Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!elroy!judy!stevo
From: stevo@judy.Jpl.Nasa.Gov (Steve Groom)
Newsgroups: comp.unix.wizards
Subject: Re: Booting SunOS 4.0 single user (was Re: NFS security)
Keywords: NFS, mknod
Message-ID: <9182@elroy.Jpl.Nasa.Gov>
Date: 8 Sep 88 19:09:12 GMT
References: <126@leibniz.UUCP> <670028@hpclscu.HP.COM> <1394@basser.oz> <1202@luth.luth.se> <66897@sun.uucp> <14186@comp.vuw.ac.nz> <3168@emory.uucp> <12397@duke.cs.duke.edu>
Sender: news@elroy.Jpl.Nasa.Gov
Reply-To: stevo@jane.jpl.nasa.gov (Steve Groom)
Organization: Image Analysis Systems Grp, JPL
Lines: 23

In article <12397@duke.cs.duke.edu> ndd@romeo.UUCP (Ned D. Danieley) writes:
>If I understand what you've described, the only way to protect a
>workstation from someone booting it single user is to deny root
>the ability to log in on that workstation. Doesn't sound very elegant
>to me.

But it only denies them the ability to *log in* as root. It doesn't
stop you from using su to become root, which I view as preferable to
logging in as root anyway. As a policy, we use su instead of logging in
as root. We haven't enforced it completely by turning off 'secure', but
we've thought about it. The reason is simple. Su leaves a better trail
around, telling you who that really was. If all you have is the fact
that root logged in on ttyx at nn:nn:nn, that doesn't tell you anything
about who it might have been that did it.

Sounds pretty elegant to me.

-steve

/* Steve Groom, Jet Propulsion Laboratory, Pasadena, CA 91109
 * Internet: stevo@elroy.jpl.nasa.gov   UUCP: {ames,cit-vax}!elroy!stevo
 * Disclaimer: (thick German accent) "I know noothingg! Noothingg!" */
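
The difference in audit trail described in the post above, as an added example that is not part of the original post: a Python pass over constructed syslog lines that lists every root session and flags those with no named user behind them. The log line shapes, the host name and the user names are assumptions made for illustration.

```python
import re

# Constructed sample log (not from the post). The message shapes are an
# assumption modelled on typical su/login syslog output.
SAMPLE_LOG = """\
Sep  8 09:14:02 ws1 login: ROOT LOGIN ON ttya
Sep  8 10:31:45 ws1 su: (to root) alice on ttyp0
Sep  8 11:02:10 ws1 su: FAILED SU (to root) mallory on ttyp3
Sep  8 12:09:12 ws1 su: (to root) bob on ttyp1
Sep  8 13:40:00 ws1 su: (to operator) alice on ttyp0
Sep  8 23:55:30 ws1 login: ROOT LOGIN ON console
"""

STAMP = r"(?P<when>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+"
SU_RE = re.compile(
    STAMP + r"su(?:\[\d+\])?: (?P<failed>FAILED SU )?"
    r"\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
LOGIN_RE = re.compile(STAMP + r"login(?:\[\d+\])?: ROOT LOGIN ON (?P<tty>\S+)$")


def root_events(log_text):
    """Return one record per root access attempt found in the log."""
    events = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            if m["target"] != "root":
                continue  # su to a non-root account is out of scope here
            how = "su-failed" if m["failed"] else "su"
            events.append({"when": m["when"], "tty": m["tty"],
                           "how": how, "who": m["user"]})
            continue
        m = LOGIN_RE.match(line)
        if m:
            # A direct root login names a terminal but no person.
            events.append({"when": m["when"], "tty": m["tty"],
                           "how": "login", "who": None})
    return events


def unattributed(events):
    """Root sessions that cannot be tied to an individual account."""
    return [e for e in events if e["who"] is None]


if __name__ == "__main__":
    for e in root_events(SAMPLE_LOG):
        who = e["who"] or "UNKNOWN (direct root login)"
        print(f'{e["when"]}  {e["tty"]:8} {e["how"]:10} {who}')
```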