NAME

       sulogin - single-user login program (Enhanced Security)

SYNOPSIS


DESCRIPTION

       The sulogin program is run by the init process on the console
       terminal when entering single-user mode. The sulogin program
       checks the system configuration to determine whether entering
       single-user mode requires entering the root password. If it
       does not, then sulogin execs /sbin/sh with its argv[0] set to
       "-". That same exec is also done if the root password is
       correctly entered.

       The  decision to enter the single-user mode depends on the
       state of the system configuration  files.   If  the  files
       cannot  be  read,  then defaults are assumed (as described
       below). Therefore, the loss of a configuration  file  does
       not prevent access to the system console for repairing the

       The sulogin program first checks the  /etc/rc.config  file
       for  the  SECURE_CONSOLE  variable.  If such a variable is
       present, and it is set to a  true  value  (either  "TRUE",
       "ON",  "YES",  or "1"), then the program asks for the root
       password. The value  of  the  SECURE_CONSOLE  variable  is
       checked  in a case-independent fashion, and only a minimal
       match is necessary. Thus,  the  value  is  really  checked
       against the following regular expression:

       If  the  SECURE_CONSOLE  variable is present, but does not
       have one of the true values, then sulogin does not ask for
       the root password, but simply execs /sbin/sh as previously

       If the SECURE_CONSOLE variable is not found in the
       /etc/rc.config file, or if that file is missing or unreadable,
       then an attempt is made to obtain the value of the console
       firmware setting of the SECURE variable, using the
       GSI_PROM_ENV function of the getsysinfo() system call. If the
       check determines the console commands are password-protected,
       the sulogin program requests the root password.

       If sulogin has made the decision to request the root password,
       it also determines whether BASE or ENHANCED security should be
       used to validate that password. This is done using the value
       of the SECURITY variable from the /etc/rc.config file, unless
       that file was not readable, in which case the
       /etc/sia/matrix.conf file is read, looking for a line
       beginning with the string "siad_ses_init=", and containing
       either "(OSFC2," or "(BSD,". If the /etc/rc.config file was
       readable, but the SECURITY variable was not set, then BASE
       security is assumed. (This is how the /sbin/init.d/security
       script initializes the /etc/sia/matrix.conf file, as well.)
       If the /etc/rc.config file cannot be read and the
       /etc/sia/matrix.conf file either cannot be read or does not
       have an appropriate siad_ses_init line, then the sulogin
       program checks to see whether the /etc/passwd file contains a
       valid entry for root and whether the getespwnam("root")
       function returns a valid extended profile. If both profile
       entries exist, but only one has a valid encrypted password
       field, that profile (and thus that security policy) is used.
       If both passwords are valid, the BASE security policy is used.

       Once the sulogin program has determined which security policy
       to use, it checks whether that policy has a valid account
       entry for user root (if not already checked while determining
       which policy to use), and whether that entry has a password
       that can be matched. If the password is impossible to match,
       or if no valid root profile exists, then sulogin prints a
       warning and execs /sbin/sh as previously described. For BASE
       security, a null encrypted password field for root causes the
       program to exec /sbin/sh without complaining.

       If there is a matchable root password, sulogin prints out
       "Single-user root login" and prompts for the password. If the
       entered password does not match (after the appropriate
       encryption if non-null), the program waits for 5 seconds (to
       deter break-in attempts), displays "Sorry", and reprompts. If
       the program is interrupted or receives an end-of-file
       condition while attempting to read a password from the console
       terminal, it simply exits. This normally causes init to enter
       multi-user mode (it depends on system configuration
       information in /etc/inittab, specifically the entry marked
       with "initdefault", which ships at runlevel "3"). This may
       also cause init to prompt for a run level, or to restart the
       sulogin program.

       Finally, if a password was collected, and it did match, the
       exec of /sbin/sh is done. If that exec fails, the reason for
       the failure is displayed, and the program sleeps for 5 seconds
       before exiting. Upon exiting, control of the console is
       returned to the init process, as previously described for
       interrupt or end-of-file.
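
       The decision flow described above, modelled as an added example for auditing a configuration (this is not sulogin's source or any Tru64 code). Assumptions: SECURITY="ENHANCED" is the spelling that selects ENHANCED, "(OSFC2," maps to ENHANCED and "(BSD," to BASE, only the four full true values are accepted because the minimal-match expression is not reproduced on this page, and the function names and sample inputs are constructed.

```python
import re

TRUE_VALUES = {"TRUE", "ON", "YES", "1"}  # full forms listed on the page

def rc_get(rc_text, name):
    """Last NAME=value assignment in rc.config text; None if absent/unreadable."""
    if rc_text is None:
        return None
    hits = re.findall(rf'^\s*{name}=["\']?([^"\'\n]*)', rc_text, re.M)
    return hits[-1].strip() if hits else None

def sulogin_outcome(rc_text, firmware_secure, matrix_text, base_pw, enh_pw):
    """rc_text/matrix_text: file contents, or None when unreadable.
    base_pw/enh_pw: root's encrypted password under each policy
    (None = no valid profile or unmatchable, "" = null, else a hash)."""
    secure_console = rc_get(rc_text, "SECURE_CONSOLE")
    if secure_console is not None:
        need_pw = secure_console.upper() in TRUE_VALUES
    else:                        # variable or file missing: ask the firmware
        need_pw = bool(firmware_secure)
    if not need_pw:
        return "shell"
    if rc_text is not None:      # assumed spelling: SECURITY="ENHANCED"
        security = (rc_get(rc_text, "SECURITY") or "BASE").upper()
        policy = "ENHANCED" if security == "ENHANCED" else "BASE"
    else:
        ses = [l for l in (matrix_text or "").splitlines()
               if l.startswith("siad_ses_init=")]
        if ses and "(OSFC2," in ses[0]:
            policy = "ENHANCED"  # assumed mapping: OSFC2 -> ENHANCED
        elif ses and "(BSD," in ses[0]:
            policy = "BASE"      # assumed mapping: BSD -> BASE
        else:                    # last resort: inspect root's two profiles
            only_enh = base_pw is None and enh_pw is not None
            policy = "ENHANCED" if only_enh else "BASE"
    pw = base_pw if policy == "BASE" else enh_pw
    if pw is None:
        return "shell+warning"   # nothing to match: warn, then /sbin/sh
    if pw == "" and policy == "BASE":
        return "shell"           # null BASE password: /sbin/sh, no warning
    return "prompt:" + policy

# Constructed inputs, not taken from a real system.
RC_ON = 'SECURE_CONSOLE="yes"\nexport SECURE_CONSOLE\nSECURITY="ENHANCED"\n'
RC_OFF = 'SECURE_CONSOLE="no"\nSECURITY="BASE"\n'
MATRIX = "siad_ses_init=(OSFC2,libexample.so)\n"
if __name__ == "__main__":
    print(sulogin_outcome(RC_OFF, True, None, "hash", "hash"))   # set but false
    print(sulogin_outcome(None, False, MATRIX, "hash", "hash"))  # rc.config lost
```

       Both sample calls return "shell": a SECURE_CONSOLE that is present but not true skips the firmware check entirely, and an unreadable rc.config leaves the firmware SECURE setting as the only thing standing between the console and a root shell.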

FILES

       /tcb/files/auth.db (/tcb/files/auth/r/root)

SEE ALSO

       login(1),    getpwnam(3),   getespwnam(3),   dispcrypt(3),
       matrix.conf(4), init(8)

