From owner-freebsd-security Fri Jan 14 13:43:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from modemcable254.3-113-216.mtl.mc.videotron.net (modemcable254.3-113-216.mtl.mc.videotron.net [216.113.3.254]) by hub.freebsd.org (Postfix) with ESMTP id 36F4414D5C for ; Fri, 14 Jan 2000 13:43:11 -0800 (PST) (envelope-from lpreid@modemcable254.3-113-216.mtl.mc.videotron.net)
Received: (from lpreid@localhost) by modemcable254.3-113-216.mtl.mc.videotron.net (8.9.3/8.9.3) id QAA60036; Fri, 14 Jan 2000 16:42:53 -0500 (EST) (envelope-from lpreid)
Date: Fri, 14 Jan 2000 16:23:01 -0500
From: Louis-Philippe Reid
To: Nicholas Brawn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.
Message-ID: <20000114162301.B3133@modemcable254.3-113-216.mtl.mc.>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: ; from Nicholas Brawn on Fri, Jan 14, 2000 at 12:06:36PM +1100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Jan 14, 2000 at 12:06:36PM +1100, Nicholas Brawn wrote:
>
> Hi folks. I'm trying to configure my system so that I can disallow a
> particular user account from being able to login remotely, and forcing
> users to su to the account instead. How may I configure this?
>
> PS. Users may be using anything from telnet to ssh to login to the system,
> so I need something that works across the board.
>

This is a suggestion; in no way am I saying over here that this is a secure solution to the problem... I'm just throwing out an idea for discussion.

How about setting up a script that would check what the PPID of the current shell is and check whether this PPID is associated with another shell. If the PPID is an allowed shell (bash, sh, ...) then you know the user went through su.

Then you put this script in /etc/profile (or whatever is appropriate for the user's shell) and the script would get the UID of the user running the script and would check if it needs to apply the policy for this user. If the user is in the list and the PPID is not a shell, kill the current shell... It could even be the user's shell (a simple wrapper doing the job of checking PPID and then exec'ing the shell if the check is ok).

Quick hack... but there could be security drawbacks I'm not thinking of.

Bye!
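The /etc/profile check sketched above, written out as an added example (editor's code, not Louis-Philippe's or anything posted in the thread). The restricted account names and the list of parent commands taken to mean "came through su" are assumptions; the decision is kept in a pure function of (user, parent command) so it can be exercised without a real login.

```sh
#!/bin/sh
# Added example for /etc/profile: refuse a direct login to listed accounts
# unless the login shell's parent process indicates an su. Names are assumed.

RESTRICTED_USERS="operator backup"   # assumed: reachable only via su
# Parent commands read as "came through su": the caller's interactive shell
# when su execs the new shell in place (classic BSD su), or su itself when su
# forks first (newer FreeBSD su). A direct login shows sshd or login instead.
SU_PARENTS="sh csh tcsh bash ksh zsh su"

# in_list WORD LIST -> 0 when WORD is one of the space-separated words in LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# policy_verdict USER PARENT_COMM -> prints "allow" or "deny"
policy_verdict() {
    if ! in_list "$1" "$RESTRICTED_USERS"; then
        echo allow      # account not covered by the policy
    elif in_list "$2" "$SU_PARENTS"; then
        echo allow      # restricted account, but reached through su
    else
        echo deny       # restricted account logged in directly
    fi
}

# enforce_su_policy: resolve the real user and parent, log, end the session.
enforce_su_policy() {
    user=$(id -un)
    parent=$(ps -o comm= -p "$PPID" 2>/dev/null)
    if [ "$(policy_verdict "$user" "$parent")" = deny ]; then
        logger -p auth.warning -t su-policy \
            "direct login of restricted user $user (parent: ${parent:-?}) refused"
        echo "Direct logins to $user are not permitted; su from your own account." >&2
        kill -HUP "$$"  # terminate this login shell
        exit 1
    fi
}

# Only enforce when sourced by a login shell ($0 begins with "-"); executing
# this file as a plain script merely defines the functions.
case "$0" in
    -*) enforce_su_policy ;;
esac
```

Since /etc/profile is read only by login shells of sh-compatible users, and each user controls their own startup files, this is a policy aid and audit hook rather than an enforcement boundary.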