Path: utzoo!utgpu!watmath!clyde!att!pacbell!ames!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: galvin-peter@cs.yale.edu (Peter Baer Galvin)
Newsgroups: comp.sys.sun
Subject: Re: Asking for root passwd when booting single user
Message-ID: <43947@yale-celray.yale.UUCP>
Date: 4 Dec 88 04:45:24 GMT
References: <2212@kalliope.rice.edu>
Sender: usenet@rice.edu
Organization: Rice University, Houston, Texas
Lines: 32
Approved: Sun-Spots@rice.edu
Original-Date: 23 Nov 88 18:23:06 GMT
X-Sun-Spots-Digest: Volume 7, Issue 37, message 8 of 12

It depends on the version of SunOS you are running.  Under 4.0 official
support is provided: in the /etc/ttytab file of the client, make sure the
console is NOT set secure.  touch the file /etc/securetty

A root password will then be needed before a single user boot is allowed.
Failure to give the root password will result in a multi-user boot.  

On "lesser" versions, you can put the command

	login root

as the first line of the file /.profile but only if root uses the csh
shell by default.  Booting single user runs a bourne shell, in which case
the .profile file is read and a root login required.  Note that this isn't
as secure as the 4.0 method.  Also note that if the root password is not
provided, a multi-user boot is done WITHOUT an fsck being done on the
client's disks - which is somewhat undesirable.

As an aside, it should be noted that no matter what, a system isn't secure
if its console isn't.  Even under SunOS 4.0 it is possible to break into
a system (even with security options set) if a system breaker has access
to the workstation console.  I know of one method in particular that a
coworker here discovered.  I'll try to get him to post the method to the
newly restarted security mailing list, since there's a fix to at least
make the job harder.

					      --Peter

Peter Baer Galvin       		      (203)432-1254
Senior Systems Programmer, Yale Univ. C.S.    galvin-peter@cs.yale.edu
51 Prospect St, P.O.Box 2158, Yale Station    ucbvax!decvax!yale!galvin-peter
New Haven, Ct   06457			      galvin-peter@yalecs.bitnet
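
Added example, not part of the original post: a small Bourne shell check that reports whether the console entry in a SunOS 4.x style /etc/ttytab still carries the "secure" flag, which is the setting the post says must be absent for the single-user root password prompt. The function name check_console and the sample ttytab lines (getty command, terminal type) are constructed for illustration.

```shell
#!/bin/sh
# Report whether the console entry in a SunOS 4.x style ttytab carries the
# "secure" flag. Per the post: console NOT marked secure means the root
# password is requested before a single-user boot.
# Prints one of: password-required | no-password | no-console-entry
check_console() {
    awk '
        {
            gsub(/"[^"]*"/, "CMD")   # collapse the quoted getty command to one field
            sub(/#.*/, "")           # drop comments so a commented-out flag is ignored
            if ($1 != "console") next
            found = 1
            secure = 0
            for (i = 2; i <= NF; i++)
                if ($i == "secure") secure = 1
        }
        END {
            if (!found)      print "no-console-entry"
            else if (secure) print "no-password"
            else             print "password-required"
        }
    ' "$1"
}

# Constructed sample files: the weak setting beside the corrected one.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak" <<'EOF'
# name  getty                      type    status
console "/usr/etc/getty std.9600"  sun     on secure
ttya    "/usr/etc/getty std.9600"  unknown off secure
EOF
cat > "$demo_dir/hardened" <<'EOF'
console "/usr/etc/getty std.9600"  sun     on   # secure removed
ttya    "/usr/etc/getty std.9600"  unknown off secure
EOF

for f in weak hardened; do
    printf '%s: %s\n' "$f" "$(check_console "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

On SunOS 4.x the same flag also controls whether root may log in directly on that terminal, so removing it from the console means administrators reach root through su in multi-user mode.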