[comp.unix.questions] help sought - securing a terminal/line

cszrhodes@qut.edu.au (07/31/90)

I need to secure a terminal (under HP_UX) in such a way that, when a person
comes up and turns that terminal (and only that terminal) on, some application
program is automatically invoked (e.g. oracle). That is, I need to develop 
some 'automatic terminal recognition' software that detects a particular 
terminal line being activated, and then dedicates that terminal/line to a 
user application. 

The idea of securing the terminal is that I never want the user to know 
they are even on a UNIX host. I want to completely hide the OS, its 
functions, commands & file systems from the user. From this 'secure 
terminal' the system should be user tamper proof. Even if their application
program aborts they are not thrown back to the OS, just simply logged
off gracefully!!

e.g. 1. turning on terminal 12 in room M501 starts up 'patient result 
        entry' program (written in oracle);
     2. turning on terminal 5 in room M501 starts up 'patient billing'
        program (written also in oracle);
     and so on....

My supervisor has suggested two approaches for tackling this problem:
a) put the user in a restricted shell if the user logs on from a particular
   terminal, and run the application that is to be dedicated to that 
   terminal.
   i.e. secure a terminal via a restricted shell
   - I don't think this is the best solution even if it is possible, since 
     for a start it doesn't hide the unix login prompt from the user.
     
b) write a terminal driver program to do all this.


I believe that a terminal driver is the way to go.

I welcome discussion on the merits/demerits of each approach, and the 
technical problems to be kept in mind when trying to develop this software.

Other solutions to this problem are also welcome.

Please e-mail your thoughts/advice/solutions to me direct.
I will post summaries of responses back to the net in due course.


regards,
tonyr

pemurray@miavx1.acs.muohio.edu (Peter Murray) (08/06/90)

In article <13089.26b57b8d@qut.edu.au>, cszrhodes@qut.edu.au writes:
> I need to secure a terminal (under HP_UX) in such a way that, when a person
> comes up and turns that terminal (and only that terminal) on, some application
> program is automatically invoked (e.g. oracle). That is, I need to develop 
> some 'automatic terminal recognition' software that detects a particular 
> terminal line being activated, and then dedicates that terminal/line to a 
> user application. 

We are looking at the same problem.  One solution suggested was to put
the name of the program in the "/etc/ttys" file for that particular 
terminal line.  For instance...

  tty01   "/usr/local/lib"    vt100   on modem      # Start LIB software

This would take the place of the getty that is started.

While we haven't tried this yet, I can't see why it wouldn't work.

Peter
-- 
Peter Murray            Neat UNIX Stunts #5:             pemurray@miavx1.bitnet
215 Foxfire Dr #308  sh> drink <bottle; opener    murrayp@apsvax.aps.muohio.edu
Oxford, OH 45056                       NeXT Mail:  pmurray@next4.acs.muohio.edu

tif@doorstop.austin.ibm.com (Paul Chamberlain) (08/06/90)

In article <13089.26b57b8d@qut.edu.au> cszrhodes@qut.edu.au writes:
>I need to secure a terminal (under HP_UX) in such a way that, when a person
>comes up and turns that terminal (and only that terminal) on, some application
>program is automatically invoked (e.g. oracle).

Under Unix-like OS's, you can run any program you like in place of the login
by modifying the /etc/inittab file.  Under Xenix there is a somewhat obscure
thing you can do in /etc/gettydefs to cause a program besides getty to run.

Someone else posted something about /etc/ttys.  I think the above info is
correct.

Paul Chamberlain | I do NOT represent IBM         tif@doorstop, sc30661@ausvm6
512/838-7008     | ...!cs.utexas.edu!ibmaus!auschs!doorstop.austin.ibm.com!tif

guy@auspex.auspex.com (Guy Harris) (08/07/90)

>We are looking at the same problem.  One solution suggested was to put
>the name of the program in the "/etc/ttys" file for that particular 
>terminal line.

If you have a 4.3BSD-style "/etc/ttys" file.  HP-UX probably has
"/etc/inittab" instead, which permits much the same thing to be done,
albeit with a different syntax.  S5's "init", not being as oriented
towards tty ports as is 4.3BSD's, will not automatically pass the tty
device name as an argument, as 4.3BSD's does; you have to pass it
explicitly.

In *both* cases, the program itself has to open the serial port (and
almost certainly wants to open it for reading/writing as file descriptor
0 and then dup it to FDs 1 and 2), and put it in the appropriate mode. 
It also may want to find out what kind of terminal is on that port, and
set the TERM environment variable appropriately.

pemurray@miavx1.acs.muohio.edu (Peter Murray) (08/07/90)

In article <2065.26bc4831@miavx1.acs.muohio.edu>, pemurray@miavx1.acs.muohio.edu (Peter Murray) writes:
> In article <13089.26b57b8d@qut.edu.au>, cszrhodes@qut.edu.au writes:
>> I need to secure a terminal (under HP_UX) in such a way that, when a person
>> comes up and turns that terminal (and only that terminal) on, some application
>> program is automatically invoked (e.g. oracle). That is, I need to develop 
>> some 'automatic terminal recognition' software that detects a particular 
>> terminal line being activated, and then dedicates that terminal/line to a 
>> user application. 
> 
> We are looking at the same problem.  One solution suggested was to put
> the name of the program in the "/etc/ttys" file for that particular 
> terminal line.  For instance...
> 
>   tty01   "/usr/local/lib"    vt100   on modem      # Start LIB software

This solution won't work.  I think you need to have a front end "getty"
to wait until a connection is made, and then exec the appropriate
program.  I'm trying to modify "getty" now to do this, but if anyone
else has a solution, please speak up!  Thanks.

Peter
-- 
Peter Murray            Neat UNIX Stunts #1:             pemurray@miavx1.bitnet
215 Foxfire Dr #308        csh> make love         murrayp@apsvax.aps.muohio.edu
Oxford, OH 45056                       NeXT Mail:  pmurray@next4.acs.muohio.edu

cudcv@warwick.ac.uk (Rob McMahon) (08/07/90)

In article <2080.26bda857@miavx1.acs.muohio.edu> pemurray@miavx1.acs.muohio.edu (Peter Murray) writes:
>> One solution suggested was to put the name of the program in the
>> "/etc/ttys" file for that particular terminal line.  For instance...
>> 
>>   tty01   "/usr/local/lib"    vt100   on modem      # Start LIB software
>
>This solution won't work.  I think you need to have a front end "getty" to
>wait until a connection is made, and then exec the appropriate program.  I'm
>trying to modify "getty" now to do this, but if anyone else has a solution,
>please speak up!  Thanks.

Assuming we're talking BSD here (that certainly looks like a 4.3 /etc/ttys
file to me ...), can't you just use the `lo' gettytab entry for this:

      lo    str    /usr/bin/login   program to exec when name obtained

Cheers,

Rob
--
UUCP:   ...!mcsun!ukc!warwick!cudcv	PHONE:  +44 203 523037
JANET:  cudcv@uk.ac.warwick             INET:   cudcv@warwick.ac.uk
Rob McMahon, Computing Services, Warwick University, Coventry CV4 7AL, England

guy@auspex.auspex.com (Guy Harris) (08/08/90)

>>   tty01   "/usr/local/lib"    vt100   on modem      # Start LIB software
>
>This solution won't work.  I think you need to have a front end "getty"
>to wait until a connection is made, and then exec the appropriate
>program.

Or you can make the application in question do what "getty" does - after
all, if that solution wouldn't work for *any* program, you'd have to
have a front end "getty" to wait for the connection and then run
"getty", "getty" being a program....

guy@auspex.auspex.com (Guy Harris) (08/08/90)

>Under Unix-like OS's, you can run any program you like in place of the login
>by modifying the /etc/inittab file.  Under Xenix there is a somewhat obscure
>thing you can do in /etc/gettydefs to cause a program besides getty to run.
>
>Someone else posted something about /etc/ttys.  I think the above info is
>correct.

The above info is correct for UNIX-like systems that have "/etc/inittab"
files (assuming "the login" actually refers to "getty", which is
normally what is run out of "/etc/inittab" for most ports).

For UNIX-like systems with 4.3BSD-style "/etc/ttys" files (even if
called "/etc/ttytab", as was done in SunOS for binary-compatibility
reasons), the info posted about "/etc/ttys" is correct. 

For UNIX-like systems with "ttymon", such as System V Release 4, I think
there's some other magic you can do to arrange that "ttymon" run your
program when the port starts up.

pemurray@miavx1.acs.muohio.edu (Peter Murray) (08/08/90)

In article <1990Aug7.111611.434@warwick.ac.uk>, cudcv@warwick.ac.uk (Rob McMahon) writes:
> Assuming we're talking BSD here (that certainly looks like a 4.3 /etc/ttys
> file to me ...), can't you just use the `lo' gettytab entry for this:
> 
>       lo    str    /usr/bin/login   program to exec when name obtained

Yes, I'm dealing with BSD (Ultrix, to be exact).

Well, this will work, except that getty will still ask for the username,
and pass that as an argument to the program defined as "lo" above.  I
would just like users to connect to the tty and automatically be dumped
in the application without "logging in".

Guy Harris made an excellent suggestion...modify the source code to do
the things that getty does.  Unfortunately, this is not an option.

What I've done is ported getty from a SysV source that I have (believe it
or not, it works with only one change), and I'm now in the process of taking
out the lines (the part where it asks for the user ID and other unneeded
functions) that are not needed.  Hopefully it'll work when I'm done messing
around.

Does anyone have a pointer to the source code for a BSD version of getty?

Peter
-- 
Peter Murray	                       215 Foxfire Dr #308, Oxford, Ohio  45056
ACS Consultant                                           pemurray@miavx1.bitnet
APSVAX/APSTWR Manager                             murrayp@apsvax.aps.muohio.edu
Miami University                      NeXT Mail:  pemurray@next4.acs.muohio.edu

bin@primate.wisc.edu (Brain in Neutral) (08/09/90)

From article <2103.26bf3e39@miavx1.acs.muohio.edu>, by pemurray@miavx1.acs.muohio.edu (Peter Murray):
> Well, this will work, except that getty will still ask for the username,
> and pass that as an argument to the program defined as "lo" above.  I
> would just like users to connect to the tty and automatically be dumped
> in the application without "logging in".

I had a similar problem, which I compromised on.  Instead of fooling around
and spending a lot of time, I used "lo" to start a different program,
and modified "lm" (login message) to tell the user what username to type.
They still have to type that name, but at least they know what.

Not the greatest, but it worked and it was quick to do.

Paul DuBois
dubois@primate.wisc.edu

peter@ficc.ferranti.com (Peter da Silva) (08/09/90)

In article <3846@auspex.auspex.com>, guy@auspex.auspex.com (Guy Harris) writes:
> For UNIX-like systems with "ttymon", such as System V Release 4, I think
> there's some other magic you can do to arrange that "ttymon" run your
> program when the port starts up.

You're saying V.4 doesn't use inittab?

Um, this is not good. The flexibility of inittab has been very helpful. I
don't want to go back to kludging a login or getty front-end again.

What else does V.3.2 have that V.4 hasn't?
-- 
Peter da Silva.   `-_-'
+1 713 274 5180.   'U`
<peter@ficc.ferranti.com>

goudreau@larrybud.rtp.dg.com (Bob Goudreau) (08/10/90)

In article <=D25VBE@xds13.ferranti.com>, peter@ficc.ferranti.com (Peter da Silva) writes:
> In article <3846@auspex.auspex.com>, guy@auspex.auspex.com (Guy Harris) writes:
> > For UNIX-like systems with "ttymon", such as System V Release 4, I think
> > there's some other magic you can do to arrange that "ttymon" run your
> > program when the port starts up.
> 
> You're saying V.4 doesn't use inittab?

Nope, he didn't say that.

 
> Um, this is not good. The flexibility of inittab has been very helpful. I
> don't want to go back to kludging a login or getty front-end again.

Fear not; the V.4 init still understands inittab.  All Guy was
referring to was the advent of ttymon, a STREAMS-based tty port
monitor that provides a more convenient way to deal with terminals
than the old inittab method.

------------------------------------------------------------------------
Bob Goudreau				+1 919 248 6231
Data General Corporation
62 Alexander Drive			goudreau@dg-rtp.dg.com
Research Triangle Park, NC  27709	...!mcnc!rti!xyzzy!goudreau
USA

guy@auspex.auspex.com (Guy Harris) (08/11/90)

>You're saying V.4 doesn't use inittab?

I'm saying it doesn't necessarily run "getty" out of "inittab".

>Um, this is not good. The flexibility of inittab has been very helpful. I
>don't want to go back to kludging a login or getty front-end again.

Um, this is not good.  You're making some inferences that aren't
justified based purely on what I said, and that aren't, in fact,
correct....

"ttymon" will listen on a whole bunch of ports, and spin off a process
when the port comes up.  The process can run whatever program you want
it to.

You can also run "getty" out of "inittab", if you want to, or any other
program.

>What else does V.3.2 have that V.4 hasn't?

A shared library mechanism that requires you to explicitly ask for the
shared version of a library, for one thing....  (S5R4's, like the SunOS
4.x one from which it's derived, gives you the shared library by default
if there is one.)

Go buy the S5R4 documentation - or some subset thereof, the entire
documentation set is rather expensive and only crazy completists like me
buy it out of our own pockets.

guy@auspex.auspex.com (Guy Harris) (08/11/90)

>Fear not; the V.4 init still understands inittab.  All Guy was
>referring to was the advent of ttymon, a STREAMS-based tty port
>monitor that provides a more convenient way to deal with terminals
>than the old inittab method.

And also gives you a few additional bells and whistles, such as
autobauding (not the bit where you hit BREAK to get it to cycle through
speeds, although "ttymon" does support that, but the bit where you type
a character and, based on what the character looked like, "ttymon"
guesses the speed of the line; same sort of thing as the 4.[23]BSD "getty"
supports).  It does permit you to run some program other than "login"
on some port when it comes up.

gt0178a@prism.gatech.EDU (BURNS,JIM) (08/11/90)

in article <2103.26bf3e39@miavx1.acs.muohio.edu>, pemurray@miavx1.acs.muohio.edu (Peter Murray) says:
> In article <1990Aug7.111611.434@warwick.ac.uk>, cudcv@warwick.ac.uk (Rob McMahon) writes:
>> Assuming we're talking BSD here (that certainly looks like a 4.3 /etc/ttys
>> file to me ...), can't you just use the `lo' gettytab entry for this:
>>       lo    str    /usr/bin/login   program to exec when name obtained
> Yes, I'm dealing with BSD (Ultrix, to be exact).

Umm, the original poster (Tony Rhodes?) specifically asked for an HP-UX
solution. In that case, altho' /etc/ttys exists, /etc/inittab would be the
most appropriate solution since it avoids getty clones, and allows you to
automatically respawn the app. [Oracle, etc.] if it aborts. One possible
disadvantage is stty settings may not be correct if getty/login don't run
first. (I've been bit by this on HP-UX.) However, since the original poster
mentioned the need for several different Oracle apps., this could be
handled by embedding the appropriate command tail option in a script that
also runs stty (and probably should also do something like 'trap "exit" 2
3' to prevent breaking out before Oracle starts - the inittab respawn will
then restart it). At a minimum on HP-UX, you will need to do an 'stty icrnl
ocrnl ixon'. One more point - as of HP-UX 7.0 (6.5?) if you need to do a
set[gu]id on the script, the first line MUST be '#!/bin/ksh' (or what ever
shell you want).
-- 
BURNS,JIM
Georgia Institute of Technology, Box 30178, Atlanta Georgia, 30332
uucp:	  ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!gt0178a
Internet: gt0178a@prism.gatech.edu
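Guy Harris's description of what a getty replacement must do (open the line read/write as file descriptors 0, 1 and 2, put it in the right mode, set TERM) and Jim Burns's HP-UX route (run it from inittab with respawn, after the stty settings above) come together in this added example, which is not code from the thread or from any of the posters. The device path, terminal type, application path, 9600 baud and the unprivileged uid/gid are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Assumed unprivileged account for the dedicated application; init runs
 * this program as root and the application should not inherit that. */
#define APP_UID 5001
#define APP_GID 5001

/* Open the line read/write. After setsid(), a plain open() of a terminal
 * makes it the controlling tty on System V-style systems (4.3BSD wants a
 * TIOCSCTTY ioctl instead). Returns the descriptor or -1. */
int open_line(const char *dev) {
    return open(dev, O_RDWR);
}

/* Cooked line discipline: the icrnl/ixon settings mentioned for HP-UX
 * above, NL->CR-NL on output, echo, canonical editing, signal characters,
 * 8 bits and CLOCAL for a hardwired terminal (clear CLOCAL on a modem
 * line so carrier loss ends the session). Pure computation on the struct. */
void cooked_termios(struct termios *t, speed_t speed) {
    memset(t, 0, sizeof *t);
    t->c_iflag = ICRNL | IXON;
    t->c_oflag = OPOST | ONLCR;
    t->c_cflag = CS8 | CREAD | CLOCAL | HUPCL;
    t->c_lflag = ISIG | ICANON | ECHO | ECHOE | ECHOK;
    t->c_cc[VINTR] = 003;    /* ^C */
    t->c_cc[VEOF] = 004;     /* ^D */
    t->c_cc[VERASE] = 0177;  /* DEL */
    t->c_cc[VKILL] = 025;    /* ^U */
    cfsetispeed(t, speed);
    cfsetospeed(t, speed);
}

/* Make the line stdin, stdout and stderr, as getty does, so the exec'd
 * application talks to this terminal and nothing else. 0 on success. */
int attach_std_fds(int fd) {
    for (int target = 0; target < 3; target++)
        if (fd != target && dup2(fd, target) < 0) return -1;
    if (fd > 2) close(fd);
    return 0;
}

/* usage: ttyapp /dev/ttyXX TERMTYPE /path/to/app [args...] */
int main(int argc, char **argv) {
    if (argc < 4) return 2;
    setsid();                     /* own session, so the line can become ours */
    int fd = open_line(argv[1]);  /* on a modem line this blocks until carrier */
    if (fd < 0 || !isatty(fd) || attach_std_fds(fd) < 0) return 1;
    struct termios t;
    cooked_termios(&t, B9600);
    if (tcsetattr(0, TCSANOW, &t) < 0) return 1;
    if (setgid(APP_GID) < 0 || setuid(APP_UID) < 0) return 1;
    /* Minimal environment: only TERM and a fixed PATH reach the application. */
    char term[64];
    snprintf(term, sizeof term, "TERM=%s", argv[2]);
    char *envp[] = { term, "PATH=/bin:/usr/bin", NULL };
    execve(argv[3], argv + 3, envp);
    /* Reached only if exec failed: exiting hands the line back to init,
     * which respawns the entry; the terminal is never offered a shell. */
    return 1;
}
```

Run it as a respawn entry in /etc/inittab, for instance `t12:2:respawn:/usr/local/bin/ttyapp /dev/tty12 hp /usr/local/bin/patient-entry` (id, run level, paths and terminal type are placeholders); because the program execs the application, an abort simply returns the line to init for respawning and no login prompt or shell ever appears.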

les@chinet.chi.il.us (Leslie Mikesell) (08/14/90)

In article <3868@auspex.auspex.com> guy@auspex.auspex.com (Guy Harris) writes:

[ttymon]
>And also gives you a few additional bells and whistles, such as
>autobauding (not the bit where you hit BREAK to get it to cycle through
>speeds, although "ttymon" does support that, but the bit where you type
>a character and, based on what the character looked like, "ttymon"
>guesses the speed of the line; same sort of thing as the 4.[23]BSD "getty"
>supports).

Does anything support the now-ubiquitous devices that announce the connection
speed in ASCII before bringing up CD or does everyone still have to
write their own code for this if they don't want the users to have to
send something before getting the login prompt?

Les Mikesell
  les@chinet.chi.il.us

pemurray@miavx1.acs.muohio.edu (Peter Murray) (08/17/90)

In article <1990Aug14.161816.3450@chinet.chi.il.us>, les@chinet.chi.il.us (Leslie Mikesell) writes:
> Does anything support the now-ubiquitous devices that announce the connection
> speed in ASCII before bringing up CD or does everyone still have to
> write their own code for this if they don't want the users to have to
> send something before getting the login prompt?

I found the source code for AGETTY, an alternative getty for SYSV, at
gatekeeper.dec.com (anonymous FTP) when I was working with this problem 
before.  This program should do the trick for you, and it is (relatively) 
easy to port it to BSD, if you need to.

Peter
-- 
Peter Murray            Neat UNIX Stunts #7:             pemurray@miavx1.bitnet
215 Foxfire Dr #308         csh> %blow            murrayp@apsvax.aps.muohio.edu
Oxford, OH 45056                       NeXT Mail:  pmurray@next4.acs.muohio.edu

joe@robin.SanDiego.NCR.COM (Joe.Fernandez) (08/17/90)

In article <=D25VBE@xds13.ferranti.com> peter@ficc.ferranti.com (Peter da Silva) writes:
>In article <3846@auspex.auspex.com>, guy@auspex.auspex.com (Guy Harris) writes:
>> For UNIX-like systems with "ttymon", such as System V Release 4, I think
>> there's some other magic you can do to arrange that "ttymon" run your
>> program when the port starts up.
>
>You're saying V.4 doesn't use inittab?
>
>Um, this is not good. The flexibility of inittab has been very helpful. I
>don't want to go back to kludging a login or getty front-end again.

inittab still exists in SVR4. ttymon is a STREAMS-based port monitor
that detects connection requests on the tty ports. It replaces the 
getty processes. SVR4 now has one process doing the work that lots of
getty processes had to do in pre-SVR4. A connection request
is when one non-break char followed by a new line char is received on
the port. When ttymon detects the connection request it executes the 
service process that has been configured for that port. One example of
a service process is our old friend the login process. But you can create
your own specific service process. This is unlike pre-SVR4 where the only
service process that can be invoked from getty is 'login'. 

inittab starts the ttymon and any other port monitors (e.g., listen) that
may exist on the system. Users can develop their own port monitors.

--Hope this helps
============================================================================
Joe Fernandez                               NCR Corporation, MS# 9140       
(619) 485-2186                              16550 W. Bernardo Dr.
uunet!ncrlnk!ncr-sd!iss-rb!robin!joe        San Diego, CA 92127

rnews@qut.edu.au (09/14/90)

Thank you very much to all who responded to my request for advice 
on securing a terminal/line under hp-ux 7.0

I am just starting to sift through all the responses now.
Should anyone wish a copy of the responses received, please e-mail me and I 
will send you a copy by return e-mail rather than clogging up the network.

Many thanks to these people. Apologies if I have forgotten someone.

regards

Tony Rhodes,
Information Security Research Center
Queensland University of Technology
Brisbane, Queensland, AUSTRALIA.