[Info-vax] prevent user login during and after startup
Norm Raphael
norman.raphael at verizon.net
Thu Sep 18 13:12:51 EDT 2014
> On 09/18/14, Henry Crun <mike at rechtman.com> wrote:
>
> On 18/09/14 06:29, Craig A. Berry wrote:
> > On 9/17/14, 1:24 PM, Stephen Hoffman wrote:
> >
> >> Get rid of OPER, and this particular problem goes away. Possibly some
> >> other problems, too, depending on what else OPER is being (mis)used for.
> >
> > One way to do that would be to allow specific users to impersonate an
> > account with OPER privilege, using, for example Jonathan Ridler's JUMP
> > utility, which can (if you want) log every keystroke executed while
> > under impersonation and otherwise monitor what's going on with the
> > impersonated account and who's doing the impersonation.
> >
> > The key point for the OP's particular problem is that they would have to
> > log into their own accounts first and could only acquire OPER privilege
> > via a separate step, so until they are already logged in they are just
> > non-privileged users and can be locked out via normal means.
> >
> Which suggests giving them "/priv=OPER/defprv=NOOPER" so that they can only
> obtain OPER privs *after* they login, perhaps even automagically through
> SYSLOGIN

...or LOGIN.COM

I like this the best so far, but it still depends on why any one of these users has OPER.
If it is to let them in when logins are disabled, a fight will ensue. If not, the above
should work fine, but it would still be a good idea to have the conversation about
OPER at some level, and maybe some other entitlements, also.

> --
> Mike R.
Norman F. Raphael
"Everything worthwhile eventually
degenerates into real work." -Murphy
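
The arrangement discussed in the message above (OPER authorized but not a default privilege, enabled from LOGIN.COM or SYLOGIN.COM once the login has succeeded), as an added DCL example that is not part of the original thread. The username JSMITH is a hypothetical placeholder.

```dcl
$! Added illustration; JSMITH is a hypothetical username.
$!
$! Step 1 (system manager): keep OPER in the authorized privilege set
$! but remove it from the default set the process starts with.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
MODIFY JSMITH /PRIVILEGES=OPER /DEFPRIVILEGES=NOOPER
SHOW JSMITH
EXIT
$!
$! Step 2 (fragment for the user's LOGIN.COM, or for SYLOGIN.COM):
$! enable OPER only after an interactive login has already completed.
$ IF F$MODE() .EQS. "INTERACTIVE"
$ THEN
$     SET PROCESS/PRIVILEGES=OPER
$     IF .NOT. F$PRIVILEGE("OPER") THEN -
          WRITE SYS$OUTPUT "OPER is not authorized for this account"
$ ENDIF
$!
$! Step 3 (check from the logged-in session): list the process's
$! current privileges to confirm what is enabled.
$ SHOW PROCESS/PRIVILEGES
```

The SHOW output in step 1 lists authorized and default privileges separately, so OPER should appear only under the authorized set.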