Re: [cobalt-users] Deny root access by telnet
- From: Mike Vanecek <nospam99@xxxxxxxxxxxx>
- Date: Sat Jun 24 17:17:44 2000
- Organization: anonymous
On Fri, 23 Jun 2000 16:00:41 +0100, Smith Colin-WCCS07
<Colin.Smith@xxxxxxxxxxxx> wrote:
/snip/
:>> :>You should probably get hold of 'sudo' rather than giving
:>> out su access.
:>>
:>> What is this and where it is available?
:>
:>Sudo is a command that allows you to give specified accounts root permission
:>to run specified executables with specified arguments.
:>
:>http://www.courtesan.com/sudo/
:>
:>I think you'll have to build it and install it yourself. I don't think there
:>are any packages from Cobalt.

Before trying sudo and inet, I thought I would give a try at putting it all
together.

Here is what I did based on the posts in various threads. I came close to
shooting the system dead, so anyone reading this, please do read what I did
wrong and how I recovered carefully.

Telnet (not using ssh1) in as root:

Change the root password to be different than that of admin (not using the
GUI).

cp /etc/securetty.master /etc/securetty to prevent telnet logins to root
from the network.

pico -w /etc/ssh/sshd_conf to change PermitRootLogin yes to PermitRootLogin no
(to prevent ssh1 sessions to root).

    cd /etc/rc.d/init.d
    ./sshd restart

Logout of telnet and ssh1 to admin (tested ssh1 to root, it fails).
su to root

To allow only wheel group to su to root:

pico -w /etc/group and add admin and otheruser to wheel

    cd /bin
    chown .wheel su
    chmod o-x su

Logout and ssh1 or telnet to admin, then try su:

    [admin@www admin]$ su
    Password:
    su: cannot set groups: Operation not permitted (PANIC!)
    [admin@www admin]$

Then

    [admin@www /bin]$ ls su -al
    -rwxr-xr-- 1 root wheel 30196 Feb 6 1998 su
    [admin@www /bin]$ groups
    users daemon wheel home admin

Looks OK, but it is NOT!

I next used SMB to delete securetty to allow root to telnet (gasp!!, thank you
Lord).

Then to fix it, I did

    [root@www /bin]# chgrp wheel su
    [root@www /bin]# chmod u=rwxs,g=rx,o=r su
    [root@www /bin]# ls su -al
    -rwsr-xr-- 1 root wheel 30196 Feb 6 1998 su

The key here is that su needs u=s not u=x.

I then did the cp securetty.master securetty

Now all works.

Gulp.

Now where do I set alias items for the su session, since profile and bashrc are
not executed when one does a su?

Thanks to all, hope this helps someone.

Mike.
--
For information on the unofficial qube mailing list, see
http://majordomo.email-lists.com/qube-users/
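
Added example, not part of the original post: a shell check for the su permissions the message ends up with (setuid root, group wheel, no execute for others), which catches the `-rwxr-xr--` state before logging out of the only root session. The function names are hypothetical, and `audit_su` assumes GNU `stat` and that su lives at /bin/su as in the post.

```shell
#!/bin/sh
# Added example: audit the su lockdown from the post above.
# Expected state (the post's final listing): -rwsr-xr-- root wheel = mode 4754.

# check_su_mode MODE OWNER GROUP   (hypothetical helper name)
# MODE is octal, as printed by `stat -c %a`. Prints one line per finding and
# returns 0 only when every check passes.
check_su_mode() {
    mode=$1 owner=$2 group=$3 rc=0
    case $mode in
        ''|*[!0-7]*) echo "FAIL: mode '$mode' is not octal"; return 2 ;;
    esac
    m=$((0$mode))                  # leading 0 makes the shell read it as octal
    if [ $((m & 04000)) -eq 0 ]; then
        echo "FAIL: setuid bit missing; su cannot switch to root"; rc=1
    fi
    if [ "$owner" != root ]; then
        echo "FAIL: owner is $owner; setuid would not grant root"; rc=1
    fi
    if [ "$group" != wheel ]; then
        echo "FAIL: group is $group, expected wheel"; rc=1
    fi
    if [ $((m & 0001)) -ne 0 ]; then
        echo "FAIL: others can execute; su is not limited to wheel"; rc=1
    fi
    if [ $((m & 0022)) -ne 0 ]; then
        echo "FAIL: setuid binary is group- or world-writable"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $mode $owner:$group"
    return "$rc"
}

# audit_su [PATH]: read the live values with GNU stat (assumed available).
audit_su() {
    path=${1:-/bin/su}
    info=$(stat -c '%a %U %G' "$path") || return 2
    set -- $info
    check_su_mode "$1" "$2" "$3"
}

# The two listings from the post, as constructed calls (no filesystem access):
check_su_mode 754 root wheel || true    # -rwxr-xr--  the state that failed
check_su_mode 4754 root wheel           # -rwsr-xr--  the repaired state
```

Run `audit_su` from the existing root session after any chown, chgrp or chmod of the binary and before logging out, since changing ownership can clear the setuid bit.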