Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!wuarchive!emory!gatech!prism!gs26
From: gs26@prism.gatech.EDU (Glenn R. Stone)
Newsgroups: comp.unix.aix
Subject: Re: root restrictions
Message-ID: <31319@hydra.gatech.EDU>
Date: 13 Jun 91 19:43:23 GMT
References: <1991Jun12.180648.27815@bnlux1.bnl.gov> <8439@awdprime.UUCP>
Organization: Dead Poets Society
Lines: 34

In <8439@awdprime.UUCP> shaggy@kleikamp.austin.ibm.com (David J. Kleikamp) writes:

>In article <1991Jun12.180648.27815@bnlux1.bnl.gov> como@max.bnl.gov (Andrew T. Como) writes:
>>I need a mechanism to restrict root logins to the console.
>>If I change the user characteristics "valid TTYs" to the console
>>you can only "su" to "root" from the console. (this is not practical)

>Okay, I'll ask.
>What good is it to restrict root logins to the console if you do allow other
>users to su to root from other TTY's?

It means that you have two levels of security.... you have to either
crack another account or get in the machine room door before getting
a shot at root.

>Anyway, one way of doing this would be to write your own authentication
>method.  I've never done this myself, but you define the authentication
>methods in the /etc/security/login.cfg file.

Sounds like the best way to go to me.... something like (pseudocode follows)

    if (I'm on the console) or (root does NOT own my tty (i.e. I'm su'ed))
        exit successfully
    else
        rant, rave, raise red flags
    endif

should work.... I assume there's TFM on secondary authentication methods....

-- 
Glenn R. Stone
gs26@prism.gatech.edu
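The pseudocode above, worked into a small C program of the kind that could be wired in as a secondary authentication method. This is an added example, not code from Glenn's post or from IBM. Assumptions, labelled in the code: AIX invokes a program named in an /etc/security/login.cfg auth_method stanza with the user name as argv[1] and treats exit status 0 as "authenticated" and any non-zero status as failure; the console device is /dev/console; login chowns the controlling tty to the user who logged in, so a tty still owned by a non-root user means the caller su'ed from that account. The decision is kept in a function with no system calls so it can be checked in isolation; the "rant, rave, raise red flags" branch is realised as a syslog(3) entry on the auth facility.

```c
/* root_tty_check.c -- added example, not from the original post.
 *
 * Assumed AIX auth-method contract: invoked as  root_tty_check <user>
 * exit 0 => accept, exit non-zero => reject.  Assumed console device
 * is /dev/console and login(1) chowns the tty to the logging-in user.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define CONSOLE_DEV "/dev/console"   /* assumption: path of the console */

/* Returns 1 if the tty path names the console, 0 otherwise. */
int is_console(const char *tty)
{
    return tty != NULL && strcmp(tty, CONSOLE_DEV) == 0;
}

/* Pure decision logic mirroring the pseudocode:
 *   allow (return 0) if on the console, or if the tty is owned by
 *   someone other than root (the caller su'ed from another account);
 *   deny  (return 1) otherwise, i.e. a direct root login on a remote tty.
 * tty_owner is the st_uid of the controlling tty. */
int root_access_decision(const char *tty, uid_t tty_owner)
{
    if (is_console(tty))
        return 0;
    if (tty_owner != 0)
        return 0;
    return 1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "(unknown)";
    const char *tty = ttyname(STDIN_FILENO);
    struct stat st;

    openlog("root_tty_check", LOG_PID, LOG_AUTH);

    /* No controlling tty at all (e.g. a batch job) is treated as deny. */
    if (tty == NULL || stat(tty, &st) != 0) {
        syslog(LOG_WARNING, "root auth for %s refused: no controlling tty", user);
        closelog();
        return 1;
    }

    if (root_access_decision(tty, st.st_uid) != 0) {
        /* "rant, rave, raise red flags": log it where auth events go. */
        syslog(LOG_ALERT, "direct root login for %s refused on %s (not console)",
               user, tty);
        closelog();
        return 1;
    }

    closelog();
    return 0;
}
```

A practitioner wiring this in would also want to confirm that the method is only attached to the root stanza in /etc/security/user, since the program itself never checks which user it is being asked about, and that the tty-ownership assumption actually holds on the system in question (a tty that is not chowned at login would make every su look like a remote root login and be refused).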