Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!decwrl!labrea!rutgers!tut.cis.ohio-state.edu!cwjcc!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon S. Allbery)
Newsgroups: comp.unix.wizards
Subject: Re: NFS security
Message-ID: <12559@ncoast.UUCP>
Date: 14 Sep 88 23:00:05 GMT
References: <126@leibniz.UUCP> <670028@hpclscu.HP.COM> <1394@basser.oz> <1202@luth.luth.se> <66897@sun.uucp> <14186@comp.vuw.ac.nz>
Reply-To: allbery@ncoast.UUCP (Brandon S. Allbery)
Followup-To: comp.unix.wizards
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 25

As quoted from <14186@comp.vuw.ac.nz> by duncan@comp.vuw.ac.nz (Duncan McEwan):
+---------------
| One partial solution to both of these problems for machines that can be
| accessed by people you don't trust, is to make it harder to become root
| on those machines.  I think SunOS 4.0 can be configured to require the
| superuser password before coming up in single user mode.  Of course,
| there may be many other ways of becoming root on the workstation that
| this doesn't protect against, but at least it blocks off one of the
| easiest.  Do any other workstation vendors provide this protection?
+---------------

Xenix has done this for years; which may become relevant with the advent of
an RFS version of Xenix (and maybe an NFS version will be in the works; we'll
have to see which one becomes dominant).

System V can be configured with a line "initdefault:2:" in /etc/inittab which
forces it to come up directly into multi-user mode (RFS-ites may want
"initdefault:3:" instead).  If this is done the only way to get into
single-user mode is to log in as root and do a "telinit s".

++Brandon
--
Brandon S. Allbery, uunet!marque!ncoast!allbery          DELPHI: ALLBERY
        For comp.sources.misc send mail to ncoast!sources-misc
"Don't discount flying pigs before you have good air defense." -- jvh@clinet.FI
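
An added example, not part of the original post: a shell check that reports which state an inittab sends the machine to at boot, so an administrator can confirm the console does not come up in single-user mode. It assumes the usual four-field inittab layout (id:runlevels:action:process) and that init asks for a run level at the console when no initdefault entry exists; the function name and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): classify the boot default in a
# System V style inittab. Assumed entry layout: id:runlevels:action:process

inittab_default() {
    # $1 = path to an inittab file
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk -F: '
        /^[ \t]*#/ || NF < 3 { next }      # skip comments and malformed lines
        $3 == "initdefault" && !seen { level = $2; seen = 1 }
        END {
            if (!seen)                    print "prompt"            # init asks at the console
            else if (level ~ /^[sS1]$/)   print "single-user:" level
            else if (level ~ /^[2-5]$/)   print "multi-user:" level
            else                          print "other:" level
        }
    ' "$1"
}

# Constructed sample files, for illustration only.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'is:2:initdefault:' \
    'r2:2:wait:/etc/rc2' > "$demo_dir/multi"
printf '%s\n' 'is:s:initdefault:' > "$demo_dir/single"
printf '%s\n' 'r2:2:wait:/etc/rc2' > "$demo_dir/none"

for f in multi single none; do
    printf '%-6s -> %s\n' "$f" "$(inittab_default "$demo_dir/$f")"
done
```

Anything other than a multi-user result means a person at the console can reach a single-user or prompted state without logging in as root first.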