Locking out root!

This is not as far fetched as it sounds; every Macintosh OS X system comes configured this way out of the box: the root account is disabled (it has no password set), so nobody can log in as root unless an administrator deliberately enables it.

How does one do things as root then? I shall reveal the secret…

First of all, make sure that the program sudo is installed and correctly configured: it must allow you (or the system owner) to switch to root. Test this directly, before doing anything to the root account, because once root is locked sudo is your only way back in.

Once you have verified that you can switch to root using sudo, it is time to actually lock the root account. Before doing so, open a root shell (with sudo, or by logging in directly as root) and keep it open until you have confirmed that sudo still works afterwards. Then execute:

# passwd -l root

There! Now no one can log in as root; don’t you feel much better? Well… you can still become root (by using sudo), but logging in directly as root is impossible. Be clear about what the lock covers: on Linux, passwd -l only invalidates the password (it prefixes the hash with “!”). Anything that becomes root without consulting the password keeps working: sudo itself, cron jobs, and an SSH key in root’s authorized_keys. If root has such a key, also set PermitRootLogin no in sshd_config, or the lock is cosmetic.

If passwd does not recognize the -l option, then lock the entry by hand: put an asterisk (*) into the password field of the account, wherever your system keeps it (/etc/passwd, /etc/shadow, or /etc/master.passwd), using vipw so that the password database and any files derived from it stay consistent. HP-UX, Linux, and Solaris all recognize the -l option; FreeBSD uses -l for a different purpose (it means “update only the local password file”) and locks accounts with pw lock instead.

For FreeBSD (and quite probably OpenBSD and NetBSD as well), use the vipw command to lock out not only the root account but the toor account as well. The toor account is a second superuser entry with the same user id (0) as root, provided so that an alternative shell can be configured without touching root’s own entry; it normally ships without a usable password, but check rather than assume.
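The two checks the procedure above depends on (does sudo work, and is root really locked afterwards) are easy to script. The following is an added example and not part of the original post: it inspects the password field the way passwd -l or vipw leaves it, and also checks sshd_config for PermitRootLogin, since a locked password does not stop key-based root logins. The audit functions work on any colon-separated password file and sshd_config you hand them, so they can be tried on constructed copies; the file locations (/etc/shadow, /etc/master.passwd, /etc/ssh/sshd_config), the passwd -S status output, and the lock markers of each platform are assumptions based on a typical Linux, BSD, Solaris or HP-UX box.

```shell
#!/bin/sh
# Added example, not from the original post: verify the state the text asks for
# before and after locking root. The audit works on whatever files it is given,
# so it can be exercised on constructed copies; on a live system pass
# /etc/shadow (or /etc/master.passwd) and /etc/ssh/sshd_config.

# Return 0 if password field $1 is in the state passwd -l / vipw leaves it:
# "!..." (Linux shadow-utils), "*LK*..." (Solaris), "*" (HP-UX, hand-edited BSD).
# An empty field is NOT locked: it means no password is required at all.
is_locked_hash() {
    case "$1" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the password field of user $1 from colon-separated file $2.
password_field() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# Return 0 if user $1 exists in file $2 and has a locked password field.
account_locked() {
    field=$(password_field "$1" "$2")
    [ -n "$field" ] || return 1
    is_locked_hash "$field"
}

# Locking the password only disables password authentication. With a key in
# root's authorized_keys, root can still log in over ssh unless sshd forbids
# it. Return 0 if sshd_config $1 has an effective "PermitRootLogin no"
# (sshd honours the first occurrence; commented lines do not count; the
# OpenSSH default when the directive is absent is prohibit-password, not no).
root_ssh_denied() {
    awk 'tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
         END { if (v == "no") exit 0; exit 1 }' "$1"
}

# The live procedure from the text, to run as your normal user: prove sudo
# works first, then lock, then show the result. passwd -S is shadow-utils
# (Linux) only; an "L" in its second field means locked (assumption).
lock_root() {
    sudo -v || { echo "sudo does not work for you; leaving root alone" >&2; return 1; }
    sudo passwd -l root
    sudo passwd -S root
}

# Stand-alone use:  sh rootlock.sh lock
#                   sh rootlock.sh audit /etc/shadow /etc/ssh/sshd_config
case "${1:-}" in
    lock)  lock_root ;;
    audit) if account_locked root "$2"; then echo "root: password locked"; else echo "root: password NOT locked"; fi
           if root_ssh_denied "$3"; then echo "sshd: root login denied"; else echo "sshd: root login still permitted"; fi ;;
esac
```

The audit deliberately reports an empty password field as "not locked": that is the one state worse than an unlocked root, and it is exactly what a careless hand edit of the password field can produce.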

When combined with the wheel group, this will lock down your root account quite effectively. Just don’t stop there: remember to use multiple defenses. However, that’s a topic for another day.

Update: This is most useful in situations where a normal user will always be able to log in (workstations come to mind). If your normal users are authenticated via NIS, Active Directory, or LDAP, don’t do this! When the directory server is unreachable, none of the users can log in, and with root locked out there is no local account left to recover the machine with. Keep at least one local (non-directory) account that can sudo before you lock root.

Researching the Dynamic Loader on Any System

When looking for information about the dynamic loader and shared libraries in general, there are several places to look. The obvious Internet location is Google; however, the system itself carries a lot of information about shared libraries if one only knows where to look.

The first place is the dynamic loader’s man page. Unfortunately, the loader’s name differs from one UNIX to the next (the Linux name is close to universal across distributions, but not beyond them). Start by looking in /lib (on 64-bit Linux, also /lib64) for a file whose name contains the string “ld” (or perhaps “dl”). On Linux (a 32-bit system with glibc 2.6, in this case), this produces:

# cd /lib && ls -d *ld*
ld-2.6.so ld-linux.so.2

The Linux loader is ld-linux.so.2, a symbolic link to the versioned file ld-2.6.so (on 64-bit systems it is /lib64/ld-linux-x86-64.so.2); its man page is ld.so(8), which also answers to ld-linux.so. A more reliable way to identify the loader on any ELF system is to ask a dynamically linked binary which program interpreter it requests: readelf -l /bin/ls | grep interpreter.

On HP-UX (this ls marks executables with * and symbolic links with @), this produces:

# cd /lib && ls -d *ld*
dld.sl* libdld.2* libldap_send.1*
libdld.0@ libdld.sl@ libldap_send.sl@
libdld.1* libldap.sl@ libnss_ldap.1*

Here, the proper loader is dld.sl.

Looking at the man page for ld-linux.so or dld.sl, or whatever was found, gives a vast amount of information directly related to the dynamic loader and how it loads shared libraries: the search order, the environment variables that alter it (LD_LIBRARY_PATH and LD_PRELOAD on Linux, SHLIB_PATH on HP-UX), the tracing facilities that report how libraries are found and loaded (LD_DEBUG=libs on Linux), and, importantly for anything set-user-ID, which of those variables the loader ignores or restricts when a program runs with elevated privileges.

This man page will also mention utilities that will help you manipulate shared libraries. For example, the Linux man page for ld-linux.so mentions ldconfig(8); the HP-UX man page for dld.sl mentions the utilities fastbind(8) and chatr(8).

There are other utilities that are fairly generic across systems and which can help, though they tend to be present only on machines configured for development: if the development tools are not installed, they may be missing. They include:

  • ldd – list the shared libraries a binary uses (on many systems ldd works by running the program under the loader with a tracing variable set, so never point it at an untrusted binary; objdump -p or readelf -d shows the NEEDED entries without executing anything)
  • nm – list symbols from program binaries and/or libraries
  • objdump – display information from binaries and/or libraries
  • readelf – display information from ELF-formatted binaries

Always look at the SEE ALSO section in order to find more information.
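The most direct answer to “which loader does this system use?” is the PT_INTERP entry of any dynamically linked binary, and it can be read without readelf and without running the binary the way ldd would. The following is an added example, not something from the original post: a POSIX shell function that parses the ELF header and program headers with od and dd and prints the requested interpreter. It assumes a little-endian ELF file (x86, x86-64 and the usual ARM builds); big-endian or non-ELF input is rejected rather than misparsed, and HP-UX PA-RISC SOM binaries are simply reported as having no ELF interpreter.

```shell
#!/bin/sh
# Added example, not from the original post: print the dynamic loader a binary
# asks for by reading its ELF PT_INTERP entry with od and dd only. readelf -l
# shows the same field as "Requesting program interpreter"; unlike ldd, this
# never executes the file. Assumption: little-endian ELF32/ELF64 input.

# Print $3 bytes at offset $2 of file $1 as space-separated unsigned decimals.
bytes_at() {
    od -An -v -t u1 -j "$2" -N "$3" "$1" | tr -s ' \n' ' '
}

# Assemble a little-endian integer from the decimal bytes given as arguments.
le_int() {
    v=0; shift_by=0
    for b in "$@"; do
        v=$(( v | (b << shift_by) ))
        shift_by=$(( shift_by + 8 ))
    done
    echo "$v"
}

# Print the PT_INTERP path of ELF file $1 (what the kernel execs to load it).
# Return 1 for non-ELF, big-endian, or static/interpreter-less files.
elf_interp() {
    f=$1
    set -- $(bytes_at "$f" 0 6)
    [ "$1" = 127 ] && [ "$2" = 69 ] && [ "$3" = 76 ] && [ "$4" = 70 ] || return 1
    [ "$6" = 1 ] || return 1                  # EI_DATA: 1 = little-endian
    if [ "$5" = 2 ]; then                     # EI_CLASS: 2 = ELF64
        phoff=$(le_int $(bytes_at "$f" 32 8))
        phentsize=$(le_int $(bytes_at "$f" 54 2))
        phnum=$(le_int $(bytes_at "$f" 56 2))
        off_at=8; size_at=32; word=8          # p_offset / p_filesz positions
    else                                      # ELF32
        phoff=$(le_int $(bytes_at "$f" 28 4))
        phentsize=$(le_int $(bytes_at "$f" 42 2))
        phnum=$(le_int $(bytes_at "$f" 44 2))
        off_at=4; size_at=16; word=4
    fi
    i=0
    while [ "$i" -lt "$phnum" ]; do
        ph=$(( phoff + i * phentsize ))
        if [ "$(le_int $(bytes_at "$f" "$ph" 4))" = 3 ]; then   # PT_INTERP
            ioff=$(le_int $(bytes_at "$f" $(( ph + off_at )) "$word"))
            isz=$(le_int $(bytes_at "$f" $(( ph + size_at )) "$word"))
            # p_filesz includes the terminating NUL, which tr strips off.
            dd if="$f" bs=1 skip="$ioff" count="$isz" 2>/dev/null | tr -d '\000'
            echo
            return 0
        fi
        i=$(( i + 1 ))
    done
    return 1
}

# Stand-alone use:  sh elfinterp.sh /bin/ls /usr/bin/env
for f in "$@"; do
    printf '%s: ' "$f"
    elf_interp "$f" || echo "(no ELF program interpreter)"
done
```

Run it over /bin/ls and you get the loader path the man page belongs to; run it over the loader itself and it reports no interpreter, because the loader is the one ELF object the kernel maps without help.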

Using the Wheel Group in HP-UX (or UNIX in general)

Many versions of UNIX do not support the wheel group at all; Hewlett-Packard’s HP-UX is one of these. The main focus and purpose of a wheel group can be summarized thus: not everyone should be able to run the su command. Where the operating system has no notion of wheel, ordinary file permissions on the su binary do the job.

To accomplish this does not require a lot. First, the wheel group must be created. Add the group to the /etc/group file (with groupadd, or by editing the file directly):

wheel:*:0:root,dgd

It is not strictly required that the wheel group have group id 0, but it is entirely appropriate here. Bear in mind that any group with gid 0 gives its members group access to every file owned by the root group, so if that is more than you intend, give wheel a gid of its own. Don’t forget to add yourself (your normal userid) to this group. The next step is to check the su command:

# ls -ld `which su`
-r-sr-xr-x 1 root bin 19588 Mar 20 2005 /usr/bin/su

Note that this binary is setuid root (the s in the owner’s execute position); this must be preserved in order for su to work at all. The group ownership and the permissions, however, must change in order for the wheel group to take effect. Two things must be changed:

  1. World permissions (“other”) must be revoked
  2. Wheel group members must be able to execute this command

These requirements are satisfied by changing the group first and the mode second. The order matters: on Linux, chown(2) clears the setuid bit even when root performs the change, so doing the chmod first would leave a su that cannot switch to anyone. Verify the result with ls -ld before you log out of your root shell:

# chown root:wheel `which su`
# chmod 4550 `which su`
# ls -ld `which su`
-r-sr-x--- 1 root wheel 19588 Mar 20 2005 /usr/bin/su

This is only the beginning, but it satisfies the initial requirements. The rest is optional, but makes life easier for the administrators in the wheel group. In particular, change the group and permissions on the log files (chgrp wheel, mode 640) so that wheel members can read them without having to switch to root.
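The whole procedure, checks included, fits in a short script. The following is an added example, not code from the original post: the check functions work on an ls -ld line and an /etc/group-format file (so they can be exercised on constructed input by anyone), while apply_wheel_su is the live step that must run as root and does the chown before the chmod for the reason given above. The su path, the group name wheel, and HP-UX’s /var/adm/syslog/syslog.log as the log to share are assumptions taken from the text.

```shell
#!/bin/sh
# Added example, not from the original post: check and apply the wheel-group
# lockdown of su. The check functions take their input as arguments so they
# can be tested on constructed data; apply_wheel_su changes the live system
# and must run as root.

# Return 0 if the `ls -ld` line $1 describes su the way the text requires:
# owner root, group wheel, setuid set (the 's' in the owner triple), group
# execute set, and no permissions at all for "other". GNU ls may append
# "." or "+" to the mode for SELinux/ACL context; that suffix is stripped.
su_line_ok() {
    set -- $1
    mode=${1%[.+]}; owner=$3; group=$4
    case "$mode" in
        -??s??[xs]---) [ "$owner" = root ] && [ "$group" = wheel ] ;;
        *) return 1 ;;
    esac
}

# Return 0 if the /etc/group-format file $2 has a wheel group listing user $1.
wheel_has_user() {
    awk -F: -v u="$1" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { if (found) exit 0; exit 1 }' "$2"
}

# Live step. Ownership is changed BEFORE the mode: on Linux, chown(2) clears
# the setuid bit even when root calls it, so chmod first, chown second would
# leave a su that cannot switch users. Refuse to finish silently if the
# result does not pass su_line_ok.
apply_wheel_su() {
    su_path=$(command -v su) || return 1
    chown root:wheel "$su_path"
    chmod 4550 "$su_path"
    line=$(ls -ld "$su_path")
    echo "$line"
    su_line_ok "$line" || { echo "su permissions still wrong; fix before logging out" >&2; return 1; }
}

# Optional follow-up from the text: let wheel members read the logs without su.
# /var/adm/syslog/syslog.log is HP-UX's default syslog file (assumption).
share_logs_with_wheel() {
    for log in "$@"; do
        chgrp wheel "$log" && chmod 640 "$log"
    done
}

# Stand-alone use:  sh wheel.sh --check   (anyone)
#                   sh wheel.sh --apply   (root)
case "${1:-}" in
    --check) line=$(ls -ld "$(command -v su)"); echo "$line"
             if su_line_ok "$line"; then echo "su is restricted to wheel"; else echo "su is NOT restricted to wheel"; fi
             if wheel_has_user "$(id -un)" /etc/group; then echo "you are in wheel"; else echo "you are NOT in wheel"; fi ;;
    --apply) apply_wheel_su && share_logs_with_wheel /var/adm/syslog/syslog.log ;;
esac
```

Run --check as your normal user after --apply: if it says you are not in wheel, fix /etc/group and log in again before you close the root shell, or su is gone for you as well.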