Re: [SLUG] Limiting terminal access to root

From: Eben King (eben01@verizon.net)
Date: Tue Mar 18 2008 - 12:08:27 EST


On Wed, 12 Mar 2008, ronan wrote:

> Rich Morgan wrote:
>> Hey guys and gals, an interesting forum question was posted by a friend
>> of mine and I'd like to get your take on it: How do you limit access to
>> the command line to just root? That is to say, not allow a user account
>> to access a terminal at all.
>>
>>
> You could probably create a FAKE_SHELL script and put it into /etc/login.defs
> That script can check: if $USER != 'root' and the output of 'tty' is
> '/dev/tty?' (wildcard), then 'exit', else 'bash'. A non-console login will
> have '/dev/pts/#' instead of '/dev/tty#', so those will still be allowed.

|| not &&; AIUI neither is allowed.

> Instead of the FAKE_SHELL route, you might be able to put your check into
> /etc/bash_profile (as long as all users have bash as their shell, as long as the
> user is not able to prevent their bash from executing that file????)

Well, I once got a shell on a supposedly no-shell system by running vi,
redefining SHELL from there, and executing :sh . So be careful.

-- 
-eben   QebWenE01R@vTerYizUonI.nOetP   http://royalty.mine.nu:81

"You're one of those condescending Unix computer users!" "Here's a nickel, kid. Get yourself a better computer" - Dilbert

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
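The tty check discussed in this message, written out as a wrapper script of the kind the quoted reply describes. This is an added example, not code from the thread; the function names, the POLICY variable and the `--login` argument are assumptions. It goes slightly beyond the quoted check by adding an `all` policy that denies non-root users on every terminal, and it takes the user name from `id -un` rather than `$USER`, which the user's environment can override.

```shell
#!/bin/sh
# Added example (hypothetical names): decide whether a login may get a shell.

POLICY=all   # "console": deny non-root on virtual consoles only
             # "all":     deny non-root on every terminal

# classify_tty PATH -> prints "console", "pty" or "none"
classify_tty() {
    case "$1" in
        /dev/tty[0-9]*)  echo console ;;  # virtual console, e.g. /dev/tty1
        /dev/pts/[0-9]*) echo pty ;;      # pseudo-terminal, e.g. ssh or xterm
        *)               echo none ;;     # "not a tty", empty, anything else
    esac
}

# shell_allowed USER TTY [POLICY] -> exit status 0 = allow, 1 = deny
shell_allowed() {
    sa_user=$1
    sa_kind=$(classify_tty "$2")
    sa_policy=${3:-all}
    if [ "$sa_user" = root ]; then
        return 0
    fi
    case "$sa_policy" in
        console)
            # The check as quoted: only virtual consoles are refused, so
            # pty logins (and sessions with no tty) still get through.
            if [ "$sa_kind" = console ]; then return 1; fi
            return 0 ;;
        *)
            # "all" and any unrecognised policy value: fail closed.
            return 1 ;;
    esac
}

# Runs only when invoked as: wrapper --login (assumed calling convention).
if [ "${1:-}" = "--login" ]; then
    if shell_allowed "$(id -un)" "$(tty)" "$POLICY"; then
        exec /bin/bash -l
    fi
    echo "Interactive shell access is restricted to root." >&2
    exit 1
fi
```

The wrapper only gates the login shell itself; it does nothing about programs that can spawn a shell on their own, which is the vi case described in the message.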


