login permission

ust · 11-22-2005, 07:39 PM

If I want the root user can only login at the console , can't login at workstation , that mean the root can't login via telnet , rsh , ftp ... , what can I do ? thx

cyberjun · 11-22-2005, 08:26 PM

Hi,

I think /etc/securetty is the file you need. Following is the extact from that file:
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).

Checkout the man pages for securetty and login. However, this will not prevent "su" from giving out rootshells (after authetication ofcourse!!). If you want to prevent normal users from using "su", then I think the solutions to the problem vary. I use Gentoo and I have to add the normal user to group wheel for letting him use "su".
Hope this helps.

cheers,
--cyberjun

ust · 11-22-2005, 08:40 PM

Quote:

Originally posted by cyberjun
Hi,

I think /etc/securetty is the file you need. Following is the extact from that file:
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).

Checkout the man pages for securetty and login. However, this will not prevent "su" from giving out rootshells (after authetication ofcourse!!). If you want to prevent normal users from using "su", then I think the solutions to the problem vary. I use Gentoo and I have to add the normal user to group wheel for letting him use "su".
Hope this helps.

cheers,
--cyberjun

thx reply ,

my /etc/securetty has many lines as below, if I want to only let root user login at console , do I need to erase all lines excetp tty1 ? thx

vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
rsh
rlogin
rcp
ttyp0
tty0

cyberjun · 11-22-2005, 08:47 PM

Hi,
Yes I think that should be it. Maybe you can keep tty1 through tty6 and comment out the rest. You should try this only while keeping atleast one root session open otherwise you might end up accidentally locking yourself out.
Try and let me know.

cheers,
--cyberjun

ust · 11-23-2005, 03:18 AM

Quote:

Originally posted by cyberjun
Hi,
Yes I think that should be it. Maybe you can keep tty1 through tty6 and comment out the rest. You should try this only while keeping atleast one root session open otherwise you might end up accidentally locking yourself out.
Try and let me know.

cheers,
--cyberjun

thx r suggestion.

ust · 11-24-2005, 02:37 AM

Quote:

Originally posted by cyberjun
Hi,

I think /etc/securetty is the file you need. Following is the extact from that file:
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).

Checkout the man pages for securetty and login. However, this will not prevent "su" from giving out rootshells (after authetication ofcourse!!). If you want to prevent normal users from using "su", then I think the solutions to the problem vary. I use Gentoo and I have to add the normal user to group wheel for letting him use "su".
Hope this helps.

cheers,
--cyberjun

the reply , if I hv add the user to the wheel group , but still can't su to the root , could suggest what is the reason ? thx

cyberjun · 11-24-2005, 03:23 AM

what is ur distro? as I said, might depend on the distro you are using. I use Gentoo and for me its the wheel group. I can't tell which group will be the correct one for you?

cheers,
--cyberjun

ust · 11-24-2005, 03:28 AM

Quote:

Originally posted by cyberjun
what is ur distro? as I said, might depend on the distro you are using. I use Gentoo and for me its the wheel group. I can't tell which group will be the correct one for you?

cheers,
--cyberjun

I use Suse and RH .

thx

cyberjun · 11-24-2005, 06:06 AM

hey,
are you sure all is well with the /bin/su permissions ? Check the following link:

http://archives.neohapsis.com/archiv...4-q1/1349.html

cheers,
--cyberjun