Restricting root access from console

Mike Iglesias iglesias at draco.acs.uci.edu
Fri Sep 28 06:00:36 AEST 1990


In article <37952 at eerie.acsu.Buffalo.EDU> scarfone at sybil.cs.Buffalo.EDU (Steve Scarfone) writes:
>
>Is there a method of restricting root access from the console on a
>Decstation 2100?  Specifically I'm concerned with a user powering down
>a workstation and ^Cing the multi-user boot and having root access.
>
>Removing 'secure' from the console line in /etc/ttys doesn't seem to
>solve this particular problem.
>
>If it makes a difference, the 2100's are running Ultrix V3.1D (Rev.
>54).

At the end of this message, you'll find something I saved from comp.sys.dec
a while back about this subject.


Mike Iglesias
University of California, Irvine
Internet:    iglesias at draco.acs.uci.edu
BITNET:      iglesias at uci
uucp:        ...!ucbvax!ucivax!iglesias


Article 2438 of comp.sys.dec:
Xref: orion.oac.uci.edu comp.sys.dec:2438 comp.unix.ultrix:2880
Path: orion.oac.uci.edu!usc!cs.utexas.edu!mailrus!umich!vela!schemers
From: schemers at vela.acs.oakland.edu (Roland Schemers III)
Newsgroups: comp.sys.dec,comp.unix.ultrix
Subject: Re: Single user booting of DECStations and security
Summary: this works...
Keywords: ultrix 3.0 decstation 2100 3100 security
Message-ID: <597 at vela.acs.oakland.edu>
Date: 5 Apr 90 17:06:28 GMT
References: <1990Apr5.123703.2251 at maths.tcd.ie>
Reply-To: schemers at vela.acs.oakland.edu (Roland Schemers III)
Organization: Oakland University, Rochester MI
Lines: 74

Hello! The following is a script and a C program that implements the
security you are talking about. It stops someone from booting in single 
user mode as root. To boot single user, you have to give the root's
password. I modified it to accept another password, just in case the
passwd file is corrupt, or you forget the root password!!!

-------------------------------------------------------------------------

/* Compile it as :
    # cc -s -o /etc/chkpas chkpas.c
    # chmod 700 /etc/chkpas
    Author: Lucian S. Herscovici - DEC France
    Description:
    	Checks password validity for the given user (argument #1). If no
    argument is provided it defaults to ``root''
    	The return status is 1 if the password is valid 0 otherwise

    Modified: Roland Schemers, Oakland University
	      Add check for SPECIAL password other than root's.
	      This might be needed if passwd file becomes corrupt..
 */
#include <pwd.h>
#include <strings.h>
#include <stdio.h>               

#define SPECIAL	"secret"

main(argc,argv)
int argc;
char *argv[];
{
	static char prompt[80];
	static char pwkey[3];
	static char *user = "root";
	char *pp, *getpass(), *crypt();
	struct passwd *getpwnam(), *pw;

	if (argc>1) user = argv[1];
	sprintf(prompt,"Enter %s's password to continue : ",user);
	if ((pp=getpass(prompt)) == NULL) exit(0);
	if (strcmp(pp,SPECIAL)==0) exit(1);
	if ((pw=getpwnam(user)) == NULL) exit(0);
	strncpy(pwkey,pw->pw_passwd,2);
	pwkey[2]=0;
	if (strcmp(crypt(pp,pwkey),pw->pw_passwd)) exit(0);
	exit(1);
}

-------------------------------------------------

#	@(#).profile ULTRXI/ULTRIX WS
#	Author : L. Herscovici DEC France
#       Loop forever until a legal password is typed in
trap "" 2 0
while :
do
	if /etc/chkpas
	then
	echo 'INCORRECT ** REPEAT PLEASE**'
	else
	echo 'CORRECT : Entering command mode'
	break
	fi
done
echo 'erase ^?, kill ^U, intr ^C'
stty dec prterase new
PATH=/usr/ucb:/bin:/usr/bin:/etc:/usr/local:/usr/new:/usr/hosts:.
export PATH
trap 2 0

-- 
Roland J. Schemers III                              Systems Programmer   
schemers at vela.acs.oakland.edu (Ultrix)              Oakland University 
schemers at argo.acs.oakland.edu (VMS)                 Rochester, MI 48309-4401
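
Added example, not part of the original posts and not the authors' code: a variant of the check that returns 0 only on a match (the posted .profile accepts any non-zero status, so a missing or crashing /etc/chkpas would read as CORRECT), keeps the emergency password as a hash instead of the plaintext SPECIAL define, and tolerates a NULL return from the hash routine. The names check_password, ct_equal, hash_fn and demo_hash are assumptions, and demo_hash is a constructed stand-in for crypt(3) so the block links without -lcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); passed in so the logic can be exercised offline. */
typedef char *(*hash_fn)(const char *key, const char *salt);

/* Compare two strings without stopping at the first differing byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Return 0 (shell success) only if `typed` hashes to one of the n stored hashes. */
int check_password(const char *typed, const char *const *stored, size_t n, hash_fn hash)
{
    int ok = 0;
    if (typed == NULL || hash == NULL) return 1;
    for (size_t i = 0; i < n; i++) {
        if (stored[i] == NULL || strlen(stored[i]) < 2) continue; /* no usable hash */
        const char *h = hash(typed, stored[i]);  /* stored hash carries its own salt */
        if (h != NULL) ok |= ct_equal(h, stored[i]);  /* hash routine may return NULL */
    }
    return ok ? 0 : 1;
}

/* CONSTRUCTED stand-in for crypt(3): two salt chars plus a checksum. Not a real hash. */
char *demo_hash(const char *key, const char *salt)
{
    static char out[32];
    unsigned long v = (5381UL * 33 + (unsigned char)salt[0]) * 33 + (unsigned char)salt[1];
    for (; *key; key++) v = v * 33 + (unsigned char)*key;
    snprintf(out, sizeof out, "%c%c%08lx", salt[0], salt[1], v & 0xffffffffUL);
    return out;
}

int main(void)
{
    /* Constructed sample passwords, enrolled as hashes for this demo only. */
    char root_h[32], emerg_h[32];
    const char *stored[2] = { root_h, emerg_h };
    strcpy(root_h, demo_hash("sample-root-pw", "ab"));
    strcpy(emerg_h, demo_hash("sample-emergency-pw", "cd"));
    printf("root password: %d\n", check_password("sample-root-pw", stored, 2, demo_hash));
    printf("wrong guess:   %d\n", check_password("guess", stored, 2, demo_hash));
    return 0;
}
```

With this convention the .profile loop tests `if /etc/chkpas` and breaks in the `then` branch, so a checker that is missing or exits abnormally keeps the loop running.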


