From owner-freebsd-security Sat Jan 15 14:29:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id A673414E82 for ; Sat, 15 Jan 2000 14:29:38 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id RAA53004; Sat, 15 Jan 2000 17:33:50 -0500 (EST) (envelope-from cjc) From: "Crist J. Clark" Message-Id: <200001152233.RAA53004@cc942873-a.ewndsr1.nj.home.com> Subject: Re: Disallow remote login by regular user. In-Reply-To: <20000114034446.6B2CA5D01E@mail.wzrd.com> from Dan Harnett at "Jan 13, 2000 10:44:46 pm" To: danh@wzrd.com (Dan Harnett) Date: Sat, 15 Jan 2000 17:33:50 -0500 (EST) Cc: ncb@zip.com.au (Nicholas Brawn), freebsd-security@FreeBSD.ORG Reply-To: cjclark@home.com X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dan Harnett wrote, > Hello, > > You could also set this particular user's shell to /sbin/nologin and make the > others use the -m option to su. But if you do this, remember, -m Leave the environment unmodified. The invoked shell is your lo- gin shell, and no directory changes are made. As a security pre- caution, if the target user's shell is a non-standard shell (as defined by getusershell(3)) and the caller's real uid is non-ze- ro, su will fail. You have to add '/sbin/nologin' to /etc/shells. -- Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message