galvin-peter@cs.yale.edu (Peter Baer Galvin) (12/04/88)
It depends on the version of SunOS you are running.

Under 4.0 official support is provided: in the /etc/ttytab file of the client, make sure the console is NOT set secure. Then

touch /etc/securetty

A root password will then be needed before a single user boot is allowed. Failure to give the root password will result in a multi-user boot.

On "lesser" versions, you can put the command

login root

as the first line of the file /.profile, but only if root uses the csh shell by default. Booting single user runs a Bourne shell, in which case the .profile file is read and a root login required. Note that this isn't as secure as the 4.0 method. Also note that if the root password is not provided, a multi-user boot is done WITHOUT an fsck being done on the client's disks - which is somewhat undesirable.

As an aside, it should be noted that no matter what, a system isn't secure if its console isn't. Even under SunOS 4.0 it is possible to break into a system (even with security options set) if a system breaker has access to the workstation console. I know of one method in particular that a coworker here discovered. I'll try to get him to post the method to the newly restarted security mailing list, since there's a fix to at least make the job harder.

--Peter

Peter Baer Galvin (203)432-1254
Senior Systems Programmer, Yale Univ. C.S. galvin-peter@cs.yale.edu
51 Prospect St, P.O.Box 2158, Yale Station ucbvax!decvax!yale!galvin-peter
New Haven, Ct 06457 galvin-peter@yalecs.bitnet
dieter@titan.nmt.edu (12/09/88)
> How can I set the system to ask for the root passwd, when booting single
> user ?

% cat /.profile
PATH=/usr/local:/etc:/usr/etc:/usr/ucb:/usr/bin:/bin:.
export PATH TERM
trap exit 2 3 15
login root

Works for us pretty well. You might want to remove the "." from the PATH=, though.

Dieter
--
Welcome to the island. You are number six.
dieter%nmt@relay.cs.net dieter@jupiter.nmt.edu
13501RP@MSU.BITNET (Raman Padmanabhan) (12/10/88)
Include the following line in .profile:

login root
henkbo@uunet.uu.net (Henk Boetzkes) (12/12/88)
Danielle Heinzer:
>...
> How can I set the system to ask for the root passwd, when booting single
> user ?

It's simple, by (mis)using your /.profile !!! Let's see if we can make one?

#
stty -echo kill u intr u susp u dsusp u quit u stop u
PATH=/etc:/usr/etc:/usr/ucb:/bin:/usr/bin:.
echo ""
echo -n " Enter password "
read ans
echo ""
if [ .$ans != ".tulip" ]
then
echo "";echo " ILLEGAL USER"
/etc/halt
else
stty echo kill \^u intr \^c susp \^z dsusp \^y stop \^s quit \^\\
stty dec
export TERM
echo "password o.k."
fi

So, if we now do a 'chmod 500 /.profile', shut the client down and do a boot -s, we have to use the password "tulip" to perform a full single-user boot.

Henk.A.P.A. Boetzkes # E.D.P. N.P.B. Consumer Electronics
PO. BOX 218 5600 MD Eindhoven, The Netherlands # Building SK4, Room 416
+31 40 735983 # !uunet! -> mcvax!philmds!philce!henkbo
dave@jupiter.nmt.edu (Dave Becker) (12/13/88)
We've been using the following technique for several years without any problems, but I don't guarantee it: put the following in the file "/.profile":

trap exit 2 3 15
PATH=/etc:/usr/bin:/bin:/usr/ucb
login root

This causes the system to prompt for the root password when booting single-user, and, if it doesn't get it, it immediately boots multi-user instead. **This assumes that root's shell is "/bin/csh"!!** If it's /bin/sh, you won't like this "solution". The login will time out in 60 seconds, so don't be slow if you mean to boot single user.

Of course, SunOS 4.0 can be configured to require the root password anyway, so this technique is already pretty dated.

dave
--
David C. Becker, "Sys Prog/Anal"
New Mexico Tech Computer Center
Socorro, New Mexico 87801 [505] 835-5662
Internet: dave@nmt.edu CSNET: dave@nmtsun UUCP: ...!nmtsun!dave
``What are our schools for if not indoctrination against Communism?'' --- Richard M. Nixon
wwtz@uunet.uu.net (Wolfgang Wetz) (12/16/88)
galvin-peter@cs.yale.edu (Peter Baer Galvin) writes:
>On "lesser" versions, you can put the command
>
> login root
>
>as the first line of the file /.profile but only if root uses the csh
>shell by default....

WARNING: Do not do this: if you let '/bin/login root' just timeout you are in single user mode (at least that is the case under SunOS 3.4 and 3.5).

Wolfgang Wetz, Systems Administrator, Scientific Computing Centre
c/o CIBA-GEIGY AG, R-1045.330, CH-4002 Basel, Switzerland
Internet: wwtz%cgch.uucp@uunet.uu.net UUCP: wwtz@cgch.uucp
Phone: (+41) 61 697 54 25 BITNET: wwtz%cgch.uucp@cernvax.bitnet
Fax: (+41) 61 697 32 88
mlandau@bbn.com (Matt Landau) (12/17/88)
For what it's worth, here's what we use as root's /.profile on some of our SunOS 3.X systems, to keep random people from being able to boot single user.

/Matt

--- CUT HERE ---
trap "" 1 2     # Now that that's out of the way...
# This is the .profile for root. It will require the root password before
# you get a shell running singleuser.
# This expects that you have an entry for "nobody" in your /etc/passwd file.
# It should look like:
# nobody:*:-2:-2::/tmp:
PATH=/:/bin:/etc:/usr/ucb:/usr/bin; export PATH
if mount | grep -s /usr
then
MULTIUSER=YES
else
MULTIUSER=NO
fi
case $MULTIUSER in
NO) # Singleuser: require a password if we haven't already
cat /dev/null >.rootNG
while [ -f .rootNG ]
do
su nobody -c 'su root -c "rm .rootNG"'
done
;;
esac
trap 1 2     # We can put these back now
THISHOST=`hostname`
stty new erase \^h kill \^u intr \^c ff0 nl0 bs1 tabs decctlq ctlecho
PS1="${THISHOST}-> " ; PS2='Continued -->> ' ; export PS1 PS2
case $MULTIUSER in
YES) TERM=unknown
until [ "$TERM" != unknown ]
do
eval `tset -s \?vt100`
done
esac
karl@cis.ohio-state.edu (Karl Kleinpaste) (12/17/88)
dieter@titan.nmt.edu writes:
> How can I set the system to ask for the root passwd, when booting single
> user ?
>
> % cat /.profile
> PATH=/usr/local:/etc:/usr/etc:/usr/ucb:/usr/bin:/bin:.
> export PATH TERM
> trap exit 2 3 15
> login root

There is a very small/short window of vulnerability, while sh is starting up and evaluating the PATH= and export lines. It is very, *very* small and hence in practice is no problem. But the hole is still there in this example. Give a determined abuser a few hours and he may succeed.

We accomplish approximately the same thing with a program /bin/singleuser which protects itself from all `reasonable' signals and then demands the root password, with an N-minute timeout (don't remember N just now). It's the 1st line in /.profile.

--Karl
mhyman@sun.com (Marco S. Hyman) (12/22/88)
A method better than a vanilla "login root" in /.profile is:

trap "" 1 2 3 15
while true; do
/bin/login root
done

This assumes the default Bourne Shell is used.

--Marc
.....
Marco S. Hyman
UUCP: ...!sun!sfsun!hsfmsh!mhyman
Domain: sfsun!hsfmsh!mhyman@sun.com
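The following is an added example, not code posted by anyone in this thread, that combines the two corrections made above: Wolfgang Wetz's point that a timed-out login(1) leaves you in single-user mode (so the check must loop, as in Marco Hyman's version), and Karl Kleinpaste's point that anything evaluated before the trap is installed is an unprotected window (so the trap must be the very first statement). The function names `require_root_password` and `single_user_profile` and the CHECKER parameter are assumptions for this example; the password checker itself is passed in as a command (for instance the `/etc/secure` or `/etc/checkpass root` programs posted later in this thread) so the control flow can be exercised offline with a stub.

```shell
#!/bin/sh
# Added example: skeleton of a root /.profile guard for single-user boot.
# Not from any post in this thread; CHECKER is whatever program exits 0
# only when the correct root password was typed.

# require_root_password CHECKER [MAX_TRIES]
#   Runs CHECKER until it succeeds. MAX_TRIES of 0 (the default) loops
#   forever, like "checkpass -l": a failed or timed-out attempt never
#   falls through to a shell. Returns 0 on success, 1 when MAX_TRIES
#   attempts all failed.
require_root_password() {
    checker=$1
    max=${2:-0}
    tries=0
    while :; do
        # unquoted on purpose: "/etc/checkpass root" splits into cmd + arg
        if $checker; then
            return 0
        fi
        tries=$((tries + 1))
        if [ "$max" -gt 0 ] && [ "$tries" -ge "$max" ]; then
            return 1
        fi
    done
}

# single_user_profile CHECKER [MAX_TRIES]
#   What the top of /.profile looks like. The trap is the first statement
#   so there is no window in which ^C or a hangup reaches the shell
#   before the guard is armed; PATH and stty come only afterwards.
single_user_profile() {
    trap '' 1 2 3 15                                    # ignore HUP INT QUIT TERM
    stty intr undef quit undef susp undef 2>/dev/null || :   # no keyboard escape
    PATH=/etc:/usr/etc:/bin:/usr/bin; export PATH
    if require_root_password "$1" "$2"; then
        stty intr '^c' quit '^\' susp '^z' 2>/dev/null || :  # restore keys
        echo "single user mode"
        return 0
    fi
    echo "bad password"
    # a real /.profile would run /etc/halt here; the example just reports
    return 1
}
```

With MAX_TRIES left at 0 the guard behaves like the looping versions in this thread and can only be satisfied by the password (or by booting from other media); a small positive MAX_TRIES gives the halt-on-failure behaviour of the /etc/secure style instead.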
aco@TAURUS.BITNET (12/22/88)
Here is another solution to the singleuser problem. It assumes root has
/bin/csh as its shell in /etc/passwd. Instead of using 'login root' a
small program, 'secure', (described below) is used. Secure doesn't time
out as login does, thus no single user boot is possible unless you know
root's password (or somebody discovers another hole...)
Note that as a 'side effect', root's password will be asked for on the
console before going into singleuser mode (when performing shutdown, for
instance).
The following should be inserted to /.profile
____________________ cut here
stty intr u susp u dsusp u quit u
echo ""
if /etc/secure
then
stty intr \^c susp \^z dsusp \^y quit \^\\
echo single user mode
else
echo bad password
/etc/halt
fi
____________________ cut here
The following is the source of /etc/secure. The compiled program must be
placed somewhere in the root file system (I used /etc). (Don't forget to
change its name in /.profile if you place it in a different location).
The program asks for the root password and compares it to the root
password in /etc/passwd (YP is not used in this case).
____________________ cut here
#include <pwd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>     /* exit */
#include <unistd.h>     /* getpass */

char *crypt(const char *, const char *);   /* link with -lcrypt where needed */

int main(void) {
    struct passwd *pwd;
    char *p, *n;

    /* root's entry comes from /etc/passwd (YP is not consulted) */
    if ((pwd = getpwnam("root")) == NULL) exit(1);
    p = getpass("Password:");             /* read without echo */
    n = crypt(p, pwd->pw_passwd);         /* hash with the stored salt */
    /* exit status 0 only on a match: /.profile tests it with "if /etc/secure" */
    if (n == NULL || strcmp(n, pwd->pw_passwd)) exit(1);
    exit(0);
}
____________________ cut here
Beware: if /etc/secure is not present - you cannot perform singleuser
boot. Multiuser boot should work fine.
Ariel Cohen
Tel-Aviv university
Math school, CS-LAB
greg@lbl-csam.arpa (Greg Ward) (12/25/88)
Since using /bin/login in /.profile has numerous problems already mentioned, such as timing out if not execed and booting multiuser without repairing the filesystem otherwise, I have written a simple C program to block until the user enters the correct password. I have installed it as /etc/checkpass under 3.5, and the -l option tells the program to loop until the correct password is entered. By default, it simply returns a status indicating whether the password entered was correct. I don't know about using this with yellow pages, since it reads /etc/passwd to do the check.

First, compile the program:

cc -O -n -s checkpass.c -o /etc/checkpass

Then, insert this line (early) in /.profile:

/etc/checkpass -l root

When the machine boots singleuser, the program will set raw mode, block signals, and prompt the user for the root password. If it is entered incorrectly, it simply repeats the prompt. Note that this has the same benefits and hazards of the 4.0 security lockout, namely an inability to fix a busted or forgotten root password without booting from tape!

This software is public domain and as is...

------------------------ CUT HERE -----------------------------
/*
 * checkpass.c - Verify password.
 *
 * 4/20/88
 * Greg Ward
 */
#include <stdio.h>
#include <signal.h>
#include <pwd.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

char *crypt(const char *, const char *);   /* link with -lcrypt where needed */

static void usage(char *progname);

int main(int argc, char *argv[])
{
    static char prompt[64] = "Password for ";
    int loop = 0;
    struct passwd *pwd;
    sigset_t all;
    char *hash;
    int i;

    /* block signals so the prompt cannot be escaped
     * (the original used the BSD sigsetmask(~0)) */
    sigfillset(&all);
    sigprocmask(SIG_BLOCK, &all, NULL);

    /* get arguments: optional -l, then exactly one login name */
    for (i = 1; i < argc; i++)
        if (!strcmp(argv[i], "-l"))
            loop++;
        else
            break;
    if (i != argc - 1)
        usage(argv[0]);
    pwd = getpwnam(argv[i]);            /* get password entry */
    if (pwd == NULL) {                  /* bad user name */
        fputs(argv[i], stderr);
        fputs(": unknown login\n", stderr);
        exit(1);
    }
    /* bounded append so a long login name cannot overrun prompt[] */
    strncat(prompt, pwd->pw_name, sizeof(prompt) - strlen(prompt) - 2);
    strcat(prompt, ":");
    do {                                /* check password */
        hash = crypt(getpass(prompt), pwd->pw_passwd);
        if (hash != NULL && !strcmp(pwd->pw_passwd, hash))
            exit(0);
    } while (loop);                     /* -l: prompt again on failure */
    exit(2);                            /* fail */
}

static void usage(char *progname)
{
    fputs("Usage: ", stderr);
    fputs(progname, stderr);
    fputs(" [-l] logname\n", stderr);
    exit(1);
}