LinuxQuestions.org
Old 06-18-2004, 12:07 AM   #1
paeng16
Member
 
Registered: May 2004
Posts: 47

Rep: Reputation: 15
Question Limiting Shells


Hi,

I have asked some hardcore Linux users about limiting the shell. Although some find it interesting, others just laugh at me and STARE at me like a Junior High Student.

Well anyway, does anyone know how I can limit my Fedora Core 2 box to a single shell? Because I figured, if my box will allow only 1 shell and the only shell is being used by the localhost, an intruder will have a difficult time in getting access.

Kindly help!

__________________________________________
man is our friend my friend!
 
Old 06-18-2004, 02:59 AM   #2
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
I think you're jumping ahead to the solution stage without really understanding (or at least explaining) the problem you are trying to solve.

Linux has something called "single user mode" which does what you say, but almost certainly isn't what you want. If you want to prevent anyone logging into the box over the network, there are better ways to do it.

If you can explain what you are trying to achieve, I think more help may be forthcoming.
 
Old 06-18-2004, 03:27 AM   #3
paeng16
Member
 
Registered: May 2004
Posts: 47

Original Poster
Rep: Reputation: 15

Thanks for your reply.

I understand the single user mode (runlevel1), but I want only 1 or 2 bash shells. Because my THEORY (don't know if it is STUPID or what) is:

If there is only 1 bash shell available and it is already being used by the local administrator (meaning no more SHELLS available), it would be very difficult to hack that box. Because even if the Hacker has the ROOT password, it is useless because he will never get a shell.

I hope you understand what I'm trying to say.

Again, thank you for your kind reply.

_______________________________________
man is our friend my friend!
 
Old 06-18-2004, 05:34 AM   #4
LinuxBlackBox
Member
 
Registered: Sep 2003
Location: Canada
Distribution: Slackware 9
Posts: 243

Rep: Reputation: 30
Yes, you have a point. If there is only one shell, nobody else would be able to use the computer while you're on it. But that also means that the 'mail' user isn't going to be able to function, or the 'pop' user. 'mysql' won't be able to log in. 'http' won't be able to serve requests. Etc. And what happens when your X server freezes and you want to ctrl+alt+f2 so you can log in and kill it? Your login will be denied. Then you have to reboot.

Linux is a multiuser environment; I think that is one of the things many people find most appealing about it.

However, your idea does have some practical uses in certain scenarios. If somebody wanted to use a Linux box as a web browsing kiosk, without serving anything else that would require a user, it would make sense to block it to only one user.

It's an interesting idea, but I can imagine it would be hard to implement it (I'm assuming it would have to be written into the kernel), and for the few people that would use it, I don't think it would be worth the effort.
 
Old 06-18-2004, 07:51 AM   #5
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Quote:
Originally posted by paeng16
Thanks for your reply.

I understand the single user mode (runlevel1), but I want only 1 or 2 bash shells. Because my THEORY (don't know if it is STUPID or what) is:

If there is only 1 bash shell available and it is already being used by the local administrator (meaning no more SHELLS available), it would be very difficult to hack that box. Because even if the Hacker has the ROOT password, it is useless because he will never get a shell.

I hope you understand what I'm trying to say.

I do understand. It is an interesting idea, but if your objective is to secure a computer there are better ways to do it.

For example:
If you want to allow people to log on remotely but only have one person at a time, part of the logon script could check the number of people currently logged on and kill the session if there was already someone there.

You could also have something where the login script creates an /etc/nologin file to prevent anyone else logging in; then logging out removes it again (but you'd need to login as root at the console if the box crashed or the session was killed uncleanly).

If you only want a local administrator to log on, why not just have no remote logon methods (e.g. don't run sshd or telnetd or, even simpler, just put ALL:ALL in /etc/tcp.deny and leave tcp.allow empty)?
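
The logon-script check suggested in post #5, sketched as an added example that is not part of any poster's message. The function names, the console exemption and the sample `who` lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one-session gate for a login script.

# Constructed sample of `who` output: user, terminal, login time, origin.
SAMPLE_WHO='admin    tty1         2004-06-18 09:00
admin    pts/0        2004-06-18 09:05 (192.0.2.10)
paeng    pts/1        2004-06-18 09:07 (192.0.2.11)'

# count_other_sessions MY_TTY
# Reads `who`-format lines on stdin and prints how many sessions sit on a
# terminal other than MY_TTY (the new session normally appears in the list too).
count_other_sessions() {
    awk -v me="$1" 'NF >= 2 && $2 != me { n++ } END { print n + 0 }'
}

# login_allowed MY_TTY MAX_OTHERS
# Succeeds only if at most MAX_OTHERS other sessions are listed on stdin.
login_allowed() {
    others=$(count_other_sessions "$1")
    [ "$others" -le "$2" ]
}

# gate_login: intended to be called from the system login script.
gate_login() {
    my_tty=$(tty 2>/dev/null | sed 's|^/dev/||')
    case "$my_tty" in
        # Assumption: the local console stays open as the recovery path,
        # so a crashed or stale session cannot lock the administrator out.
        tty[0-9]*) return 0 ;;
    esac
    # No terminal at all leaves nothing to exclude, so the check fails closed.
    if ! who | login_allowed "$my_tty" 0; then
        logger -p auth.notice "login gate: refused ${USER:-unknown} on $my_tty"
        echo "Another session is already active; closing this one." >&2
        exit 1
    fi
}

# Demo on the constructed sample: sessions other than pts/1.
printf '%s\n' "$SAMPLE_WHO" | count_other_sessions pts/1
```

A check like this only runs for shells that read the login script, so it is a convenience rather than an enforcement point; the `maxsyslogins` and `maxlogins` items that pam_limits reads from /etc/security/limits.conf apply a session cap in the PAM session stack instead.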
 
Old 06-20-2004, 07:40 PM   #6
paeng16
Member
 
Registered: May 2004
Posts: 47

Original Poster
Rep: Reputation: 15

Thank you for all your replies.

__________________________________-
 
Old 06-21-2004, 01:02 AM   #7
Ohnodoctor
LQ Newbie
 
Registered: Feb 2004
Distribution: Slack Gentoo
Posts: 5

Rep: Reputation: 0
You can probably just remove most of the lines in /etc/securetty, which is a list of the terminals on which root can login.
 
  

