Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!ames!nrl-cmf!cmcl2!adm!nlm-mcs!vax2.nlm.nih.gov!mjr
From: mjr@vax2.nlm.nih.gov.nlm.nih.gov (Marcus J. Ranum)
Newsgroups: comp.unix.wizards
Subject: Re: Preventing users to boot VS2000 to single user
Message-ID: <8340@nlm-mcs.arpa>
Date: 2 Nov 88 03:00:18 GMT
References: <354@eurtrx.UUCP> <670030@hpclscu.HP.COM>
Sender: nobody@nlm-mcs.arpa
Reply-To: mjr@vax2.nlm.nih.gov (Marcus J. Ranum)
Organization: Institute For Felinographical Studies
Lines: 18

In article <670030@hpclscu.HP.COM> shankar@hpclscu.HP.COM (Shankar Unni) writes:
>> running Ultrix. The Stations have their own system disk. I want to
>> prevent the users of the stations to boot their system single user.

A kludge I used to do on Suns was to fix /etc/init so that it does not
fork off single user shells, but rather forks off a /bin/login. The shell
name to use is #defined at the top, and changing that breaks a lot of
stuff, but there is a function, singlesh() I think it is, that starts the
single-user shell. Of course, after I did this on some of our systems I
noticed some undocumented stuff that led me to believe that there was a
way to tell it to boot a different init.

Of course, a user could still boot off a kernel they stashed in /tmp,
or a standalone copy, or whatever. This was not a fix, simply another
level of difficulty to add for the potential cracker to overcome. I don't
think there is really anything you can do if you haven't got the hardware
secure. At that level there are too many holes.

--mjr();