*BSD News Article 94826


Return to BSD News archive

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!uunet!in1.uu.net!128.138.243.15!csnews!boulder!rintintin.Colorado.EDU!fcrary
From: fcrary@rintintin.Colorado.EDU (Frank Crary)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Howto restrict login at the console?
Date: 1 May 1997 00:47:04 GMT
Organization: University of Colorado, Boulder
Lines: 43
Message-ID: <5k8p68$iad@lace.colorado.edu>
References: <3364F170.4DF6BC09@indigo.ie> <5k761s$p26@ui-gate.utell.co.uk>
NNTP-Posting-Host: rintintin.colorado.edu
NNTP-Posting-User: fcrary
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:40055

In article <5k761s$p26@ui-gate.utell.co.uk>,
Brian Somers <brian@awfulhak.org, brian@utell.co.uk> wrote:
>> I was just wondering if there was any way of restricting login at the
>> console. What I'm after is the inverse(so to speak) of putting insecure
>> on a line in /etc/ttys. That is, I only want root to login at the
>> console. The machine isn't physically secure at the moment and I don't
>> want people starting X sessions etc. I can login as root and lock the
>> screen but I wouldn't trust people not to power cycle the machine when I
>> wasn't around.

>Something like

>case .`tty 2>/dev/null` in
>    /dev/ttyv?)  echo "Go away, you're not god !" >&2; exit 1;;
>esac

>in /etc/profile should suffice (assuming everyone at your site
>uses [ba]sh).

I'm not sure when or if /etc/profile is sourced, but I just tried it 
out and it is not called when I open an xterm with a tcsh shell. That
could be a matter of the shell, or of opening an xterm rather than
an initial login, but I think it's the shell. Since changing shells
is something any user can do, this doesn't strike me as much of a
protection. (Unless [ba]sh were the only shells available.) 

However, as someone else has pointed out, this is a pointless
exercise. PCs inherently have a massive physical security problem.
Anyone with physical access to the machine can do whatever he
wants. During a reboot, with a standard FreeBSD, you can bypass
these protections by selecting single user mode. Even if you
changed this, all someone has to do is put in a floppy disk of his
choice and the machine would boot from that, rather than the hard
drive. (A feature which I find convenient, since I don't need to
have a password on a machine running Windows NT to get rid of Windows
and replace it with FreeBSD... And, no, I don't go around sneaking
into people's offices and changing their operating system. I just
occasionally install FreeBSD on previously used machines, and it's
not convenient to run around, find the former sysadmin and get him to
give me a password on NT.)

                                                          Frank Crary
                                                          CU Boulder