From owner-freebsd-security  Sun Jan 16 10: 0:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70])
	by hub.freebsd.org (Postfix) with SMTP id 77E7414ED2
	for <freebsd-security@FreeBSD.ORG>; Sun, 16 Jan 2000 10:00:48 -0800 (PST)
	(envelope-from oogali@intranova.net)
Received: (qmail 21297 invoked from network); 16 Jan 2000 13:02:53 -0000
Received: from hydrant.intranova.net (user69151@209.201.95.10)
  by blacklisted.intranova.net with SMTP; 16 Jan 2000 13:02:53 -0000
Date: Sun, 16 Jan 2000 12:58:05 -0500 (EST)
From: Omachonu Ogali <oogali@intranova.net>
To: Jonathan Fortin <jonf@revelex.com>
Cc: cjclark@home.com, Dan Harnett <danh@wzrd.com>,
	Nicholas Brawn <ncb@zip.com.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.
In-Reply-To: <Pine.BSO.4.21.0001151751410.2416-100000@revelex.com>
Message-ID: <Pine.BSF.4.10.10001161256500.78224-100000@hydrant.intranova.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you add it to /etc/shells then it allows an user to login via FTP since
the FTP daemon checks to see if the users shell returned by
getpwnam()/getpwuid() exists in /etc/shells, if it does then it allows a
successful connection/login, and this is what he wants to prevent.

Omachonu Ogali
Intranova Networking Group

On Sat, 15 Jan 2000, Jonathan Fortin wrote:

> 
> Hello,
> 
> You could also set the users shell to /bin/false and add it in /etc/shells
> and use the -m option.
> 
> 
> jonf@revelex.com
> 
> On Sat, 15 Jan 2000, Crist J. Clark wrote:
> 
> > Dan Harnett wrote,
> > > Hello,
> > > 
> > > You could also set this particular user's shell to /sbin/nologin and make the
> > > others use the -m option to su.
> > 
> > But if you do this, remember,
> > 
> >      -m      Leave the environment unmodified.  The invoked shell is your lo-
> >              gin shell, and no directory changes are made.  As a security pre-
> >              caution, if the target user's shell is a non-standard shell (as
> >              defined by getusershell(3))  and the caller's real uid is non-ze-
> >              ro, su will fail.
> > 
> > You have to add '/sbin/nologin' to /etc/shells.
> > -- 
> > Crist J. Clark                           cjclark@home.com
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> > 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message