Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!uwmcsd1!marque!uunet!steinmetz!davidsen
From: davidsen@steinmetz.ge.com (William E. Davidsen Jr)
Newsgroups: comp.unix.questions
Subject: Re: want to restrict root to su only
Keywords: security, su, login,
Message-ID: <11540@steinmetz.ge.com>
Date: 15 Jul 88 16:20:08 GMT
References: <7285@hqda-ai.ARPA>
Reply-To: davidsen@crdos1.UUCP (bill davidsen)
Organization: General Electric CRD, Schenectady, NY
Lines: 28

In article <7285@hqda-ai.ARPA> jay@hqda-ai.ARPA (Jay Hiser) writes:
| 
| As delivered by CCI and used by my predecessors for years, my hosts
| allow root to login directly.  Politics prevent me from limiting
| access to the root password as much as I'd like, but I can get away
| with making them use su only (they probably don't even know about the
| su.log :) ).  Unfortunately, I don't have access to the source for
| login.  My sys uses System V Rev 2 (CCI 2.22).  Root currently uses
| sh, since I'm the only one who knows csh (no ksh yet).

Suggestion: use this complex program as the login shell for root:

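	#include <stdio.h>
	#include <stdlib.h>	/* exit() */
	#include <unistd.h>	/* sleep() */

	/* Login shell for root: print a notice, pause, then refuse the session. */
	int main(void) {
	  fprintf(stderr, "Use your login and 'su' to root\n");
	  sleep(2);
	  exit(1);
	}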

This will keep anyone from using the root login, and thereby force them
to do "su" into it. Some systems will use the login shell even when
doing "su root" rather than "su - root", but most of these have the
logname() call to allow checking on the original username. You could
also check wtmp if you need to get fancy.
-- 
	bill davidsen		(wedu@ge-crd.arpa)
  {uunet | philabs | seismo}!steinmetz!crdos1!davidsen
"Stupidity, like virtue, is its own reward" -me
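
[Added example, not part of the original post.] For systems where "su root" also runs root's login shell, the wrapper below refuses direct root logins but hands off to a real shell when the terminal's original login is a non-root user. It uses POSIX getlogin() in place of the logname() call mentioned above; the helper name su_session_allowed and the REAL_SHELL path are assumptions made for illustration.

```c
/* Added example: root login shell that refuses direct logins but
 * passes through when reached via su from a non-root login. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REAL_SHELL "/bin/sh"   /* assumption: the shell root should get */

/* Policy check (hypothetical helper): return 1 if the session may
 * proceed, 0 if it must be refused. login_name is the name recorded for
 * the terminal's original login, or NULL when it cannot be determined. */
int su_session_allowed(const char *login_name)
{
    if (login_name == NULL || login_name[0] == '\0')
        return 0;               /* fail closed: origin unknown */
    if (strcmp(login_name, "root") == 0)
        return 0;               /* direct root login */
    return 1;                   /* logged in as themselves, then su */
}

int main(int argc, char **argv)
{
    /* getlogin() looks up the utmp entry for the session's terminal,
     * so it still names the original user after su. */
    const char *who = getlogin();

    (void)argc;
    if (!su_session_allowed(who)) {
        fprintf(stderr, "Use your login and 'su' to root\n");
        sleep(2);
        return 1;
    }
    /* Pass argv through unchanged so a leading '-' in argv[0] from
     * "su -" still marks the real shell as a login shell. */
    execv(REAL_SHELL, argv);
    perror(REAL_SHELL);         /* reached only if execv fails */
    return 1;
}
```

getlogin() returns NULL when the terminal has no utmp entry, and this wrapper then refuses the session. The check enforces the su-only policy on people who already hold the root password; it is not an authentication step.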