Re: SUN L1-A and b -s

From: Charles Sandel (sandel%SW.MCC.COM@mcc.com)
Date: Fri Feb 01 1991 - 17:53:01 CST


Included below is a "shar" archive which contains:
        1. a ".profile" for root
        2. source for "singleuserlock"
        3. a Makefile

The combination of these will provide "some" security. What happens
is this: when the machine is booted in singleuser mode, root's /.profile
executes the "singleuserlock" program which requires that a password be
entered. It also allows the user to "reboot" or "halt" the machine, and
it allows you to go into a "backup" command (we have one locally) to
provide the operator a way to do single-user backups.

Feel free to copy, modify and improve! If you improve it, please send
me the changes.

No, this is not a fool-proof method of providing the security you would
like. However, it helps.

Enjoy.
Charles Sandel
sandel@mcc.com

---------------------<cut here for singleuserlock.shar>-------------------

# This is a shell archive. Remove anything before this line,
# then unpack it by saving it in a file and typing "sh file".
#
# Wrapped by farad.sw.mcc.com!sandel on Mon Apr 9 09:36:53 CDT 1990
# Contents: profile singleuserlock.c Makefile
 
echo x - profile
sed 's/^@//' > "profile" <<'@//E*O*F profile//'
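###### Ignore signals that would let the operator break out of this script.
###### Under BSD/SunOS numbering 3 = SIGQUIT and 18 = SIGTSTP; 8 is SIGFPE
###### there -- TODO confirm that is the signal the author intended.
###### NOTE(review): SIGINT (2) and SIGHUP (1) are not covered here; only the
###### singleuserlock program itself ignores SIGINT.
trap "" 3
trap "" 8
trap "" 18

###### STP /.profile ######

###### Root's search path.  The current directory is deliberately NOT on it:
###### every command below is either a shell builtin, a system binary, or
###### referenced by absolute path, and "." in root's PATH lets a planted
###### file in the working directory run with root privileges.
PATH=/etc:/usr/etc:/usr/ucb:/bin:/usr/bin
TZ=CST6CDT
export PATH TZ

###### Use a locking program to prompt for password when single-user ######
BACKUP=/etc/backup
SULOCK=/etc/.singleuserlock
###### Check for a marker file, "/netup", left by the "singleuser" program.
###### If it exists, bring up the network interface for remote access.
NETUP=/netup

if [ -f $NETUP ]; then
        rm -f $NETUP
        ###### Daemons are started in a backgrounded subshell so a hung
        ###### one cannot block this script; their output is discarded.
        ((/bin/domainname stp ; \
          /usr/etc/portmap; \
          /usr/etc/ypbind; \
          /usr/etc/inetd )&) >/dev/null 2>&1
        ###### /etc/nologin keeps ordinary users out while the network is up.
        echo "Access temporarily restricted." > /etc/nologin
fi
###### Offer the local backup program; "exec" replaces this shell, so the
###### password prompt below is never reached on that path.
if [ -x $BACKUP ]; then
        echo ""
        echo -n "Do you want to do backups? (y/n)"
        read answer
        case "$answer" in
                y*|Y*)
                        exec $BACKUP ;;
        esac
fi

PATH=$PATH:/usr/hosts:/usr/local/bin:/usr/local/etc
stty dec
echo "Entering single-user mode."
###### The lock program either exits 0 (password accepted) or halts/reboots
###### the machine.  NOTE(review): any other exit status (for example if the
###### program is killed) falls through to the root shell; use
###### "$SULOCK || exit" if that is not acceptable.
if [ -x $SULOCK ]; then
        $SULOCK
fi

###### Restore default signal handling for the interactive root shell.
trap 3
trap 8
trap 18

TERM=sun
USER=root
HOME=/
export TERM USER HOME
###### End STP /.profile ######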
@//E*O*F profile//
chmod u=rw,g=r,o=r profile
 
echo x - singleuserlock.c
sed 's/^@//' > "singleuserlock.c" <<'@//E*O*F singleuserlock.c//'
/* example written by Bruce G. Barnett <barnett@ge-crd.arpa> */
#include <stdio.h>
#include <signal.h>
#include <pwd.h>
#include <sys/reboot.h>
#include <sys/time.h>
#include <errno.h>
#include <string.h>

#define ROOT_UID 0
#define MAXTRIES 4 /* number of tries for password */
#define ALARM 60 /* seconds for alarm */
#define INIT_PID 1 /* PID of init */

/* Password entry for root (uid ROOT_UID), looked up once in main(). */
struct passwd *pwd;
/* Pre-ANSI declarations of the library routines used below; the system
 * headers of the day did not always supply prototypes. */
struct passwd *getpwuid();
char *strcpy();
char *crypt();
char *getpass();
/* crypt() result of the most recent reply, compared with pwd->pw_passwd. */
char *pw;
/* Copy of the string typed at the "Password:" prompt.  It is also matched
 * against the literal commands "halt" and "reboot".  Whatever is copied in
 * here must be bounded to sizeof pwbuf - 1 characters plus the terminator;
 * getpass() does not promise a result that short. */
char pwbuf[32];
/* Number of failed replies so far; main() halts once it reaches MAXTRIES. */
int numtries;
/* SIGALRM handler: halts the machine when ALARM seconds have elapsed. */
int timeout();

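/*
 * Entry point: lock the single-user console behind the root password.
 *
 * Must run with effective uid ROOT_UID, otherwise it exits with status 1.
 * Looks up root's password entry, then gives the operator up to MAXTRIES
 * replies and ALARM seconds in total (timeout() fires on SIGALRM).  A reply
 * whose crypt() matches root's encrypted password exits 0 so the calling
 * /.profile continues; the literal replies "halt" and "reboot" call
 * doreboot() with RB_HALT / RB_AUTOBOOT; anything else counts as a failed
 * try.  Exhausting the tries, or failing to obtain root's entry, halts the
 * machine through doreboot().
 *
 * Never returns normally: every path ends in exit() or doreboot().
 */
int main()
{
        char *reply;

        /* The operator must not be able to break out of the prompt. */
        (void) signal(SIGINT, SIG_IGN);
        (void) signal(SIGQUIT, SIG_IGN);
        (void) signal(SIGTSTP, SIG_IGN);
        (void) signal(SIGALRM, timeout);

        /* Refuse to run unprivileged: the program guards the root shell
         * and its reboot path only makes sense as root. */
        if (geteuid() != ROOT_UID) {
                (void) fprintf(stderr, "Permission denied.\n");
                exit(1);
        }

        /* ROOT_UID hard-wires the root entry; use getuid() instead to lock
         * against the invoking user's own password. */
        pwd = getpwuid(ROOT_UID);
        if (pwd == NULL) {
                (void) fprintf(stderr, "Cannot get password entry for root.\n");
                doreboot(RB_HALT);
        }

        (void) alarm(ALARM);
        while (numtries < MAXTRIES) {
                (void) fprintf(stderr,
                        "Enter: root password, \"halt\", or \"reboot\".\n");
                reply = getpass("Password:");
                /* getpass() returns NULL when it cannot read the terminal.
                 * Count that as a failed try: crashing here would end the
                 * program without halting, handing control back to the
                 * shell that invoked it. */
                if (reply == NULL) {
                        (void) fprintf(stderr, "Incorrect password.\n");
                        numtries++;
                        continue;
                }
                /* Bounded copy with explicit termination: an overlong reply
                 * must not overrun pwbuf. */
                (void) strncpy(pwbuf, reply, sizeof pwbuf - 1);
                pwbuf[sizeof pwbuf - 1] = '\0';
                pw = crypt(pwbuf, pwd->pw_passwd);
                /* crypt() may return NULL for an unusable salt (e.g. an empty
                 * or locked password field); treat that as a mismatch rather
                 * than passing NULL to strcmp(). */
                if (pw != NULL && strcmp(pw, pwd->pw_passwd) == 0)
                        exit(0);
                if (strcmp(pwbuf, "halt") == 0) {
                        (void) fprintf(stderr, "System halting...\n");
                        doreboot(RB_HALT);
                }
                if (strcmp(pwbuf, "reboot") == 0) {
                        (void) fprintf(stderr, "System rebooting...\n");
                        doreboot(RB_AUTOBOOT);
                }
                (void) fprintf(stderr, "Incorrect password.\n");
                numtries++;
        }
        (void) alarm(0);
        (void) fprintf(stderr, "Root login failed. System halting....\n");
        doreboot(RB_HALT);
}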

/* SIGALRM handler: the operator did not answer within ALARM seconds, so
 * cancel the timer, say why on stderr, and halt the machine through
 * doreboot().  Does not return. */
int timeout()
{
        (void) alarm(0);
        (void) fprintf(stderr, "\nTime out after %d seconds.\n", ALARM);
        (void) fputs("System halting...\n", stderr);
        doreboot(RB_HALT);
        return 0;
}

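/*
 * Bring the machine down: idle init, terminate every other process, flush
 * the disks and call reboot(2) with `howto` (RB_HALT or RB_AUTOBOOT).
 *
 * Any pending alarm is cancelled first so timeout() cannot re-enter this
 * routine.  Processes get SIGTERM and five seconds to exit, then SIGKILL
 * is sent until kill(-1) reports ESRCH (nothing left to signal) or more
 * than five rounds have passed, in which case a warning is printed and the
 * reboot proceeds anyway.
 *
 * Does not return: if reboot() itself fails the process pause()s forever,
 * so neither the caller nor the shell that started it regains control.
 */
int doreboot(howto)
int howto;
{
        int round;

        (void) alarm(0);
        sync();
        /* Presumably SIGTSTP tells init to stop spawning new processes
         * while we tear down -- confirm against init(8) on the target. */
        if (kill(INIT_PID, SIGTSTP) == -1)
                (void) fprintf(stderr, "Can't idle init.\n");
        sleep(1);
        (void) kill(-1, SIGTERM);
        sleep(5);
        sync();
        for (round = 0; ; round++) {
                /* ESRCH means there is no process left to signal; any other
                 * failure just counts towards the round limit. */
                if (kill(-1, SIGKILL) == -1 && errno == ESRCH)
                        break;
                if (round > 5) {
                        (void) fprintf(stderr,
                                "CAUTION: some process(es) wouldn't die.\n");
                        break;
                }
        }

        sync();

        reboot(howto);

        /* If reboot() fails, make sure the system does nothing.  pause()
         * returns whenever a caught signal arrives, so loop on it rather
         * than fall back into the caller. */
        for (;;)
                pause();
}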
@//E*O*F singleuserlock.c//
chmod u=r,g=rw,o=r singleuserlock.c
 
echo x - Makefile
sed 's/^@//' > "Makefile" <<'@//E*O*F Makefile//'
# Build and install the single-user console lock.
SRC=singleuserlock.c
BIN=singleuserlock
# Installed under a leading dot as $(BINDIR)/.$(BIN); that is the path the
# accompanying /.profile expects in SULOCK.
BINDIR=/etc
# Not used by any rule below.
MANDIR=/usr/man/manl
# -s strips the binary; -Bstatic links it statically (presumably so it runs
# in single-user mode before shared libraries are reachable -- confirm).
CFLAGS=-O -s -Bstatic

all: $(BIN)

$(BIN): $(SRC)
	cc $(CFLAGS) $(SRC) -o $(BIN)

install: $(BIN)
	install -o root -g staff -m 755 $(BIN) $(BINDIR)/.$(BIN)

clean:
	rm -f $(BIN) *.o core
@//E*O*F Makefile//
chmod u=rw,g=rw,o=r Makefile
 
exit 0


