Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!uwmcsd1!marque!uunet!steinmetz!davidsen
From: davidsen@steinmetz.ge.com (William E. Davidsen Jr)
Newsgroups: comp.unix.questions
Subject: Re: want to restrict root to su only
Keywords: security, su, login,
Message-ID: <11540@steinmetz.ge.com>
Date: 15 Jul 88 16:20:08 GMT
References: <7285@hqda-ai.ARPA>
Reply-To: davidsen@crdos1.UUCP (bill davidsen)
Organization: General Electric CRD, Schenectady, NY
Lines: 28

In article <7285@hqda-ai.ARPA> jay@hqda-ai.ARPA (Jay Hiser) writes:
|
| As delivered by CCI and used by my predecessors for years, my hosts
| allow root to login directly.  Politics prevent me from limiting
| access to the root password as much as I'd like, but I can get away
| with making them use su only (they probably don't even know about the
| su.log :) ).  Unfortunately, I don't have access to the source for
| login.  My sys uses System V Rev 2 (CCI 2.22).  Root currently uses
| sh, since I'm the only one who knows csh (no ksh yet).

Suggestion; use this complex program as the login shell for root:

	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>

	/* Refuse direct root logins: print a hint, pause, exit non-zero. */
	int main(void) {
	  fprintf(stderr, "Use your login and 'su' to root\n");
	  sleep(2);
	  exit(1);
	}

This will keep anyone from using the root login, and thereby force them
to do "su" into it. Some systems will use the login shell even when
doing "su root" rather than "su - root", but most of these have the
logname() call to allow checking on the original username. You could
also check wtmp if you need to get fancy.
--
	bill davidsen		(wedu@ge-crd.arpa)
  {uunet | philabs | seismo}!steinmetz!crdos1!davidsen
"Stupidity, like virtue, is its own reward" -me
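
The original-username check mentioned in the post above, as an added example that is not part of the original post: a root login shell that refuses direct logins but hands "su root" sessions a real shell. It assumes POSIX getlogin() in place of the System V logname() call the post names; REAL_SHELL, the "rootshell" syslog tag and check_origin() are hypothetical names.

```c
/* Added example (not from the original post): login shell for root that
 * denies direct logins and passes "su root" through to a real shell. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define REAL_SHELL "/bin/sh"   /* assumed path of the shell to hand over to */

enum verdict { DENY_DIRECT, DENY_UNKNOWN, ALLOW_SU };

/* Decide from the name recorded at login time (NULL if none is available).
 * Fails closed: without a recorded login name no shell is granted. */
enum verdict check_origin(const char *login_name)
{
    if (login_name == NULL || login_name[0] == '\0')
        return DENY_UNKNOWN;
    if (strcmp(login_name, "root") == 0)
        return DENY_DIRECT;        /* session began as a root login */
    return ALLOW_SU;               /* session began as someone else: su */
}

int main(int argc, char *argv[])
{
    /* getlogin() reports who logged in on this terminal, not the
     * current uid, so it still names the original user after su. */
    const char *who = getlogin();
    enum verdict v = check_origin(who);

    (void)argc;
    openlog("rootshell", LOG_PID, LOG_AUTH);
    if (v != ALLOW_SU) {
        syslog(LOG_WARNING, "root shell refused (login name: %s)",
               who ? who : "unknown");
        fprintf(stderr, "Use your login and 'su' to root\n");
        sleep(2);
        return 1;
    }
    syslog(LOG_NOTICE, "root shell started via su by %s", who);
    argv[0] = "sh";
    execv(REAL_SHELL, argv);       /* keeps arguments such as -c intact */
    perror(REAL_SHELL);            /* reached only if execv failed */
    return 127;
}
```

Because the check fails closed, anything that starts root's shell without a login record (for example, with no controlling terminal) is refused as well.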