shell for certification exam

Jason Holt jason at
Wed Nov 9 00:46:03 MST 2005

On Tue, 8 Nov 2005, Alan K Melby wrote:

> Can you set up [Knoppix] Linux so that it is impossible, or at least 
> difficult, for a user to switch to a virtual terminaln without re-booting?

Thanks for keeping us on-task; it's easy to get distracted into abstract 
security discussions.

The file /etc/inittab controls what happens on the virtual terminals.  So 
users may be able to switch to them, but the inittab says whether there will 
be anything useful on them.  On my Ubuntu Linux machine, this is the part of 
the file I'd comment out (by adding # at the beginning of each line, just like 
the comment stuff at the top):

# /sbin/getty invocations for the runlevels.
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
# Format:
#  <id>:<runlevels>:<action>:<process>
# Note that on most Debian systems tty7 is used by the X Window System,
# so if you want to add more getty's go ahead but skip tty7 if you run X.
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6

The fact that it's running getty on each of the tty1-6 is what tells it to put 
login prompts on the virtual terminals.  This part of the file might also be 
something to comment out:

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

One technique that can be very good at keeping users from playing around, but 
takes a little more setting up is called a "chroot jail".  chroot makes a 
program think that a particular directory is actually the root directory "/" 
of the entire system.  You can have chroot automatically run when the system 
starts and the default user is automatically logged in.  If you disable write 
permission for that user in the chroot directory, the user won't be able to 
create any files in the jail.  Then you put copies of just the programs the 
user is allowed to run inside the jail.


More information about the PLUG mailing list