscovici DEC France
# Loop forever until a legal password is typed in
# (chkpas exits 0 for a wrong password and 1 for a valid one)
trap "" 2 0
while :
do
    if /etc/chkpas
    then
        echo 'INCORRECT ** REPEAT PLEASE**'
    else
        echo 'CORRECT : Entering command mode'
        break
    fi
done
echo 'erase ^?, kill ^U, intr ^C'
stty dec prterase new
PATH=/usr/ucb:/bin:/usr/bin:/etc:/usr/local:/usr/new:/usr/hosts:.
export PATH
trap 2 0

-- 
Roland J. Schemers III                     Systems Programmer
schemers@vela.acs.oakland.edu (Ultrix)     Oakland University
schemers@argo.acs.oakland.edu (VMS)        Rochester, MI 48309-4401
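
The posted .profile takes the else branch on any non-zero status from /etc/chkpas, so a checker that cannot run at all is treated the same as a correct password. The following is an added example, not part of either post, that compares that test with a fail-closed one; the function names are hypothetical and the checkers are constructed stand-ins, not the real chkpas.

```shell
#!/bin/sh
# Added example: how the posted loop body classifies a checker's exit
# status, next to a fail-closed variant. Nothing here touches /etc/chkpas
# or a real password file; every checker below is a constructed stand-in.

# posted_gate CMD...: same test as the posted .profile.
# chkpas exits 0 for "wrong" and 1 for "right", so the else branch grants.
posted_gate() {
    if "$@" >/dev/null 2>&1; then
        echo denied
    else
        echo granted
    fi
}

# strict_gate CMD...: grants only on the single status chkpas documents for
# a valid password (1). 126/127 (cannot run) and >128 (killed by a signal)
# are denied, as is every other status.
strict_gate() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        1) echo granted ;;
        *) echo denied ;;
    esac
}

# Constructed stand-ins for the outcomes a checker can have.
chk_wrong()   { return 0; }                # password rejected
chk_right()   { return 1; }                # password accepted
chk_missing() { /nonexistent/chkpas; }     # binary absent: status 127
chk_killed()  { sh -c 'kill -9 $$'; }      # died on SIGKILL: status 137

# Print one row per outcome for both gates.
compare() {
    for c in chk_wrong chk_right chk_missing chk_killed; do
        printf '%-12s posted=%-8s strict=%s\n' \
            "$c" "$(posted_gate "$c")" "$(strict_gate "$c")"
    done
}
compare
```

The two gates agree on a rejected and an accepted password and differ only on the rows where the checker never produced a verdict.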