Included below is a "shar" archive which contains:
1. a ".profile" for root
2. source for "singleuserlock"
3. a Makefile
The combination of these provides "some" security. What happens is this:
when the machine is booted in single-user mode, root's /.profile runs the
"singleuserlock" program, which demands the root password before the shell
prompt is reached. At that prompt the operator may instead type "reboot" or
"halt"; after a fixed number of wrong passwords, or after a timeout, the
program halts the machine itself. The profile also offers a "backup" command
(a site-local program, not included here) so that an operator can do
single-user backups; note that this prompt is presented before the password
check, so it does not require the root password.
Feel free to copy, modify and improve! If you improve it, please send
me the changes.
No, this is not a fool-proof method of providing the security you would
like: it only guards the single-user shell prompt, and the profile simply
falls through to a root shell if the lock program is missing from /etc.
However, it helps.
Enjoy.
Charles Sandel
sandel@mcc.com
---------------------<cut here for singleuserlock.shar>-------------------
# This is a shell archive. Remove anything before this line,
# then unpack it by saving it in a file and typing "sh file".
#
# Wrapped by farad.sw.mcc.com!sandel on Mon Apr 9 09:36:53 CDT 1990
# Contents: profile singleuserlock.c Makefile
echo x - profile
sed 's/^@//' > "profile" <<'@//E*O*F profile//'
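###### STP /.profile ######
###### Ignore QUIT (3) and the two other signals (8, 18 -- SunOS numbering)
###### that could otherwise be used to break out of this file before the
###### lock has been passed.  NOTE: SIGINT (2) is not covered here; the lock
###### program ignores it itself, but the prompts below can presumably be
###### interrupted -- verify on the target sh.
trap "" 3
trap "" 8
trap "" 18
###### "." is deliberately NOT in root's PATH: with it present a command
###### typed at the root prompt could resolve to a file in the current
###### directory instead of the system binary.
PATH=/etc:/usr/etc:/usr/ucb:/bin:/usr/bin
TZ=CST6CDT
export PATH TZ
###### Use a locking program to prompt for password when single-user ######
BACKUP=/etc/backup
SULOCK=/etc/.singleuserlock
###### Check for a marker file, "/netup", left by the "singleuser" program.
###### If it exists, bring up the network interface for remote access.
###### /etc/nologin is written BEFORE inetd is started so that there is no
###### window in which remote logins would be accepted.
NETUP=/netup
if [ -f $NETUP ]; then
	rm -f $NETUP
	echo "Access temporarily restricted." > /etc/nologin
	((/bin/domainname stp ; \
	/usr/etc/portmap; \
	/usr/etc/ypbind; \
	/usr/etc/inetd )&) >/dev/null 2>&1
fi
###### The backup prompt comes BEFORE the password lock on purpose (an
###### operator can run backups without knowing the root password).  Be
###### aware that this means $BACKUP runs as root for anyone at the console.
if [ -x $BACKUP ]; then
	echo ""
	echo -n "Do you want to do backups? (y/n)"
	read answer
	case "$answer" in
	y*|Y*)
		exec $BACKUP ;;
	esac
fi
PATH=$PATH:/usr/hosts:/usr/local/bin:/usr/local/etc
stty dec
echo "Entering single-user mode."
###### The lock program returns only after the root password was typed; on
###### too many failures or a timeout it halts/reboots the machine itself.
###### If it is missing the profile falls through to a root shell, so say so
###### loudly rather than silently.
if [ -x $SULOCK ]; then
	$SULOCK
else
	echo "WARNING: $SULOCK missing or not executable -- console is NOT locked."
fi
trap 3
trap 8
trap 18
TERM=sun
USER=root
HOME=/
export TERM USER HOME
###### End STP /.profile ######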
@//E*O*F profile//
chmod u=rw,g=r,o=r profile
echo x - singleuserlock.c
sed 's/^@//' > "singleuserlock.c" <<'@//E*O*F singleuserlock.c//'
/* example written by Bruce G. Barnett <barnett@ge-crd.arpa> */
#include <errno.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>	/* exit() */
#include <string.h>	/* strncpy(), strcmp() */
#include <unistd.h>	/* alarm(), sleep(), pause(), geteuid(), getpass() */
#include <sys/reboot.h>
#include <sys/time.h>
#define ROOT_UID 0 /* uid whose passwd entry must be matched */
#define MAXTRIES 4 /* number of tries for password */
#define ALARM 60 /* seconds for alarm -- set once, so it covers ALL tries */
#define INIT_PID 1 /* PID of init */

struct passwd *pwd; /* root's passwd entry, looked up in main() */

/* K&R-style declarations of library routines (this file predates ANSI
 * prototypes).  They are compatible with the prototypes in <pwd.h>,
 * <string.h> and <unistd.h> should those headers be included. */
struct passwd *getpwuid();
char *strcpy();
char *crypt();
char *getpass();

char *pw; /* crypt() of what was typed, compared against pwd->pw_passwd */
char pwbuf[32]; /* copy of the typed password; main() fills it in */
int numtries; /* wrong passwords so far; zero-initialised (file scope) */
int timeout(); /* SIGALRM handler, defined below */
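/*
 * Prompt for root's password (or the words "halt"/"reboot") on the console.
 * Exits 0 to the calling shell only after the correct password is typed;
 * every other path (too many tries, timeout, no passwd entry) ends in
 * doreboot(), which never returns.
 */
main()
{
	char *typed;

	/* Keep the operator from breaking out to the shell with ^C, ^\ or ^Z. */
	(void) signal(SIGINT, SIG_IGN);
	(void) signal(SIGQUIT, SIG_IGN);
	(void) signal(SIGTSTP, SIG_IGN);
	(void) signal(SIGALRM, timeout);

	/* Only meaningful when running as root (and refusing otherwise means a
	 * non-root caller cannot use it to halt/reboot the machine). */
	if (geteuid() != ROOT_UID) {
		(void) fprintf(stderr, "Permission denied.\n");
		exit(1);
	}

	/* get the password entry for root */
	/* use 0 if you want to hard-wire the passwd for root */
	/* else use getuid() */
	pwd = getpwuid(ROOT_UID);
	if (pwd == NULL) {
		(void) fprintf(stderr, "Cannot get password entry for root.\n");
		doreboot(RB_HALT);
	}

	/* One alarm for the whole session: ALARM seconds in total, not per try. */
	(void) alarm(ALARM);
	while (numtries < MAXTRIES) {
		(void) fprintf(stderr,
		    "Enter: root password, \"halt\", or \"reboot\".\n");
		typed = getpass("Password:");
		/* getpass() may return NULL (e.g. EOF on the console); treat that as
		 * a wrong answer instead of dereferencing it. */
		if (typed == NULL)
			typed = "";
		/* Bounded copy: getpass()'s buffer can be longer than pwbuf on some
		 * systems, and the original strcpy() could overflow it. */
		(void) strncpy(pwbuf, typed, sizeof(pwbuf) - 1);
		pwbuf[sizeof(pwbuf) - 1] = '\0';

		/* crypt() returns NULL for an unusable salt on some systems.  A
		 * shadowed entry ("x", "*") presumably never matches, leaving only
		 * halt/reboot -- the safe failure mode. */
		pw = crypt(pwbuf, pwd->pw_passwd);
		if (pw != NULL && strcmp(pw, pwd->pw_passwd) == 0)
			exit(0);	/* back to the shell: lock passed */
		if (strcmp(pwbuf, "halt") == 0) {
			(void) fprintf(stderr, "System halting...\n");
			doreboot(RB_HALT);
		}
		if (strcmp(pwbuf, "reboot") == 0) {
			(void) fprintf(stderr, "System rebooting...\n");
			doreboot(RB_AUTOBOOT);
		}
		(void) fprintf(stderr, "Incorrect password.\n");
		numtries++;
	}
	(void) alarm(0);
	(void) fprintf(stderr, "Root login failed. System halting....\n");
	doreboot(RB_HALT);
}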
/*
 * SIGALRM handler: the operator took longer than ALARM seconds in total,
 * so halt the machine.  Never returns (doreboot() does not).
 *
 * NOTE(review): this calls fprintf() and doreboot() (sleep, kill, reboot)
 * directly from a signal handler; none of that is async-signal-safe.  It
 * gets away with it because the handler never returns, but a flag checked
 * from main() would be the conservative design.
 */
timeout()
{
	(void) alarm(0);	/* no second alarm while already shutting down */
	(void) fprintf(stderr, "\nTime out after %d seconds.\n", ALARM);
	(void) fprintf(stderr, "System halting...\n");
	doreboot(RB_HALT);
}
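/*
 * Bring the machine down.  howto is passed straight to reboot(2)
 * (RB_HALT or RB_AUTOBOOT).  Never returns: on success the kernel takes
 * over; if reboot() fails the process sleeps forever so the console
 * stays locked instead of dropping back into the password loop.
 */
doreboot(howto)
int howto;
{
	int round;

	(void) alarm(0);	/* no SIGALRM while we are already going down */
	sync();
	/* Ask init to stop spawning processes (BSD-style init treats SIGTSTP
	 * that way -- assumed; check init(8) on the target system). */
	if (kill(INIT_PID, SIGTSTP) == -1)
		(void) fprintf(stderr, "Can't idle init.\n");
	sleep(1);
	/* Polite request first, then force.  This relies on kill(-1, ...) not
	 * signalling the caller itself, as on BSD-derived systems. */
	(void) kill(-1, SIGTERM);
	sleep(5);
	sync();
	/* errno comes from <errno.h>; the old local "extern int errno;" is
	 * redundant and breaks on systems where errno is a macro. */
	for (round = 0; ; round++) {
		if (kill(-1, SIGKILL) == -1 && errno == ESRCH)
			break;	/* nobody left to kill */
		if (round > 5) {
			(void) fprintf(stderr,
			    "CAUTION: some process(es) wouldn't die.\n");
			break;
		}
		/* Give the kernel a moment to tear down the processes just killed;
		 * without a pause every round sees the same (dying) processes and
		 * the ESRCH exit above is never reached. */
		sleep(1);
	}
	sync();
	reboot(howto);
	/* If the reboot() fails, make sure that the system does nothing.
	 * A plain pause() could return on a caught signal and fall back into
	 * main(), so loop. */
	(void) fprintf(stderr, "reboot() failed; console stays locked.\n");
	for (;;)
		pause();
}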
@//E*O*F singleuserlock.c//
chmod u=r,g=rw,o=r singleuserlock.c
echo x - Makefile
sed 's/^@//' > "Makefile" <<'@//E*O*F Makefile//'
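# Build and install the single-user console lock.
#
# The binary is run from root's /.profile in single-user mode, when /usr
# (and with it the shared libraries) may not be mounted yet.  -Bstatic links
# it statically for exactly that reason and must not be lost; it is kept out
# of CFLAGS so that "make CFLAGS=-g" cannot drop it.  -s strips the result.
SRC=singleuserlock.c
BIN=singleuserlock
BINDIR=/etc
# No manual page is shipped in this archive; MANDIR is unused.
MANDIR=/usr/man/manl
CFLAGS=-O
LINKFLAGS=-s -Bstatic

all: ${BIN}

${BIN}: ${SRC}
	${CC} ${CFLAGS} ${LINKFLAGS} ${SRC} -o $@

# Installed as a dot-file in /etc, which is where the profile looks for it
# (SULOCK=/etc/.singleuserlock).  The program refuses to run unless euid is
# 0, so mode 755 does not let other users do anything useful with it.
install: ${BIN}
	install -o root -g staff -m 755 ${BIN} ${BINDIR}/.${BIN}

clean:
	rm -f ${BIN} *.o core

.PHONY: all install clean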
@//E*O*F Makefile//
chmod u=rw,g=rw,o=r Makefile
exit 0