Re: How to Restrict a user, not a root, Login to the Console?
From: Reg Quinton (reggers_at_ist.uwaterloo.ca)
Date: 07/30/04
- Previous message: Myers, Mike: "RE: How to Restrict a user, not a root, Login to the Console?"
- Maybe in reply to: Rex Monty di Bona: "Re: How to Restrict a user, not a root, Login to the Console?"
To: <cristina.villegas@itece.es>, <focus-sun@securityfocus.com>
Date: Fri, 30 Jul 2004 10:58:32 -0400
This is a bit of a quick and dirty hack, but I've used it before to control
logins and it works well enough. I'll give you the strategy and some rough
code for you to polish.
Assuming that you have things like rsh and ftp disabled (they are awfully
hard to control) *and* that the only way for the target user to get into
the system is through a login session (from getty, SSH, telnet, rlogin,
etc.) *and* that you only allow the usual shells as login shells, then
configure /etc/profile (and /etc/.login) to detect login to the restricted
account and make sure the user is not the user logged in on the tty.
You'd think that you'd only run /etc/profile (/etc/.login) at login ...
don't trust that.
You'd think that $USER and $LOGNAME would be enough to test... you need to
be more robust. Don't trust those variables.
The person who last logged in on this terminal is (that should be $LOGNAME
... but don't trust that):

    # NR==1 keeps only the session record; last(1) also prints a trailing
    # "wtmp begins ..." line, which would otherwise end up in the result
    last -1 `tty | sed 's/.dev.//'` | awk 'NR==1 {print $1}'
If you've done a su then your current userid is different from the person
who is logged in on the tty. Your current userid is (that should be $USER
... but don't trust that):

    id | sed -e 's/).*//' -e 's/.*(//'
Combining all of that try adding this to the end of /etc/profile (and
something similar for /etc/.login):
    # current effective user, taken from id(1) rather than $USER
    USER=`id | sed -e 's/).*//' -e 's/.*(//'`
    if [ "$USER" = "oracle" ]; then
        # tty name without the /dev/ prefix, e.g. pts/3
        TTY=`tty | sed 's/.dev.//'`
        # owner of the login session on this tty; NR==1 skips the trailing
        # "wtmp begins ..." line that last(1) appends
        LOGNAME=`last -1 $TTY | awk 'NR==1 {print $1}'`
        if [ "$USER" = "$LOGNAME" ]; then
            # gripe, syslog it and exit PDQ
            echo "Direct login as $USER on $TTY is not permitted; su from your own account." 1>&2
            logger -p auth.warning -t profile "direct login as $USER on $TTY refused"
            exit 1
        fi
    fi
A malicious user can, if they time it just right, ^C out of the /etc/profile
(/etc/.login), but this should catch most of them. All you're trying to do
is catch your DBAs breaking policy.
I hope this helps.
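The check described in the message above, as an added example that is not part of the original post: the decision logic (current user vs. owner of the tty session as reported by last(1)) is factored into a function that takes its inputs as arguments, so it can be exercised with constructed last(1) lines instead of a live tty and wtmp. The function and variable names (restricted_login, enforce_restricted_login, RESTRICTED) are assumptions for this example, as is the availability of logger(1). Where the post's snippet silently allows the login when last(1) has no record for the tty, this version reports "unknown" and the wrapper refuses, i.e. it fails closed.

```shell
#!/bin/sh
# Added example, not code from the original post. Names below are assumptions.

# restricted_login RESTRICTED CURRENT LAST_LINE
#   RESTRICTED  account that must not log in directly (the post uses oracle)
#   CURRENT     effective user of this shell, as the post derives it from id(1)
#   LAST_LINE   first line of `last -1 <tty>` for the current tty; its first
#               field is the user who started the login session on that tty
# Prints one of:
#   ok         - not the restricted account, or it was reached via su
#   violation  - the restricted account itself logged in on this tty
#   unknown    - no wtmp record for the tty, so the check cannot decide
restricted_login() {
    restricted=$1
    current=$2
    last_line=$3
    if [ "$current" != "$restricted" ]; then
        echo ok
        return 0
    fi
    # word-split the last(1) line; $1 becomes the session owner
    set -- $last_line
    owner=${1:-}
    # last(1) prints "wtmp begins ..." when it finds no matching record
    # (assumption: that is the first line when there is no session record)
    if [ -z "$owner" ] || [ "$owner" = "wtmp" ]; then
        echo unknown
        return 0
    fi
    if [ "$owner" = "$restricted" ]; then
        echo violation
    else
        echo ok
    fi
}

# Live wrapper for /etc/profile. Ignoring INT/QUIT/TSTP first narrows the
# ^C window the post mentions. A violation (or an undecidable check) is
# written to syslog with logger(1) and the login shell is terminated.
enforce_restricted_login() {
    RESTRICTED=${1:-oracle}
    trap '' INT QUIT TSTP
    current=`id | sed -e 's/).*//' -e 's/.*(//'`
    tty_name=`tty 2>/dev/null | sed 's,^/dev/,,'`
    last_line=`last -1 "$tty_name" 2>/dev/null | sed 1q`
    verdict=`restricted_login "$RESTRICTED" "$current" "$last_line"`
    case $verdict in
        ok) ;;
        *)  echo "Direct login as $RESTRICTED on $tty_name is not permitted; su from your own account." 1>&2
            logger -p auth.warning -t profile "login as $RESTRICTED on $tty_name refused ($verdict)"
            exit 1 ;;
    esac
}

# In /etc/profile:  . /etc/restricted_login.sh; enforce_restricted_login oracle
```

The sample last(1) lines used in testing are constructed; the wrapper's `exit 1` runs inside the login shell that sourced /etc/profile, which is what ends the session.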