scarfone@sybil.cs.Buffalo.EDU (Steve Scarfone) (09/28/90)
Is there a method of restricting root access from the console on a
Decstation 2100? Specifically I'm concerned with a user powering down
a workstation and ^Cing the multi-user boot and having root access.

Removing 'secure' from the console line in /etc/ttys doesn't seem to
solve this particular problem.

If it makes a difference, the 2100's are running Ultrix V3.1D (Rev.
54).

Thanks for any help!

--
Steve Scarfone                  "You keep saying that word.
scarfone@cs.buffalo.edu          I don't think it means what you think it means."
scarfone@sunybcs
uunet!cs.buffalo.edu!scarfone    -The Princess Bride
iglesias@draco.acs.uci.edu (Mike Iglesias) (09/28/90)
In article <37952@eerie.acsu.Buffalo.EDU> scarfone@sybil.cs.Buffalo.EDU (Steve Scarfone) writes:
>
>Is there a method of restricting root access from the console on a
>Decstation 2100? Specifically I'm concerned with a user powering down
>a workstation and ^Cing the multi-user boot and having root access.
>
>Removing 'secure' from the console line in /etc/ttys doesn't seem to
>solve this particular problem.
>
>If it makes a difference, the 2100's are running Ultrix V3.1D (Rev.
>54).

At the end of this message, you'll find something I saved from
comp.sys.dec a while back about this subject.

Mike Iglesias
University of California, Irvine
Internet: iglesias@draco.acs.uci.edu
BITNET:   iglesias@uci
uucp:     ...!ucbvax!ucivax!iglesias

Article 2438 of comp.sys.dec:
Xref: orion.oac.uci.edu comp.sys.dec:2438 comp.unix.ultrix:2880
Path: orion.oac.uci.edu!usc!cs.utexas.edu!mailrus!umich!vela!schemers
From: schemers@vela.acs.oakland.edu (Roland Schemers III)
Newsgroups: comp.sys.dec,comp.unix.ultrix
Subject: Re: Single user booting of DECStations and security
Summary: this works...
Keywords: ultrix 3.0 decstation 2100 3100 security
Message-ID: <597@vela.acs.oakland.edu>
Date: 5 Apr 90 17:06:28 GMT
References: <1990Apr5.123703.2251@maths.tcd.ie>
Reply-To: schemers@vela.acs.oakland.edu (Roland Schemers III)
Organization: Oakland University, Rochester MI
Lines: 74

Hello! The following is a script and a C program that implements
the security you are talking about. It stops someone from booting
in single user mode as root. To boot single user, you have to give
the root's password. I modified it to accept another password, just
in case the passwd file is corrupt, or you forget the root password!!!

-------------------------------------------------------------------------
/*
   Compile it as :
   # cc -s -o /etc/chkpas chkpas.c
   # chmod 700 /etc/chkpas

   Author: Lucian S. Herscovici - DEC France

   Description: Checks password validity for the given user (argument #1).
                If no argument is provided it defaults to ``root''
                The return status is 1 if the password is valid
                                     0 otherwise

   Modified: Roland Schemers, Oakland University
             Add check for SPECIAL password other than root's.
             This might be needed if passwd file becomes corrupt..
*/
#include <pwd.h>
#include <strings.h>
#include <stdio.h>

#define SPECIAL "secret"

main(argc,argv)
int argc;
char *argv[];
{
    static char prompt[80];
    static char pwkey[3];
    static char *user = "root";
    char *pp, *getpass(), *crypt();
    struct passwd *getpwnam(), *pw;

    if (argc>1) user = argv[1];
    /* %.40s bounds the user name so the prompt always fits in prompt[80] */
    sprintf(prompt,"Enter %.40s's password to continue : ",user);
    if ((pp=getpass(prompt)) == NULL) exit(0);
    /* emergency password: accepted without consulting the passwd file */
    if (strcmp(pp,SPECIAL)==0) exit(1);
    if ((pw=getpwnam(user)) == NULL) exit(0);
    /* the first two characters of the stored hash are the crypt() salt */
    strncpy(pwkey,pw->pw_passwd,2);
    pwkey[2]=0;
    if (strcmp(crypt(pp,pwkey),pw->pw_passwd)) exit(0);
    exit(1);
}
-------------------------------------------------
# @(#).profile ULTRXI/ULTRIX WS
# Author : L. Herscovici DEC France
# Loop forever until a legal password is typed in
# (chkpas exits 0 for a wrong password, so the 'then' branch is the failure case)
trap "" 2 0
while :
do
    if /etc/chkpas
    then
        echo 'INCORRECT ** REPEAT PLEASE**'
    else
        echo 'CORRECT : Entering command mode'
        break
    fi
done
echo 'erase ^?, kill ^U, intr ^C'
stty dec prterase new
PATH=/usr/ucb:/bin:/usr/bin:/etc:/usr/local:/usr/new:/usr/hosts:.
export PATH
trap 2 0

--
Roland J. Schemers III                  Systems Programmer
schemers@vela.acs.oakland.edu (Ultrix)  Oakland University
schemers@argo.acs.oakland.edu (VMS)     Rochester, MI 48309-4401
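
In the posted .profile, any non-zero status from /etc/chkpas takes the 'CORRECT' branch, so a checker that cannot be run or that ends abnormally is treated the same as a valid password. The sketch below is an added example, not code from the thread or from DEC: it keeps the thread's exit convention (1 = valid) but grants access only on exactly that status. The function names, the stub checkers and the bounded retry count are assumptions made so it runs without reading a real password.

```sh
#!/bin/sh
# Added example, not from the thread. Convention taken from the posted
# chkpas.c: exit status 1 = password valid, 0 = invalid.

# password_ok CMD [ARGS...]: succeed only if CMD exits with exactly 1.
# 0 (invalid), 126/127 (cannot run) and 128+N (killed by signal N) deny.
password_ok() {
    status=0
    "$@" || status=$?
    [ "$status" -eq 1 ]
}

# gate TRIES CMD [ARGS...]: bounded version of the .profile loop.
# Returns 0 when access is granted, 1 when all tries are used up.
gate() {
    tries=$1
    shift
    # Ignored signals are inherited by the checker, so keyboard interrupt,
    # quit and suspend cannot end it or the loop.
    trap '' INT QUIT TSTP
    granted=1
    while [ "$tries" -gt 0 ]; do
        if password_ok "$@"; then
            granted=0
            break
        fi
        echo 'INCORRECT ** REPEAT PLEASE **' >&2
        tries=$((tries - 1))
    done
    trap - INT QUIT TSTP
    return "$granted"
}

# Constructed stand-ins for /etc/chkpas (hypothetical; no password is read).
stub_valid()   { return 1; }
stub_invalid() { return 0; }
stub_killed()  { sh -c 'kill -KILL $$'; }

# verdict CMD [ARGS...]: print "grant" or "deny" for a single try.
verdict() {
    if gate 1 "$@" 2>/dev/null; then echo grant; else echo deny; fi
}

for c in stub_valid stub_invalid stub_killed /nonexistent/chkpas; do
    printf '%-20s %s\n' "$c" "$(verdict "$c")"
done
```

In a real single-user .profile the stubs would be replaced by the installed checker and the loop would not be bounded.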