
disable remote root xterms


bpinos

Programmer
Feb 19, 2003
Okay, I have a tricky problem. I want to disable root's ability to send xterms to remote displays.

I already have the settings set correctly to disallow root except on console in /etc/default/login, and I have set in sshd to use login.

So let's say I log in to a server as root, and then run:

xterm -d 100.100.100.105:0.0

If I have some sort of X Windows client like Exceed or Reflections running on 100.100.100.105, I will get an xterm window with root access on that computer. This shows in the logs, and everywhere else, as if someone logged in directly as root; therefore there is no audit trail.

If I look at the output from a who command while a root xterm is open, this is what I see:

root pts/5 Apr 10 13:41 (100.100.100.105)

So I figure I should be able to FORCE root to ONLY use the console and not pts/5. This should give me the ability to still ssh as myself, and then su to root, but not push root sessions to remote displays. That way there is ALWAYS an audit trail of which users su'ed to root and what they did.

So how do I make that, or something similar, work?

Any help would be great!

Thanks!

Bryan
 
Do you have sulog enabled in the /etc/default/su file? That would give you a record of users who su'd to root, but there is no record what they did as root (except through root's history file, if there is one).

It seems to me a more secure way is to use sudo, which gives excellent logging: it tells you who is using sudo, what command they are executing and from which directory. Sudo is shareware that allows you to give users various levels of privileges, from full to just a few commands.

Restricting who has root's password and implementing sudo is my suggestion.
 
There are plenty of ways of preventing dtlogin and xterm when initiated from the client (xhost, xauth, /etc/dt/config/Xsession.d etc.). However, once you are root there is little to prevent you doing what you like. You could write a dummy xterm script in a library assigned at the top of root's $PATH which checks for $USER=root and aborts if it is; otherwise, it calls the real xterm. However, you can still get round this by calling /usr/openwin/bin/xterm.

Alternatively, if you are on Solaris 8 or later you may be able to use Role-Based Access Control (RBAC) to change the access permissions for xterm to disallow its use by root.
 
Let me give a few more details to clarify. In my environment we use Tivoli. So any user who is a Tivoli admin, but not root, has the ability to launch programs as root on any system with a Tivoli endpoint. So it is easy for them to launch xterm remotely through Tivoli and send the display to a Win2K box running Reflections or Exceed.

So I have been thinking on this one, and I thought that maybe I could use the profile to check to see if it is a root shell running on an xterm using a pts/* port instead of a console, or su'ing from an ssh shell. Then if it's an xterm, I will simply force the shell to exit.

I haven't had time to work on this yet, but I think that I could put it in the profile to determine that info. In order to force xterm to source the profile, you have to use xterm -ls. So I was thinking that I could edit the master profile (/etc/profile) and alias xterm to xterm -ls.

These are my thoughts... I am just wondering if anyone had any better or maybe simpler ideas...

Thanx!

Bryan
 