
[Tiger-devel] [RFC] Moving some check_root checks into OS specific check


From: Ryan Bradetich
Subject: [Tiger-devel] [RFC] Moving some check_root checks into OS specific checks.
Date: 25 Jun 2003 22:30:08 -0600

Hello all,

I really like the ideas presented in the check_root script, but I think
some of the checks need to be broken out into OS specific checks. 
Specifically I am thinking the /etc/securetty type checks.  The
application checks (like ftpusers, xdm, gdm, etc.) are fine.  I am also
planning on adding a sshd check to this script.

The reason I believe the /etc/securetty type checks need to be system
specific is because the files have a meaning if they do not exist on the
system.

Take Linux and HP-UX for example:

If /etc/securetty is not present, then root is still allowed to login
from the network.  The generic check_root script does not take the
missing file into consideration, so the check is passed.

The other reason I think it would be nice to break this check out into
platform specific checks is different constraints and device files can
be used for different platforms.

i.e. Linux has virtual consoles, and we usually allow root to login
remotely from the console and the virtual consoles.  HP-UX does not have
virtual consoles, so we usually only allow root to login remotely from
the console.  Linux uses /dev/ttyp device files, whereas HP-UX uses
/dev/pts/* device files.

Any thoughts and/or feedback?

Thanks,

- Ryan

P.S. I can produce the patches for HP-UX and Linux, but I do not
currently have access to other platforms to test on.
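
Added example, not part of the original message and not Tiger's own code: a sketch of a platform-aware /etc/securetty check in which a missing file is reported as a failure and the permitted entries differ between Linux and HP-UX. The function name `check_securetty`, the message text and the allowed-entry patterns are assumptions that follow the policy described in the message.

```shell
#!/bin/sh
# Hypothetical helper: check_securetty OS FILE
# Returns 0 on pass, 1 on a finding, 2 when no policy exists for OS.
check_securetty() {
    os=$1
    file=$2
    # Assumed policy, taken from the message: Linux permits the console and
    # virtual consoles, HP-UX permits only the console.
    case $os in
        Linux) allowed='console|tty[0-9]+|vc/[0-9]+' ;;
        HP-UX) allowed='console' ;;
        *) echo "UNKNOWN: no securetty policy for $os"; return 2 ;;
    esac
    # A missing file is a finding, not a pass: without it root may still
    # log in from the network on these platforms.
    if [ ! -f "$file" ]; then
        echo "FAIL: $file missing, root may log in from the network"
        return 1
    fi
    # Drop comments, whitespace and blank lines, then keep only the
    # entries that fall outside the platform's allowed set.
    bad=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$file" |
          grep -Ev "^($allowed)\$" || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | while read -r entry; do
            echo "FAIL: $file allows root login on $entry"
        done
        return 1
    fi
    echo "PASS: $file restricts root to permitted console devices"
    return 0
}

# Constructed sample: the same file judged under both platform policies,
# followed by the missing-file case.
tmp=$(mktemp)
printf '# constructed sample\nconsole\ntty1\n' > "$tmp"
check_securetty Linux "$tmp" || true
check_securetty HP-UX "$tmp" || true
check_securetty Linux "$tmp.absent" || true
rm -f "$tmp"
```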





