Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!romp!auschs!awdprime!greenber.austin.ibm.com!jfh
From: jfh@greenber.austin.ibm.com (John F Haugh II)
Newsgroups: comp.unix.aix
Subject: Re: root restrictions
Message-ID: <8464@awdprime.UUCP>
Date: 13 Jun 91 22:37:16 GMT
References: <1991Jun12.180648.27815@bnlux1.bnl.gov>
Sender: news@awdprime.UUCP
Organization: Best Care South of the Red River, LCC, Austin, Republic of Texas
Lines: 48

In article <1991Jun12.180648.27815@bnlux1.bnl.gov> como@max.bnl.gov (Andrew T. Como) writes:
>I need a mechanism to restrict root logins to the console.
>
>If I change the user characteristics "valid TTYs" to the console
>you can only "su" to "root" from the console. (this is not practical)
>
>I have submitted a system change request to IBM and they refused.
>
>Can anyone give me advice on a work around?

The information you are looking for is documented with the system
security features.  What you want is an authentication method that
will allow you to specify that the method only runs on the console
(the easy way) or that there is a file containing user/port mappings.

First the easy way ...

--- iscon.c ---
/* Exit 0 if standard input is the system console, 1 otherwise. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main (void)
{
	char *cp;

	if ((cp = ttyname (0)) && strcmp (cp, "/dev/console") == 0)
		exit (0);
	else
		exit (1);
}
---

Compile that command and store it in /etc as /etc/iscon.  It should
be executable by everyone - mode 555.

Now, in the file /etc/security/user, make the "auth1" attribute in
the root stanza have the value "auth1 = CONSOLE;SYSTEM".

Then edit the file /etc/security/login.cfg and add the stanza

CONSOLE:
	program = /etc/iscon

Now root is able to login only on the console.

DISCLAIMER: I've not tried this, but I did work on the code that
implements the security features and this =should= work.  I don't
make any guarantees about this working, and none should be inferred.
-- 
John F. Haugh II        | I've Been Moved |  MaBellNet: (512) 838-4340
SneakerNet: 809/1D064   |     AGAIN !     |  VNET: LCCB386 at AUSVMQ
BangNet: ..!cs.utexas.edu!ibmchs!auschs!snowball.austin.ibm.com!jfh (e-i-e-i-o)
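The post only shows the "easy way"; the variant below is an added example (not John Haugh's code or IBM's) of the other approach he names, an auth method that consults a user/port mapping file. The mapping path, its `user:tty,tty` line format and the assumption that the method receives the user name as its first argument are all assumptions, not documented AIX behaviour.

```c
/* Added example: an auth-method program that allows a user only on the
 * ttys listed for them in a mapping file.  Format (assumed, constructed):
 *   user:tty[,tty...]        e.g.  root:/dev/console,/dev/tty0
 * Lines starting with '#' are comments.  Unlisted users are denied. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAP_PATH "/etc/security/ttyusers"   /* hypothetical path */

/* Return 1 if `tty` is listed for `user` in the mapping text, else 0.
 * The first stanza whose user matches decides; nothing else is consulted. */
int tty_allowed(const char *user, const char *tty, const char *mapping)
{
    const char *line = mapping;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len < sizeof buf && *line != '#') {
            memcpy(buf, line, len);
            buf[len] = '\0';
            char *colon = strchr(buf, ':');
            if (colon) {
                *colon = '\0';
                if (strcmp(buf, user) == 0) {
                    for (char *tok = strtok(colon + 1, ","); tok; tok = strtok(NULL, ","))
                        if (strcmp(tok, tty) == 0)
                            return 1;
                    return 0;           /* user listed, but not on this tty */
                }
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return 0;                           /* no stanza for this user: fail closed */
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "";   /* assumption: user in argv[1] */
    const char *tty = ttyname(0);
    static char map[4096];
    FILE *fp = fopen(MAP_PATH, "r");
    if (!fp || !tty)                    /* unreadable map or no tty: deny */
        return 1;
    size_t n = fread(map, 1, sizeof map - 1, fp);
    map[n] = '\0';
    fclose(fp);
    return tty_allowed(user, tty, map) ? 0 : 1;
}
```

Like /etc/iscon, it signals the decision purely through its exit status, so it drops into the same `program =` stanza in /etc/security/login.cfg.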