From: Terry Lambert
Message-Id: <199511300106.SAA29264@phaeton.artisoft.com>
Subject: Re: schg flag on make world in -CURRENT
To: nate@rocky.sri.MT.net (Nate Williams)
Date: Wed, 29 Nov 1995 18:06:13 -0700 (MST)
Cc: terry@lambert.org, p.richards@elsevier.co.uk, freebsd-current@FreeBSD.ORG
In-Reply-To: <199511300043.RAA22160@rocky.sri.MT.net> from "Nate Williams" at Nov 29, 95 05:43:07 pm

> > > I see some merit though in preventing root access period from insecure
> > > pty's. If it was an added security level I'd be in favour of it. There
> > > are machines where I'd like to disable remote root access completely.
> >
> > Good idea. If you bump the secure level, you have to use a secure line
> > to enter the root password. This satisfy everyone?
>
> I think that's fair enough. If I hear you correctly, you'd have to
> modify 'su' to only run on secure terminals if you are the non-default
> secure level?

Yes. A sysctl could return the information. You fail the check at
the "wheel" group check in "su".

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
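
Added example, not part of the original message and not FreeBSD's su code: a C sketch of the check discussed above, where su refuses root on a terminal that lacks the `secure` flag once the secure level is raised. The threshold `SU_SECURE_TTY_LEVEL`, both function names and the ttys-format sample are assumptions, and the secure level is passed in as an integer in place of the sysctl read.

```c
#include <stdio.h>
#include <string.h>
/* Assumption: secure level at or above which su demands a secure terminal. */
#define SU_SECURE_TTY_LEVEL 1
/* Constructed sample in ttys(5) layout: name, getty command, type, flags. */
static const char SAMPLE_TTYS[] =
    "# constructed sample, not taken from a real host\n"
    "ttyv0 \"/usr/libexec/getty Pc\" cons25 on secure\n"
    "ttyd0 \"/usr/libexec/getty std.9600\" dialup on insecure\n"
    "ttyp0 none network\n";

/* Return 1 if `tty` carries the "secure" flag in ttys-format text, else 0. */
int tty_is_secure(const char *ttys, const char *tty)
{
    char line[256];
    size_t n = strlen(tty);
    while (*ttys) {
        size_t len = strcspn(ttys, "\n");
        size_t copy = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, ttys, copy);
        line[copy] = '\0';
        ttys += len + (ttys[len] == '\n');
        if (strncmp(line, tty, n) != 0 || (line[n] != ' ' && line[n] != '\t'))
            continue;                      /* comment or another terminal */
        char *rest = line + n, *q = strchr(rest, '"');
        if (q != NULL && (q = strchr(q + 1, '"')) != NULL)
            rest = q + 1;                  /* skip the quoted getty command */
        for (char *w = strtok(rest, " \t"); w; w = strtok(NULL, " \t"))
            if (strcmp(w, "secure") == 0)  /* exact match, so not "insecure" */
                return 1;
        return 0;
    }
    return 0;                              /* unlisted terminal: not secure */
}

/* The su decision: the terminal test sits with the wheel group check. */
int su_root_allowed(int in_wheel, int securelevel, const char *ttys, const char *tty)
{
    if (!in_wheel)
        return 0;                          /* wheel group check fails */
    /* Raised level: root only from a line flagged secure. */
    return securelevel < SU_SECURE_TTY_LEVEL || tty_is_secure(ttys, tty);
}

int main(void)
{
    printf("level 1, ttyp0: %d\n", su_root_allowed(1, 1, SAMPLE_TTYS, "ttyp0"));
    return 0;
}
```

At the default level the wheel check alone decides, so existing behaviour is unchanged; only a raised level adds the terminal requirement.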