Re: How to Restrict a user, not a root, Login to the Console?

From: Reg Quinton (reggers_at_ist.uwaterloo.ca)
Date: 07/30/04

    To: <cristina.villegas@itece.es>, <focus-sun@securityfocus.com>
    Date: Fri, 30 Jul 2004 10:58:32 -0400
    
    

    This is a bit of a quick and dirty hack but I've used it before to control
    logins and it works well enough. I'll give you the strategy and some rough
    code for you to polish....

    Assuming that you have things like rsh and ftp disabled (they are awfully
    hard to control) *and* that the only way for the target user to get into
    the system is through a login session (from getty, SSH, telnet, rlogin,
    etc.) *and* that you only allow the usual shells as login shells, then
    configure /etc/profile (and /etc/.login) to detect login to the restricted
    account and make sure the user is not the user logged in on the tty.

    You'd think that you'd only run /etc/profile (/etc/.login) at login ...
    don't trust that.

    You'd think that $USER and $LOGNAME would be enough to test... you need to
    be more robust. Don't trust those variables.

    The person who last logged in on this terminal is (that should be $LOGNAME
    ... but don't trust that):

    last -1 `tty | sed 's/.dev.//'` | awk '{print $1}'

    If you've done a su then your current userid is different from the person
    who is logged in on the tty. Your current userid is (that should be $USER
    ... but don't trust that):

    id | sed -e 's/).*//' -e 's/.*(//'

    Combining all of that try adding this to the end of /etc/profile (and
    something similar for /etc/.login):

        USER=`id | sed -e 's/).*//' -e 's/.*(//'`

        if [ "$USER" = "oracle" ]; then
            TTY=`tty | sed 's/.dev.//'`
            LOGNAME=`last -1 $TTY | awk '{print $1}'`
            if [ "$USER" = "$LOGNAME" ]; then
                # gripe, syslog it and exit PDQ
                echo "Direct login to $USER is not permitted; su from your own account." 1>&2
                logger -p auth.warning -t profile "direct login to $USER on $TTY denied"
                exit 1
            fi
        fi

    A malicious user can, if they time it just right, ^C out of the /etc/profile
    (/etc/.login) but this should catch most of them. All you're trying to do
    is catch your DBAs breaking policy.

    I hope this helps.

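The check described in the post above, rewritten as an added example (not the poster's code) with the parsing and the decision split into functions so each piece can be exercised on constructed `id` and `last` output; it assumes the restricted account is "oracle" as in the post, that `last -1 <tty>` prints the login name in its first field, and that `logger` is available for the syslog step. Beyond the post, it also covers a shell with no controlling tty and a tty with no wtmp record, where nothing can be decided.

```shell
#!/bin/sh
# Added example, not the original poster's code. The restricted account name
# ("oracle") and the shape of `last` output are assumptions taken from the post.

RESTRICTED="oracle"

# Effective user name out of an `id` line such as "uid=100(oracle) gid=1(other)".
user_from_id_line() {
    echo "$1" | sed -e 's/).*//' -e 's/.*(//'
}

# Login name out of `last -1 <tty>` output; empty when wtmp has no record for
# the tty (the only non-blank line is then "wtmp begins ...").
owner_from_last_output() {
    echo "$1" | awk 'NF && $1 != "wtmp" { print $1; exit }'
}

# Decision only, no side effects: deny (return 0) when the current user is the
# restricted account AND the tty's login record carries the same name, i.e. a
# direct login. A different owner means the user did su from their own account;
# an empty owner means no tty or no record, so there is nothing to decide.
should_deny() {
    cur=$1; owner=$2
    [ "$cur" = "$RESTRICTED" ] && [ -n "$owner" ] && [ "$cur" = "$owner" ]
}

# Entry point for the end of /etc/profile: gripe, syslog it and exit PDQ.
enforce() {
    cur=$(user_from_id_line "$(id)")
    if tty -s 2>/dev/null; then
        ttydev=$(tty | sed 's/.dev.//')
        owner=$(owner_from_last_output "$(last -1 "$ttydev")")
    else
        ttydev=""; owner=""
    fi
    if should_deny "$cur" "$owner"; then
        echo "Direct login to $cur is not permitted; log in as yourself and su." 1>&2
        logger -p auth.warning -t profile "direct login to $cur on $ttydev denied"
        exit 1
    fi
}
```

Source this file from /etc/profile and call `enforce` at the end of it; the functions themselves never touch the live commands, so they can be checked with sample lines first.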
