Most Unix versions provide some mechanism for limiting direct
root logins to certain terminal lines. Note that
these mechanisms have no effect on the ability of a user to gain
root access via the
su command. We’ll consider the ones offered by
each operating system in turn.
As we’ve seen earlier in this chapter, FreeBSD allows you to state explicitly whether direct root logins may take place on a line-by-line basis via the secure keyword in /etc/ttys . For example, these entries allow root logins on the terminal connected to the first serial line, but not on the terminal connected to the second serial line:
# name getty type flags ttyd0 "/usr/libexec/getty std.9600" vt100 on secure ttyd1 "/usr/libexec/getty std.9600" vt100 on
FreeBSD also provides general user class-based terminal restrictions via the ttys.allow and ttys.deny attributes in /etc/login.conf. See Section 6.2 for details.
Under Solaris, if the file /etc/default/login contains a CONSOLE entry, direct root logins are limited to that device. For example, this entry limits root logins to the system console:
On HP-UX systems, the file /etc/securetty lists devices where root is allowed to log in. Here are some sample entries:
console tty00 tty01
Note that /dev/ is not included in the line designation. The HP-UX file restricts access to the listed terminal lines to privileged users, rather than applying only to root.
Tru64 uses the file /etc/securettys in a similar manner: