Re: How to Restrict a user, not a root, Login to the Console?

From: Reg Quinton (reggers_at_ist.uwaterloo.ca)
Date: 07/30/04

    To: <cristina.villegas@itece.es>, <focus-sun@securityfocus.com>
    Date: Fri, 30 Jul 2004 10:58:32 -0400

    This is a bit of a quick and dirty hack but I've used it before to control
    logins and it works well enough. I'll give you the strategy and some rough
    code for you to polish....

    Assuming that you have things like rsh and ftp disabled (they are awfully
    hard to control) *and* that the only way for the target user to get into
    the system is through a login session (from getty, SSH, telnet, rlogin,
    etc.) *and* that you only allow the usual shells as login shells, then
    configure /etc/profile (and /etc/.login) to detect login to the restricted
    account and make sure the user is not the user logged in on the tty.

    You'd think that you'd only run /etc/profile (/etc/.login) at login ...
    don't trust that.

    You'd think that $USER and $LOGNAME would be enough to test... you need to
    be more robust. Don't trust those variables.

    The person who last logged in on this terminal is (that should be $LOGNAME
    ... but don't trust that):

    last -1 `tty | sed 's/.dev.//'`| awk '{print $1}'

    If you've done a su then your current userid is different from the person
    who is logged in on the tty. Your current userid is (that should be $USER
    ... but don't trust that):

    id | sed -e 's/).*//' -e 's/.*(//'

    Combining all of that try adding this to the end of /etc/profile (and
    something similar for /etc/.login):

        USER=`id | sed -e 's/).*//' -e 's/.*(//'`     # effective user from id(1), not from the environment

        if [ "$USER" = "oracle" ]; then
            TTY=`tty | sed 's/.dev.//'`                 # e.g. pts/3
            LOGNAME=`last -1 $TTY | awk 'NR==1 {print $1}'`   # who last logged in on this tty
            if [ "$USER" = "$LOGNAME" ]; then
                # direct login to the restricted account: gripe, syslog it and end the session
                echo "Direct login to $USER is not permitted" >&2
                logger -p auth.warning "direct login to $USER on $TTY refused"
                exit 1
            fi
        fi

    A malicious user can, if they time it just right, ^C out of the /etc/profile
    (/etc/.login) but this should catch most of them. All you're trying to do
    is catch your DBAs breaking policy.

    I hope this helps.
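The check described in the post, factored into a small POSIX sh script so the decision logic can be exercised with constructed inputs. This is an added example, not code from the original message: the account name "oracle", the function names, and the logger tag are assumptions, and the only part that would actually go into /etc/profile is the final `enforce` call.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed restricted account name.
RESTRICTED_ACCOUNT="oracle"

# current_user: effective user of this shell, read from id(1) rather than
# from $USER/$LOGNAME, which the caller controls.
current_user() {
    id | sed -e 's/).*//' -e 's/.*(//'
}

# tty_owner: the user that last(1) records as logged in on this tty.
# Only the first output line is an entry; on Linux a trailing "wtmp begins"
# line would otherwise pollute the value. If there is no record at all the
# result is empty, so the check below fails open for that tty.
tty_owner() {
    _tty=`tty | sed 's/.dev.//'`
    last -1 "$_tty" | awk 'NR==1 && $1 != "wtmp" {print $1}'
}

# check_login RESTRICTED CURRENT TTYOWNER
# Returns 0 when the session is acceptable: either the current user is not
# the restricted account, or it is the restricted account reached via su from
# a different login. Returns 1 when the restricted account is itself the user
# logged in on the tty, i.e. a direct login that policy forbids.
check_login() {
    _restricted="$1"; _current="$2"; _owner="$3"
    if [ "$_current" != "$_restricted" ]; then
        return 0
    fi
    if [ "$_owner" = "$_restricted" ]; then
        return 1
    fi
    return 0
}

# enforce: the piece that belongs at the end of /etc/profile. Logs the
# refusal to syslog (auth facility) and ends the login shell.
enforce() {
    if ! check_login "$RESTRICTED_ACCOUNT" "`current_user`" "`tty_owner`"; then
        logger -p auth.warning -t profile \
            "direct login to $RESTRICTED_ACCOUNT on `tty` refused"
        echo "Direct login to $RESTRICTED_ACCOUNT is not permitted; log in as yourself and su." >&2
        exit 1
    fi
}
```

Append `enforce` (or the body of it) to /etc/profile; the functions above do nothing on their own when sourced. `check_login` takes its three inputs as arguments so the four cases (other user direct, other user then su to oracle, oracle direct, oracle then su to someone else) can be verified without a real tty or wtmp.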

