From: fcrary@rintintin.Colorado.EDU (Frank Crary)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Howto restrict login at the console?
Date: 1 May 1997 00:47:04 GMT
Organization: University of Colorado, Boulder
Message-ID: <5k8p68$iad@lace.colorado.edu>
References: <3364F170.4DF6BC09@indigo.ie> <5k761s$p26@ui-gate.utell.co.uk>

In article <5k761s$p26@ui-gate.utell.co.uk>,
Brian Somers <brian@awfulhak.org, brian@utell.co.uk> wrote:

>> I was just wondering if there was any way of restricting login at the
>> console. What I'm after is the inverse (so to speak) of putting insecure
>> on a line in /etc/ttys. That is, I only want root to login at the
>> console. The machine isn't physically secure at the moment and I don't
>> want people starting X sessions etc. I can login as root and lock the
>> screen but I wouldn't trust people not to power cycle the machine when I
>> wasn't around.

> Something like
>
> case "`tty 2>/dev/null`" in
>   /dev/ttyv?) echo "Go away, you're not god !" >&2; exit 1;;
> esac
>
> in /etc/profile should suffice (assuming everyone at your site
> uses [ba]sh).

I'm not sure when or if /etc/profile is sourced, but I just tried it out
and it is not called when I open an xterm with a tcsh shell. That could
be a matter of the shell, or of opening an xterm rather than an initial
login, but I think it's the shell. Since changing shells is something any
user can do, this doesn't strike me as much of a protection. (Unless
[ba]sh were the only shells available.)

However, as someone else has pointed out, this is a pointless exercise.
PCs inherently have a massive physical security problem. Anyone with
physical access to the machine can do whatever he wants.
During a reboot, with a standard FreeBSD, you can bypass these protections
by selecting single user mode. Even if you changed this, all someone has
to do is put in a floppy disk of his choice and the machine would boot
from that, rather than the hard drive. (A feature which I find convenient,
since I don't need to have a password on a machine running Windows NT to
get rid of Windows and replace it with FreeBSD... And, no, I don't go
around sneaking into people's offices and changing their operating system.
I just occasionally install FreeBSD on previously used machines, and it's
not convenient to run around, find the former sysadmin and get him to give
me a password on NT.)

Frank Crary
CU Boulder
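The following is an added example, not code from either poster in the thread. It is the /etc/profile console gate in the form the original poster actually asked for (root allowed, everyone else refused on a virtual console), written as a function that takes the user and tty name as arguments so the policy can be exercised without a real terminal. The /dev/ttyv* device names are the FreeBSD virtual consoles; the user and tty values used in the comments are assumptions for the demonstration. As the reply above notes, a check placed in /etc/profile only runs for shells that source that file, so it is a courtesy, not a control.

```sh
#!/bin/sh
# Added example (not from the original thread): a console-login gate in
# the style of the /etc/profile snippet quoted above, but exempting root
# as the original poster required. The substitution is quoted and no "."
# prefix is used, so the case pattern actually matches the tty name.

# console_login_allowed USER TTY
#   Returns 0 if the login may proceed, 1 if it should be refused.
#   Only FreeBSD virtual consoles (/dev/ttyv0, /dev/ttyv1, ...) are gated;
#   pseudo-terminals (xterm, ssh) and serial lines pass through untouched.
console_login_allowed() {
    _user=$1
    _tty=$2
    case "$_tty" in
        /dev/ttyv[0-9]*)
            # On a virtual console only root may continue.
            [ "$_user" = root ] && return 0
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# enforce_console_policy
#   Hook intended for /etc/profile. Refuses non-root sh/bash login shells
#   on the console. Remember that this runs only in shells that source
#   /etc/profile; a user whose login shell is tcsh never executes it, and
#   any user can change shells, which is the weakness the reply points out.
enforce_console_policy() {
    _me=$(id -un 2>/dev/null)
    # tty(1) prints "not a tty" (and exits non-zero) when there is no
    # controlling terminal; that string falls into the "*)" branch above.
    _t=$(tty 2>/dev/null)
    if ! console_login_allowed "$_me" "$_t"; then
        echo "Console logins are restricted to root." >&2
        exit 1
    fi
}
```

To use it, source the file from /etc/profile and call enforce_console_policy as the last step; the function exits the login shell rather than returning, so anything placed after it in /etc/profile is skipped for refused users.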