Prevent ROOT using logging on as ROOT


Post by Wesolowski, Mi » Wed, 06 Nov 1996 04:00:00



Does anybody have a way to prevent the ROOT account from logging on as
ROOT?

I would like to have the user use the SU so that I have a log of the
activity.

Thanks

Mike Wesolowski

City of Milwaukee Housing Authority


 
 
 


Post by James P. Ega » Thu, 07 Nov 1996 04:00:00



> Does anybody have a way to prevent the ROOT account from logging on as
> ROOT?

> I would like to have the user use the SU so that I have a log of the
> activity.

> Thanks

> Mike Wesolowski

> City of Milwaukee Housing Authority



Using SMIT "Change / Show Characteristics of a User", you should be able
to Set "User can LOGIN?" to False, and "User can LOGIN REMOTELY?" to
False, and "Another user can SU TO USER?" to True and that should do it.

/Jim/
--

Integrated Architectures, Inc.  | http://www.iai.com
300 East Main Street, Suite 207 | Tel: 508-634-3200 x209
Milford, MA  01757              | Fax: 508-634-8381
Use PGP for more secure email

 
 
 


Post by Dwight Tov » Fri, 08 Nov 1996 04:00:00



|> >
|> > Does anybody have a way to prevent the ROOT account from logging on as
|> > ROOT?
|> >
|> > I would like to have the user use the SU so that I have a log of the
|> > activity.
|> >
|> > Thanks
|> >
|> > Mike Wesolowski
|> >
|> > City of Milwaukee Housing Authority
|> >

|>
|> Using SMIT "Change / Show Characteristics of a User", you should be able
|> to Set "User can LOGIN?" to False, and "User can LOGIN REMOTELY?" to
|> False, and "Another user can SU TO USER?" to True and that should do it.
|>

Just make sure you can still log in when the only filesystem that will come up is
the root filesystem.  If you have /usr as a separate filesystem and your login
shell is /usr/bin/ksh, you won't be able to get in when /usr won't mount.  If you
also can't log in as root because you've disabled it...

Always think long and hard about changing your root access.
        /dwight

--
Dwight N. Tovey              H&W Computer Systems, Inc.
Software Specialist III      12438 W. Bridger St.  Suite 100


I didn't claw my way to the top of the food chain to eat vegetables!!

 
 
 


Post by Michael Ab » Sat, 09 Nov 1996 04:00:00


Mike,
Use the chuser command or the associated smitty dialog
to change some of the user settings (e.g. LOGIN, REMOTE
LOGIN and SU) to achieve what you want.

Here is a screenshot:

                    Change / Show Characteristics of a User

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[MORE...5]                                              [Entry Fields]
     ADMINISTRATIVE GROUPS                              []              +
-->  Another user can SU TO USER?                       true            +
-->  SU GROUPS                                          [ALL]           +
     HOME directory                                     [/home/root]
     Initial PROGRAM                                    [/bin/ksh]
     User INFORMATION                                   []
     EXPIRATION date (MMDDhhmmyy)                       [0]
     Is this user ACCOUNT LOCKED?                       false           +
-->  User can LOGIN?                                    true            +
-->  User can LOGIN REMOTELY?                           true            +
     Allowed LOGIN TIMES                                []
     Number of FAILED LOGINS before                     [0]             #
          user account is locked
     Login AUTHENTICATION GRAMMAR                       [compat]
[MORE...25]

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         F6=Command          F7=Edit             F8=Image
F9=Shell            F10=Exit            Enter=Do

Many of our customers use that approach in order to be
"more secure". I would recommend creating a group
(e.g. named "admins") and changing the root user so that
only members of that group may su to root.

HTH


Quote: Wesolowski, Mike writes:

Does anybody have a way to prevent the ROOT account from logging on as
ROOT?

I would like to have the user use the SU so that I have a log of the
activity.

Thanks

Mike Wesolowski

City of Milwaukee Housing Authority
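
Added example, not part of any post in this thread: a shell audit of root's stanza in an AIX-style /etc/security/user file, checking the settings the replies above describe. The attributes login, rlogin, su and sugroups are the file's counterparts of the SMIT fields; the function names, the sample stanzas and the use of the group name "admins" are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit root's stanza in an AIX-style /etc/security/user file.
# On AIX the target state would be set with (not run here):
#   mkgroup admins
#   chuser login=false rlogin=false su=true sugroups=admins root

# get_attr FILE USER ATTR: print USER's value, else the "default" stanza's.
get_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                      # "*" starts a comment line
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); stanza = $0; next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != attr) next
            if (stanza == user) own = val
            if (stanza == "default") dflt = val
        }
        END { print (own != "" ? own : dflt) }
    ' "$1"
}

# audit_root FILE: print one line per setting that still permits direct root
# login or unrestricted su; print nothing when the stanza matches the advice.
audit_root() {
    for want in login=false rlogin=false su=true; do
        attr=${want%%=*}; expected=${want#*=}
        actual=$(get_attr "$1" root "$attr")
        [ "$actual" = "$expected" ] || echo "root: $attr=$actual, want $expected"
    done
    case "$(get_attr "$1" root sugroups)" in
        ""|ALL) echo "root: sugroups unset or ALL, any user may su to root" ;;
    esac
}

# Constructed sample: root inherits login/rlogin from default, as in the screenshot.
sample_before() {
    printf '%s\n' '* constructed sample' 'default:' '    login = true' \
        '    rlogin = true' '    su = true' '    sugroups = ALL' '' \
        'root:' '    admin = true' '    SYSTEM = "compat"'
}
# Constructed sample: the same file after the change suggested in the thread.
sample_after() {
    sample_before
    printf '%s\n' '    login = false' '    rlogin = false' '    sugroups = admins'
}
# Demo run on the "before" sample: prints three findings.
f=$(mktemp); sample_before > "$f"; audit_root "$f"; rm -f "$f"
```
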


 
 
 

1. How do you prevent someone else from logging on as root from another host?

Do you know how to prevent another user from logging on as root from another
machine to your computer (Sun Solaris 2.x)?

For example, the other user (who is telneting or remote logging in from
computer "wilma") should only be able to login to a computer whose hostname is
"flintstone" as "root" user if and only if he is on "flintstone."  He should
not be able to login as "root" user from "wilma."

Thanks.

-- A.D.
