Ok, some programs that seem to be a problem:
/bin/login
/bin/su
/bin/passwd
Solutions ?
chmod 700 /bin/login
- only daemons running as root should execute login
anyway, and doing it other ways should be discouraged.
Remember, this is the bastion host, not an ordinary
host giving user privs.
chmod 700 /bin/su
- put "console" in /etc/securettys and force any root
activity to be done from console. Inconvenient for
you and inconvenient for someone who might discover
the root password.
chmod 700 /bin/passwd
- Well, firstly, use of skey or some other authentication
scheme is probably better in place here, as this is the
host typically used by "in the field" people, logging
back into work, for whatever reason. In other cases,
well, how many would agree that "A well chosen password
is better than having to change it regularly" ? Until
you can crack crypt in an economical way. Also means
people have to come and see you to change passwords..in
a small operation, this would be not so bad and maybe
positive and get your users to care more (hope!).
Others ?
Someone mentioned auditing users being a problem with them typing "login"
again to relogin. An interesting feature of Pyramid's OSx 5.1 (not sure
about their other products) is the concept of an "auth id", which no
matter how many times you su, use setruid(), seteuid(), setuid(), can
only be set once (through the traditional system call interface - not
counting writing /dev/kmem but with this as an immutable file under 4.4,
it could be interesting :). However, from what I can tell, this isn't
used in process accounting logs anywhere. Do any of the other Unix
variants support a similar feature in the kernel ? (Perhaps it is
something a few more of them could add - even as a standard part!)
Darren
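
A check for the three `chmod 700` changes listed in the message above, as an added example that is not part of the original post: it reports any of /bin/login, /bin/su and /bin/passwd that group or other can still access, or that is not owned by root. The prefix and expected-uid arguments are assumptions added so the audit can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: verify the chmod 700 hardening of the binaries named above.
# The prefix and expected-uid arguments are assumptions of this sketch, so the
# audit can run against a constructed tree instead of the live system.

# Print "<octal mode> <owner uid>" (GNU stat first, BSD stat as fallback).
file_stat() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# audit_bastion_binaries [prefix] [expected_uid]
# Prints one OPEN line per binary that group/other can touch or that is not
# owned by expected_uid (default 0, root). Returns the number of findings.
audit_bastion_binaries() {
    prefix=${1:-}
    want_uid=${2:-0}
    findings=0
    for f in /bin/login /bin/su /bin/passwd; do
        path="$prefix$f"
        if [ ! -e "$path" ]; then
            echo "ABSENT $f"
            continue
        fi
        info=$(file_stat "$path") || continue
        mode=$(printf '%03d' "${info% *}")
        uid=${info#* }
        case "$mode" in
            *00) perms_ok=1 ;;   # e.g. 700, 4700: no group/other bits
            *)   perms_ok=0 ;;
        esac
        if [ "$perms_ok" -eq 0 ] || [ "$uid" != "$want_uid" ]; then
            echo "OPEN $f mode=$mode uid=$uid"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Called with no arguments on the bastion host, it audits the live paths; the return value is the number of binaries still needing attention.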