Old 05-08-2007, 04:39 AM   #1
nitinatindore
Member
 
Registered: Dec 2004
Location: India
Distribution: Mandrake, Mandriva, PclinuxOS
Posts: 114

Rep: Reputation: 15
Question Disabling direct console login: forcing su


I wish to disallow direct console logon (on Linux, of course) to several privileged accounts, but instead want them to log in as normal users and then do a su/sudo to log in to a high-privilege account.

Note: I do not wish to disable only root login, which can be easily done via /etc/securetty.

I did some research on the Internet and found the following code snippet useful, but I am sure there could be a smarter way to do it.

/*
Ensure that the user's .profile/.bash_profile is only writable by root and readable by others and then add the following at the top:

### script begin ###
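# Ignore HUP, INT and QUIT so the check cannot be interrupted
trap "" 1 2 3

# Login name that owns the terminal (not changed by su)
REALUSER=`/usr/bin/who am i | /usr/bin/cut -f1 -d" "`
# Name of the account this shell is running as
SUUSER=`id -un`

# Same name means the account was logged into directly, not reached via su
if [ "$REALUSER" = "$SUUSER" ]
then
    logout
fi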
### script end #####
*/
 
Old 05-08-2007, 04:47 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
At a basic level, use /etc/security/access.conf.
 
Old 05-08-2007, 04:54 AM   #3
nitinatindore
Member
 
Registered: Dec 2004
Location: India
Distribution: Mandrake, Mandriva, PclinuxOS
Posts: 114

Original Poster
Rep: Reputation: 15
Thumbs up

Dear Mod

Thanks for the info, but please correct me if I am wrong. Is /etc/security/access.conf a standard utility present on all *nix boxes, or is it some kind of additional package?

A quick Googling [[http://www.rhce2b.com/clublinux/RHCE-15.shtml]] revealed that it has to be used in conjunction with PAM. I think I have quite old servers, which might not support PAM, but I am not too sure.
 
Old 05-08-2007, 05:02 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Totally standard file, really.
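
An added example, not part of the thread: pam_access reads /etc/security/access.conf as `permission : users : origins` lines and uses the first matching one, and it only applies to PAM services whose stack loads pam_access.so, so it belongs on the login services and not on su. The sketch below reports how the first rule naming an account treats it; `first_rule`, `sample_conf`, the account names and the sample rules are all constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an access.conf-style file for direct-login denial.
# Looks only at the first rule that names the user (or ALL). Rules using
# EXCEPT, (group) or @netgroup are reported as "review", not evaluated.

# first_rule USER FILE -> deny-all | deny-some | allow | review | none
first_rule() {
    awk -F: -v user="$1" '
        /^[ \t]*#/ || NF < 3 { next }          # skip comments and malformed lines
        {
            perm = $1; users = $2; origins = $3
            gsub(/[ \t]+/, "", perm)
            if (users ~ /EXCEPT|[(@]/) {        # syntax this sketch does not evaluate
                print "review"; found = 1; exit
            }
            n = split(users, u, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (u[i] == user || u[i] == "ALL") {
                    gsub(/^[ \t]+|[ \t]+$/, "", origins)
                    if (perm == "+") print "allow"
                    else if (origins == "ALL") print "deny-all"
                    else print "deny-some"
                    found = 1; exit
                }
            }
        }
        END { if (!found) print "none" }
    ' "$2"
}

# Constructed sample: oracle and dbadmin are denied from every origin,
# backup is denied on tty1 only, everyone else is unrestricted.
sample_conf() {
    cat <<'EOF'
# permission : users : origins
- : oracle dbadmin : ALL
- : backup : tty1
+ : ALL : ALL
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
for acct in oracle dbadmin backup alice; do
    printf '%-8s %s\n' "$acct" "$(first_rule "$acct" "$conf")"
done
rm -f "$conf"
```

Accounts that should only be reachable through su/sudo should come back as `deny-all`; anything else deserves a manual look at the file.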
 
Old 05-09-2007, 01:10 AM   #5
nitinatindore
Member
 
Registered: Dec 2004
Location: India
Distribution: Mandrake, Mandriva, PclinuxOS
Posts: 114

Original Poster
Rep: Reputation: 15
Thanks Chris

Problem Solved!
 
  

