
List:       bugtraq
Subject:    Re: Vulnerability in HP sysdiag??? and securetty - clarification
From:       "Nicolas J. Hammond" <njhm () ns ! njh ! com>
Date:       1996-09-26 6:09:26

Beebe, Todd wrote ...
> Funny thing..
>
> [...]
> annoying password.
>
> On a side note, if there are any SysAdmins out there using the
> /etc/securetty file as a means to disallow direct root login, don't. It
> also has a "bug" that HP support never gave me an answer for.  If you
> use xterm to login to your server it doesn't use the /etc/securetty file
> so the tty is not secure, you can get a direct login as root without
> any changes to the system.  I thought somewhere within C2 specifications
> it talked about disallowing direct root login....

This is not in the C2 requirements of the "Orange Book"
(the book that defines security class requirements).

--
Nicolas Hammond                                 NJH Security Consulting, Inc.
njhm@njh.com                                    211 East Wesley Road
404 262 1633                                    Atlanta
404 812 1984 (Fax)                              GA 30305-3774
