Date:      Wed, 30 Jun 1999 11:30:04 -0700 (PDT)
From:      brooks@one-eyed-alien.net
To:        Anil Jangity <aj@entic.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: kill!!!
Message-ID:  <Pine.GSO.4.10.9906301127370.19730-100000@orion.ac.hmc.edu>
In-Reply-To: <Pine.BSF.4.10.9906300934030.6726-100000@shell.entic.net>

On Wed, 30 Jun 1999, Anil Jangity wrote:

> I was wondering, is it possible/safe to make kill(1) to not allow it to
> kill a root process run from the console? Only the console should be able
> to kill those processes and no one else. 
> 
> The reason is, I leave a root login on the console at all times... just
> in case something stupid happens like the passwd is changed for root or you
> can no longer su to root etc because of a compromise or whatever, but if
> you have a logged in root already, it'll be easy to fix those. I was
> thinking making kill not be able to kill the shell after it was hacked
> etc. <rambling>

If you really wanted to, you could probably implement that feature, but I
think it would require a higher secure level.  In reality, it's probably a
waste of time for your purposes.  See the commit message below (this was
also committed to the RELENG_3 branch):

--<cut>--
peter       1999/04/03 20:36:50 PST

  Modified files:
    libexec/getty        gettytab.5 gettytab.h init.c main.c 
  Log:
  Add an 'al' (autologin username) capability to getty/gettytab.  This is a
  damn useful thing for using with serial consoles in clusters etc or secure
  console locations.  Using a custom gettytab entry for console with
  an entry like 'al=root' means that there is *always* a root login ready on
  the console.  This should replace hacks like those which go with conserver
  etc.  (This is a loaded gun, watch out for those feet!)
  
  Submitted by:  "Andrew J. Korty" <ajk@purdue.edu>
--<cut>--

-- Brooks


