Unattended workstations and terminals are extremely
vulnerable to unauthorized users. Like a front door left unlocked,
they are open to anyone. This section explains the following ways
to reduce that risk:
Control access using /etc/inittab and run levels. Edit /etc/inittab to identify
which devices should run at different run levels.
Protect terminal device files by denying world access
to user terminal sessions.
Configure the screen lock.
Controlling Access Using /etc/inittab and Run Levels |
 |
A run level is
a system state in which a specific set of processes is permitted to
run. The processes and default run levels are defined in /etc/inittab. Run levels are 0 through 6, s, or S. If
a process is not at the same run level as the system, it is terminated.
If a process is at the same run level, it is started or it continues
to execute.
Following is an example to enable terminals and
modems to be run at selected run levels. Both ttp1 and ttp2 are at run levels 2 and 3.
ttp1:23:respawn:/usr/sbin/getty -h tty0p1 9600
ttp2:23:respawn:/usr/sbin/uugetty -h ttypd0p2 9600 |
Following is an example of changing run levels
after normal work hours to disable terminals and modems using a cron job. During the day, the run level is 3 and the ttp1 and ttp2 terminals can be used
because they are at run levels 2 and 3. At 8:00 a.m. from Monday through
Friday, the system run level is set to 3:
0 8 * * 1-5 /sbin/init 3
0 17 * * * /sbin/init 4
At 5:00 p.m. every day (the 17 in the previous example means 1700 hours or 5:00 p.m.), the system
run level is changed to 4. The ttp1 and ttp2 terminals cannot operate after 5:00p.m. because they
are at run levels 2 and 3.
Protecting Terminal Device Files |
|
If an intruder gains access to an open terminal,
they can redirect a command to another terminal window. In the following
example, a remove (rm) command is redirected to /dev/tty0p0:
# echo
"\r rm -r / \r\033d" > /dev/tty0p0
To prevent messages from writing to a terminal,
you can use the mesg -n (or mesg n) command. This command revokes write permissions to users who do
not have the appropriate privileges. See mesg(1) and write(1) for more information.
# vi
~/.shrc
mesg n
Another way to protect the workstation or terminal
is to use the xhost command. See xhost(1) for more information. The xhost command defines the names of hosts and users who are allowed to
make connections to the workstation.
# xhost
+Another.system
To allow all systems and users to access the workstation,
thereby turning access control off, use the following command:
# xhost
+
Configuring the Screen Lock |
|
This section discusses how to configure the screen lock using
the TMOUT variable and the CDE lock manager.
Configuring the TMOUT Variable
You can configure the TMOUT variable to automatically lock inactive terminals.
If you use other systems often and if you copy
the .profile file from one system to another,
then adding the TMOUT variable to the .profile is more convenient. If you typically stay on
one system, then either method of locking the terminal can be used.
To configure the TMOUT variable,
edit the .profile file as shown in the following:
# vi
~/.profile
export TMOUT=600 # (lock after
600 seconds of inactivity)
You can change the 600 to another desired value.
Configuring the CDE Lock Manager
You can configure the CDE lock manager to lock
your screen after a certain amount of inactive time. To configure
the CDE lock manager to lock the screen after 10 minutes of inactive
time, enter the following commands:
# cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources
# vi /etc/dt/config/C/sys.resources
dtsession*lockTimeout: 10 |
You can also use the Style Manager task panel to
adjust the CDE lock manager. To do this, click on the screen icon.
Printable version
