HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3, Chapter 2: Administering User and System Security

Protecting Unattended Terminals and Workstations

Unattended workstations and terminals are extremely vulnerable to unauthorized users. Like a front door left unlocked, they are open to anyone. This section explains the following ways to reduce that risk:

  • Control access using /etc/inittab and run levels. Edit /etc/inittab to identify which devices should run at different run levels.

  • Protect terminal device files by denying world access to user terminal sessions.

  • Configure the screen lock.

Controlling Access Using /etc/inittab and Run Levels

A run level is a system state in which a specific set of processes is permitted to run. The processes and default run levels are defined in /etc/inittab. Run levels are 0 through 6, s, or S. If a process is not at the same run level as the system, it is terminated. If a process is at the same run level, it is started or it continues to execute.

The following /etc/inittab entries enable a terminal and a modem line to run at selected run levels. Both ttp1 and ttp2 are assigned to run levels 2 and 3, so getty is respawned for them only while the system is at one of those levels:

ttp1:23:respawn:/usr/sbin/getty -h tty0p1 9600
ttp2:23:respawn:/usr/sbin/uugetty -h ttypd0p2 9600

The following example uses a cron job to change run levels after normal work hours, disabling the terminals and modems. During the day, the run level is 3 and the ttp1 and ttp2 terminals can be used because they are at run levels 2 and 3. At 8:00 a.m. from Monday through Friday, the system run level is set to 3:

# crontab -e
0 8 * * 1-5 /sbin/init 3
0 17 * * * /sbin/init 4

At 5:00 p.m. every day (the 17 in the previous example means 1700 hours, or 5:00 p.m.), the system run level is changed to 4. The ttp1 and ttp2 terminals cannot operate after 5:00 p.m. because they are at run levels 2 and 3 only, so init terminates their getty processes.
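To see which inittab entries survive such a run-level switch before scheduling it, the following added example (not part of the HP-UX guide) reads an inittab-style list and reports, for a given run level, which respawn entries init keeps and which it terminates. The inittab content is constructed for illustration; the ids and devices are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /etc/inittab format: id:rstate:action:process
INITTAB_SAMPLE='init:3:initdefault:
ttp1:23:respawn:/usr/sbin/getty -h tty0p1 9600
ttp2:23:respawn:/usr/sbin/uugetty -h ttypd0p2 9600
cons:123456:respawn:/usr/sbin/getty console console
lp:2:off:/sbin/lp'

# inittab_state LEVEL
# Prints "<id> active" or "<id> inactive" for every respawn entry.
# An entry is active only if LEVEL appears in its rstate field; all
# other respawn entries are the ones init kills on "init LEVEL".
inittab_state() {
    level=$1
    printf '%s\n' "$INITTAB_SAMPLE" |
    while IFS=: read -r id rstate action process; do
        case "$action" in
            respawn) ;;
            *) continue ;;   # skip initdefault, off, etc.
        esac
        case "$rstate" in
            *"$level"*) printf '%s active\n' "$id" ;;
            *)          printf '%s inactive\n' "$id" ;;
        esac
    done
}

# count_active LEVEL
# Number of respawn entries still running at LEVEL.
count_active() {
    inittab_state "$1" | grep -c ' active$'
}

# Daytime (run level 3) versus after-hours (run level 4)
echo "run level 3:"; inittab_state 3
echo "run level 4:"; inittab_state 4
```

Run it against a copy of a real /etc/inittab by replacing INITTAB_SAMPLE with `$(cat /etc/inittab)`.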

Protecting Terminal Device Files

If an intruder gains access to an open terminal, and other users' terminal device files are writable by the world, the intruder can redirect a command into another user's terminal session. In the following example, a remove (rm) command is redirected to /dev/tty0p0:

# echo "\r rm -r / \r\033d" > /dev/tty0p0

To prevent other users from writing to your terminal, use the mesg -n (or mesg n) command. This command removes write permission on your terminal device file for users who do not have the appropriate privileges. See mesg(1) and write(1) for more information. To apply it to every session, add it to your shell startup file:

# vi ~/.shrc
mesg n

Another way to protect an X workstation or terminal is to use the xhost command. See xhost(1) for more information. The xhost command defines the names of hosts and users who are allowed to make connections to the X server on the workstation. For example, the following allows connections from the host Another.system:

# xhost +Another.system

To allow all systems and users to access the workstation, thereby turning access control off, use the following command:

# xhost +

With access control off, any host that can reach the X server can open windows on the display or read keyboard input, so grant access to specific hosts instead wherever possible.

Configuring the Screen Lock

This section discusses how to configure the screen lock using the TMOUT variable and the CDE lock manager.

Configuring the TMOUT Variable

You can configure the TMOUT variable to automatically lock inactive terminals.

If you use other systems often and copy the .profile file from one system to another, adding the TMOUT variable to .profile is the more convenient choice. If you typically stay on one system, either method of locking the terminal (TMOUT or the CDE lock manager) can be used.

To configure the TMOUT variable, edit the .profile file as shown in the following:

# vi ~/.profile

export TMOUT=600 # (lock after 600 seconds of inactivity)

You can change the 600 to another desired value.

Configuring the CDE Lock Manager

You can configure the CDE lock manager to lock your screen after a certain amount of inactive time. To configure the CDE lock manager to lock the screen after 10 minutes of inactive time, copy the default resource file, then set dtsession*lockTimeout in the copy:

# cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources
# vi /etc/dt/config/C/sys.resources
dtsession*lockTimeout: 10

You can also use the Style Manager task panel to adjust the CDE lock manager. To do this, click on the screen icon.

© 2008 Hewlett-Packard Development Company, L.P.