SUMMA II: How to force users to 'su' to an account?

From: Karl Marble <marblek_at_city.ci.worcester.ma.us>
Date: Mon, 4 Nov 1996 08:40:55 -0500 (EST)

OK... this is the last time I'm posting anything regarding this subject. I
don't know why I didn't get this many responses in my 1st message. Anyway,
it still seems that some people are having trouble understanding what I wanted.

Here it is in short:

The way DU works, you can only log in as root from the console, or by
logging in as yourself and then 'su'-ing to root. This works fine, and I
don't want to change it.

I just wanted to make it so that our DBA account acted the same way (i.e.
you could ONLY 'su' to it, and not log directly into it, even from the console).

Well... The best, and most ingenious solution, came from Spider Boardman:

>Try writing a simple program, such as the attached, to use as
>that account's login shell. This checks that the LUID is not the
>same as the target RUID, as is the case for su. For a login,
>they'll be the same. This does preclude rsh as well as login, of
>course. It'll need to be setuid 0 to get the LUID and to make the
>audit report.
>
>--
>Spider Boardman (at home)
>The management (my cats) made me say this. http://www.wp.com/spider/
>PGP public key fingerprint = 96 72 D2 C6 E0 92 32 89 F6 B2 C2 A0 1C AB 1F DC
>
>/* compile with cc -std, and link with -laud */
>#include <sys/syscall.h>
>#include <sys/types.h>
>#include <sys/security.h>
>#include <stdio.h>
>#include <unistd.h>
>#include <sys/audit.h>
>
>int
>main(int argc, char **argv)
>{
>    uid_t luid;
>
>    /* Login UID of this session; fetching it needs root, hence setuid 0. */
>    luid = syscall(SYS_security, SEC_GETLUID, 0L, 0L, 0L, 0L);
>    /* A direct login has LUID == RUID; after su from another account they differ. */
>    if (luid == getuid() || luid == (uid_t)-1) {
>        (void) fprintf(stderr,
>            "Direct logins to this account are not allowed.\n");
>        (void) audgenl(AUTH_EVENT, AUD_T_CHARP, "Invalid direct login",
>            0, NULL);
>        return 1;
>    }
>    /* Give up the setuid-0 privilege before handing over to the shell. */
>    seteuid(getuid());
>    (void) execl("/bin/sh", "-sh", (char *)NULL);
>    perror("exec /bin/sh");
>    return 1;
>}

It works beautifully, does exactly what I need it to do, and even more!!
BRAVO!!!! I especially like the addition of the audit trail... OK, I'm a
control freak! 8-)

The other solutions offered were mostly changing the login shell to
something invalid, or to a shell script; which in my opinion are easy to
circumvent.

I thank the following for all of their replies:

Spider Boardman
Kevin Reardon
Jon Reeves
Phil Farrell
Bruce Whittaker
John Buchanan
--
Karl Marble
Unix Administrator & Webmaster
City of Worcester Information Services
Worcester, MA
mailto:marblek_at_city.ci.worcester.ma.us 
http://www.ultranet.com/~kmarble  (My 'at-work' page isn't finished yet)
Received on Mon Nov 04 1996 - 15:46:21 NZDT
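The same "su only, no direct login" login-shell check, as an added example that is not Spider Boardman's program and not part of the original message. It assumes a Linux host where the audit login UID is recorded in /proc/self/loginuid (set by pam_loginuid at login and preserved across su), so it needs no setuid bit to read the session's login UID, and it records the refused attempt with syslog() rather than audgenl(). The policy is the one from the post, generalised slightly: a session whose login UID equals the account's real UID is a direct login and is refused, and so is a session with no login UID at all (4294967295, the kernel's "unset" value), since such a session cannot show it came through su. The decision and the /proc parsing are factored into functions so the logic can be tested with constructed input.

```c
/* Added example (not the list's code): login-shell wrapper that permits only
 * sessions reached via su, based on Linux's audit login UID. Assumes
 * /proc/self/loginuid is maintained by pam_loginuid. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Kernel reports 4294967295 when no login UID was ever set for the session. */
#define LOGINUID_UNSET ((uid_t)-1)

/* Parse the text of a loginuid file ("1000\n", "4294967295"). Returns 0 and
 * stores the uid on success, -1 on empty, non-numeric or out-of-range input. */
int parse_loginuid(const char *text, uid_t *out)
{
    char *end;
    unsigned long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0' || v > 0xFFFFFFFFUL)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Test-friendly wrapper: parsed uid as a number, or -1 if the text is invalid. */
long long loginuid_of(const char *text)
{
    uid_t u;
    return parse_loginuid(text, &u) == 0 ? (long long)u : -1LL;
}

/* The policy from the post: a direct login has luid == ruid, an su from another
 * account has luid != ruid. An unset luid is refused as well. Returns 1 when
 * the session must be refused, 0 when it may proceed to the shell. */
int is_direct_login(uid_t luid, uid_t ruid)
{
    return (luid == ruid || luid == LOGINUID_UNSET) ? 1 : 0;
}

/* Read the login UID of the calling process from the given /proc path. */
int read_loginuid(const char *path, uid_t *out)
{
    char buf[32];
    size_t n;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_loginuid(buf, out);
}

int main(void)
{
    uid_t luid;

    /* An unreadable loginuid is treated as unset, which the policy refuses. */
    if (read_loginuid("/proc/self/loginuid", &luid) != 0)
        luid = LOGINUID_UNSET;

    if (is_direct_login(luid, getuid())) {
        fprintf(stderr, "Direct logins to this account are not allowed.\n");
        openlog("suonly-shell", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "refused direct login: loginuid=%lu uid=%lu",
               (unsigned long)luid, (unsigned long)getuid());
        closelog();
        return 1;
    }

    /* Nothing privileged was needed here, but drop anything inherited before
     * exec; setuid() resets real, effective and saved uid together. */
    if (setuid(getuid()) != 0) {
        perror("setuid");
        return 1;
    }
    execl("/bin/sh", "-sh", (char *)NULL);
    perror("exec /bin/sh");
    return 1;
}
```

Install the compiled binary as the DBA account's login shell (usermod -s or chsh) and leave the account's password usable only for su. Note the unset case: on a host where pam_loginuid is not in the login PAM stack, every session arrives with loginuid 4294967295 and the wrapper refuses all of them, including su, so confirm `cat /proc/self/loginuid` shows your own uid in a normal session before switching the shell.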

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:47 NZDT