Date:      Wed, 4 Oct 2000 13:50:07 -0400 (EDT)
From:      Christopher Rued <c.rued@xsb.com>
To:        "Dan Mahoney, System Admin" <danm@prime.gushi.org>
Cc:        roman <roman@devnulltech.com>, questions@FreeBSD.ORG
Subject:   Re: Securing SU
Message-ID:  <14811.28111.697039.622241@chris.xsb.com>
In-Reply-To: <Pine.BSF.4.21.0010041251010.22462-100000@prime.gushi.org>
References:  <20001004130520.A25331@nougat.stickynetworks.com> <Pine.BSF.4.21.0010041251010.22462-100000@prime.gushi.org>

Dan Mahoney, System Admin writes:
 > On Wed, 4 Oct 2000, roman wrote:
 > 
 > > > I was wondering if there was a way to configure su so that it would
 > > > disallow a user access if they're telnetted in.  (but, say, allow them if
 > > > they have sshed in).
 >  
 > > what about sudo? 
 > > 
 > > better than su, because you get to control who gets to do what as root. 
 > 
 > Oh, I have four people who have root, and need it.  My web guy, my cgi
 > guy, myself and my assistant...All of us need full root, and all are
 > trusted (in fact one is a cousin and one is a fiancee).
 > 
 > At the same time, we provide shells, so leaving telnet open to all is
 > necessary.
 > 
 > I just need to enforce the "don't use telnet if you're gonna SU, you
 > bonehead" rule.
 > 
 > I guess this could best be done with even a shell script, where the script
 > looks at what terminal it's running on, and sees if telnetd is talking on
 > that port.  If it is, it rejects root.  Of course, one can override this
 > by running screen (which uses multiple ptys)...Anyone have a cleaner
 > answer?

The best thing to do is probably to disable telnet entirely.  Then
they /have/ to ssh in.  Another thought: perhaps create a script that
checks to see if they are connected with ssh.  If they are, execute
the su command.  Otherwise, print a message: "don't use telnet if
you're gonna SU, you bonehead."  It seems that SSH sets an environment
variable called SSH2_CLIENT (for ssh2, anyway).  You may also want to
allow people to SU from the console, if they have access to it.

Then you just have to make sure that they use the script instead of
the real SU.

I don't know of any nice way of doing it, though I wouldn't be
surprised if there was one...

					-Chris
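The wrapper Chris sketches, written out as an added example (not code from the thread): it lets `su` run only when the session came in over ssh or from the console. It assumes sshd exports `SSH_CLIENT` (or `SSH2_CLIENT` on ssh2) and that FreeBSD console ttys are named `ttyv*` or `console`; since any user can set those environment variables themselves, this catches mistakes by cooperative users, while disabling telnetd is the control that actually enforces the policy.

```shell
#!/bin/sh
# Added example: a policy wrapper around su for the "no su over telnet" rule.
# Assumptions (not from the thread): sshd sets SSH_CLIENT or SSH2_CLIENT,
# console sessions run on ttyv* or console, the real su is /usr/bin/su.
# Caveat: SSH_CLIENT/SSH2_CLIENT are ordinary environment variables, so a
# telnet user could export them; this stops accidents, not a determined user.

# su_allowed SSH_CLIENT_VALUE SSH2_CLIENT_VALUE TTY_NAME
# Returns 0 (allow) when the session looks like ssh or the console, else 1.
su_allowed() {
    # Either ssh variant marks the session as ssh.
    if [ -n "$1" ] || [ -n "$2" ]; then
        return 0
    fi
    # Local console ttys (with or without the /dev/ prefix) are also allowed.
    case "$3" in
        console|/dev/console|ttyv*|/dev/ttyv*) return 0 ;;
    esac
    # Anything else (telnet ptys, screen ptys with no ssh marker) is refused.
    return 1
}

# Wrapper entry point: decide, then hand off to the real su with all arguments.
main() {
    tty_name=$(tty 2>/dev/null)
    if su_allowed "${SSH_CLIENT:-}" "${SSH2_CLIENT:-}" "$tty_name"; then
        exec /usr/bin/su "$@"
    fi
    echo "don't use telnet if you're gonna SU, you bonehead." >&2
    exit 1
}

# Only act as the wrapper when installed under that name (e.g. as
# /usr/local/bin/su-wrapper); sourcing the file just defines the functions.
case "$0" in
    su-wrapper|*/su-wrapper) main "$@" ;;
esac
```

Install it ahead of /usr/bin/su in the users' PATH (or alias `su` to it), which is the "make sure they use the script instead of the real SU" step from the message.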

