Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/5/84; site sunybcs.UUCP
Path: utzoo!utcs!lsuc!pesnta!amd!dual!sunybcs!loverso
From: loverso@sunybcs.UUCP (John Robert LoVerso)
Newsgroups: net.unix-wizards
Subject: Re: Re: UNIX source vs. binary (NOT A LEGAL ARGUMENT)
Message-ID: <1166@sunybcs.UUCP>
Date: Sun, 17-Feb-85 13:11:32 EST
Article-I.D.: sunybcs.1166
Posted: Sun Feb 17 13:11:32 1985
Date-Received: Mon, 18-Feb-85 09:43:59 EST
References: <7982@brl-tgr.ARPA> <97@timeinc.UUCP> <440@down.FUN>
Organization: State University of New York @ Buffalo,NY
Lines: 24

> In article <97@timeinc.UUCP> jim@timeinc.UUCP (Jim Scardelis) writes:
> >I would *really* like to be able to customize login.c so that dialup logins
> >from 'root' are disallowed...but I can't.
> here's down!/.profile, written by pat parseghian, bowdlerized by me:
>     trap exit 1 2 3 15
>     if [ "`tty`" != "/dev/console" ]
>     then
>         echo "root must log in on the console"
>         exit 1
>     fi
>     trap 1 2 3 15
> there is probably a narrow window of vulnerability here.

Why not make the above the login shell of root, and at the end have it
run /bin/sh or /bin/csh as you please? I've found that a shell (sh or csh)
script that's somebody's login shell can't be stopped or broken out of w/o
logging the person out. Therefore, the "window of vulnerability" is removed.

John
--
John Robert LoVerso @ SUNY Buffalo (716-636-3004)
LoVerso%Buffalo@CSNET-RELAY -or- ..!{decvax,watmath|rocksanne}!sunybcs!loverso
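
The login-shell arrangement suggested in the reply above, as an added example that is not part of the original post. The install path `/etc/rootsh`, the variable names and the function names are assumptions; the terminal check is factored into a function so it can be exercised without a console.

```shell
#!/bin/sh
# Added example: console-only login shell for root.
# Assumption: installed as /etc/rootsh and named as root's shell in /etc/passwd.

CONSOLE=/dev/console   # the only terminal root may log in on (from the post)
REAL_SHELL=/bin/sh     # or /bin/csh, "as you please"

# Accept a terminal name only on an exact match. Empty output or
# "not a tty" from tty(1) therefore counts as a denial.
console_ok() {
    [ "$1" = "$CONSOLE" ]
}

# Full login sequence. The caller passes the terminal name in.
root_login() {
    # As in the quoted .profile: HUP, INT, QUIT or TERM during the check
    # ends the script, and ending a login shell ends the session.
    trap 'exit 1' 1 2 3 15
    if console_ok "$1"; then
        # Restore default signal handling, then replace this script with
        # the real shell so no wrapper process is left to return to.
        trap - 1 2 3 15
        exec "$REAL_SHELL"
    fi
    echo "root must log in on the console" >&2
    return 1
}

# Run the login sequence only when invoked under the assumed install name,
# which leaves the functions above usable from other scripts.
case "$0" in
    */rootsh) root_login "$(tty)" || exit 1 ;;
esac
```

Because the script ends in `exec`, there is no parent shell to fall back into; any failure before that point exits non-zero and the session closes.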