UNIX for Dummies Questions & Answers

So just comment out or remove the line from /etc/inittab then

---------- Post updated at 10:41 ---------- Previous update was at 10:20 ----------

And again "you was able to init 5", but the others on the box? can they do so?
I think you still havent learnt the main thing : ROOT is GOD in unix...
Anyone root can do what he wants, just look at you! You are not connected as ping are you? And second thing after that is never connect unless needed (maintenance) as root but use su/sudo or equivalent.
There is a way to secure a box in a way there is no root account: It by using RBAC, but I tell you, the day you forget the name/passwd of the account which can grant you root privilege, you are doomed...

You are right but then i just wanted to disable the display (I know root can enable it again).
and root can do anything but some security guides says you need to remove execute permissions for root as well(to prevent accidental executing of some commands).
This is just a precaution taken to avoid executing init 5 and getting into graphical mode by root.
Is there any good method other than this?

That is why you should not be connected as root, and always use root privilege to its strictly minimum, when absolutely necessary...
In other words, unless you are bringing down the server for maintenance (and so you are in front of the console) you should never see a root connection...
you cant avoid root to type init 5, but you could limit root access by not using it as described previously, the TRUE first precaution is to give root access only to people that are in charge of the system. Its not the root access that is dangerous its the person using it!

---------- Post updated at 12:39 ---------- Previous update was at 12:28 ----------

You could perhaps look if you cannot like in HP-UX let only people belonging to a choosen group to be allowed to su root (that will limit the access if someone unauthorized gets hold of root passwd...) and use sudo yourself without passwd ( in case you are stressed by hierarchy to connect "as" and looking over your shoulders...)

---------- Post updated at 13:04 ---------- Previous update was at 12:39 ----------

That said, I agree with you on one point:
I noticed that (HP-UX) although:

Code:

ant:/home/vbe $ more /etc/securetty
console

I noticed that someone distant can connect using X via XDMCP and connect as root...
And so I went through X config files to find a way of blocking... but again who has root passwd? (In my case I was fighting against "collegues" who do have root passwd and use it rather than using their own account and "su"...)

---------- Post updated at 16:15 ---------- Previous update was at 13:04 ----------

Have a look at:
How can I enable/disable CDE (dtlogin)?

---------- Post updated at 16:21 ---------- Previous update was at 16:15 ----------

On my HP and IBM boxes I have a file : /usr/dt/config/Xstartup
copy it in /etc:

Code:

cp /usr/dt/config/Xstartup /etc/dt/config/Xstartup

#   -> edit /etc/dt/config/Xstartup with vi,
#   -> Add the following:
if [ $USER = root ]; then
exit 1
fi

I could see that you have xinetd is configured; meaning the /etc/xinetd.conf file has the configuration to invoke X on demand.

You actually don't need to rename the /etc/X11/prefdm, thats a display manager spawining script.

Instead why don't you simply comment out the relevant line inside the file /etc/xinetd.conf; where it invokes X?

Just open the file in vi and try to find line entry having 'X' in it, and put a '#' (a hash) at the begning of the same.

There is no such file

Code:

# find / -name xinetd.conf