Restricting user access


adamf (Technical User), Mar 7, 2002
For a normal user, i.e. NOT root:

How would I prevent telnet/rlogin access to user fred, but, once logged on, allow another user to su to fred?

A number of people could potentially use fred, so restricting access with IP addresses is impractical.

Adam F
Solaris System Administrator
 
Adam:

Place this in your /etc/profile. Now, user fred can only log in at the console. If LOGNAME isn't defined on your system, parse the output of the who or id commands. If you need help with that I can help you.

Regards,

Ed


#===============================================
# Deny application accounts direct login
# author: Jamie Adams
#===============================================
# Sourced from /etc/profile, so it runs for every sh/ksh login shell,
# including the one started by "su - fred".
if [ "`/usr/bin/tty`" != "/dev/console" ]; then
    if [ "$LOGNAME" = "fred" ]; then
        #
        # Attempt to set /dev/pts# permissions. mesg -n can only change the
        # mode of a tty owned by the current user: after a direct login the
        # pty belongs to fred, after "su - fred" it still belongs to the
        # original user and the call fails.
        #
        /usr/bin/mesg -n 1>/dev/null 2>&1

        #
        # Result codes: 0 - receivable, 1 - not receivable, 2 - Error
        #
        if [ $? -eq 1 ]; then
            echo "================================================================= "
            echo "Direct login as '$LOGNAME' is NOT AUTHORIZED. Use the su(1M) command."
            echo "================================================================= "
            # Kill the login shell itself so the session ends before a prompt appears
            kill -9 $$
        else
            echo " "
            echo "su to '$LOGNAME' is authorized."
            echo " "
        fi
    fi
fi

 
Hi Adam,

I don't know if I have understood your question correctly, but you can "lock" an account by putting a *LK* in the password field of the fred entry in /etc/shadow. That means you cannot log on as user fred directly but as another user on the system you still can do su - fred. Then my proposal is to install the sudo package and configure which users can do sudo su - fred.

An example of a small /etc/sudoers (the sudo config file) could look like:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for the details on how to write a sudoers file.
#
# Host alias specification
Host_Alias YOUR_HOST=mysunserver

# User alias specification

### UNIX_ADMIN: Adam F
User_Alias UNIX_ADMIN=adamUserID

### FRED_USERS: Ian, Mary, Charles, Mark
User_Alias FRED_USERS=ianUserID,maryUserID,charlesUserID,markUserID

# Cmnd alias specification

# User privilege specification

root ALL=(ALL) ALL

# Adam's admin account: these commands as any user on any host
UNIX_ADMIN ALL=(ALL) /bin/ksh, /usr/local/bin/sudo, /usr/bin/su -

# The listed users may run exactly "su - fred" as root on mysunserver,
# without being asked for their own password
FRED_USERS YOUR_HOST=(root) NOPASSWD: /usr/bin/su - fred

Hope that is helpful.

mrjazz [pc2]
 
olded - We do not want direct access as fred.

Users MUST NOT be able to log in as fred, but must be able to su to fred.

mrjazz - I didn't manage to replicate a successful su to fred while the account was locked.

If it makes a difference, I am on a Solaris 8 box.

Adam F
Solaris System Administrator
 
Hi Adam,

Sorry, my first answer was probably a bit confusing: you have to install the sudo package first (you can get it from ), and then it will work fine (if you configure it like the example above)!

mrjazz [pc2]
 
mrjazz - I'm with you!!

It wasn't the use of sudo that confused me.... I tried to su to fred from another non-privileged account, but that crapped out.

So obviously this solution will work using sudo.

So... what would you do if sudo was not installed on the box??

Adam F
Solaris System Administrator
 
Hello:

I don't mean to elaborate on the obvious, but the script can still be used:

1) Change the "/dev/console" string to a non-existent terminal device, i.e. "/dev/nothing"

2) Remove the console check entirely:
if [ "`/usr/bin/tty`" != "/dev/console" ]; then

Do either one of the above and you can only su into "fred".

Ed

 
olded - Magic! Just the job. Many thanks.

Adam F
Solaris System Administrator
 
Alternatively, similar to what olded said, you can check whether the session was logged in by another person: do a 'who am i' (note the spaces) and check that the name isn't 'fred'.

Code:
user=fred
# "who am i" prints the name the terminal was logged in under, so after
# "su - fred" the first field is still the original user, not fred.
if [ "x$user" = "x`who am i | awk '{print $1}'`" ]; then
    echo "Logins disabled"
    exit 1    # ends the login shell (logout is not a Bourne shell builtin)
fi

PS: Do you ever get the feeling that you had a window open last night and were typing, but forgot to submit?
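The two /etc/profile checks in this thread (Ed's tty-ownership test and the 'who am i' test above) rely on the same fact: after "su - fred" the terminal still belongs to, and is recorded in utmp under, the original user. The fragment below is an added example, not code from any of the posters, that folds both ideas into one Bourne-shell check with the decision logic in functions that take their inputs as arguments, so it can be exercised with constructed values. It goes beyond the thread in three ways: it protects a list of accounts rather than just fred, keeps olded's console exception, and adds a helper that recognises the *LK* lock field mrjazz describes (a locked field can never match a typed password, so su from an unprivileged account fails while root's su, e.g. via "sudo su - fred", never prompts). The account list, the sample 'who am i' line and the shadow entries are assumptions/constructed data; the live values come from $LOGNAME, tty(1) and 'who am i'.

```shell
# Added example (not from the thread): /etc/profile fragment for Solaris
# /bin/sh (backticks, no [[ ]]) that denies direct telnet/rlogin logins to
# application accounts but allows "su - <account>" from another user.

# Accounts that may only be reached via su (assumed list).
NO_DIRECT_LOGIN="fred oracle"

# is_protected NAME -> 0 if NAME is in NO_DIRECT_LOGIN
is_protected() {
    for _acct in $NO_DIRECT_LOGIN; do
        if [ "$_acct" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# login_user_from_who "WHO_AM_I_LINE" -> prints the utmp login name.
# "who am i" reports the user the terminal was logged in under; after
# "su - fred" that is still the original user, which is the whole trick.
login_user_from_who() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# direct_login_denied EFFECTIVE_USER LOGIN_USER TTY -> 0 when the session
# must be terminated: the effective account is protected, the terminal was
# logged in as that same account, and it is not the system console.
direct_login_denied() {
    _eff="$1"; _login="$2"; _tty="$3"
    if [ "$_tty" = "/dev/console" ]; then
        return 1    # console logins stay allowed, as in Ed's script
    fi
    if is_protected "$_eff" && [ "$_eff" = "$_login" ]; then
        return 0
    fi
    return 1
}

# shadow_is_locked "SHADOW_LINE" -> 0 if the password field starts with
# *LK* (what "passwd -l" writes on Solaris); constructed lines in the test.
shadow_is_locked() {
    _pw=`printf '%s\n' "$1" | cut -d: -f2`
    case "$_pw" in
        \*LK\**) return 0 ;;
        *)       return 1 ;;
    esac
}

# Live check for /etc/profile. $LOGNAME is set by login(1) and by "su -";
# "who am i" and tty(1) give the terminal's original owner and device.
enforce_no_direct_login() {
    _who=`who am i 2>/dev/null`
    _login=`login_user_from_who "$_who"`
    _tty=`/usr/bin/tty 2>/dev/null`
    if direct_login_denied "$LOGNAME" "$_login" "$_tty"; then
        echo "Direct login as '$LOGNAME' is not authorized; su to it from your own account."
        exit 1    # ends the login shell before the user gets a prompt
    fi
}
```

To deploy, append the fragment to /etc/profile and add a single call to enforce_no_direct_login at the end; csh users are not covered, since csh reads /etc/.login rather than /etc/profile.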
 