From owner-freebsd-stable Thu Jul 16 05:56:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA05360 for freebsd-stable-outgoing; Thu, 16 Jul 1998 05:56:17 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from ppc1.cybertime.ch (ppc1.cybertime.ch [194.191.120.136]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id FAA05352 for ; Thu, 16 Jul 1998 05:56:13 -0700 (PDT) (envelope-from pajarola@cybertime.ch)
Received: from tyr.cybertime.ch by ppc1.cybertime.ch (AIX 4.1/UCB 5.64/4.03) id AA14362; Thu, 16 Jul 1998 14:55:52 +0200
Message-Id: <3.0.32.19980716145425.00726d20@www.dlc.cybertime.ch>
X-Sender: pajarola@www.dlc.cybertime.ch
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 16 Jul 1998 14:57:16 +0200
To: "FreeBSD stable"
From: Rico Pajarola
Subject: Re: Finger and getpwent
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I think something like this should go into /etc/login.conf. I already use the
nologin file (which can be set per login-class) to make ftp-only accounts, and
the ftpusers file to make email-only accounts. I like this solution because it
looks 'clean' to me, but it's by far not complete. And the nicest login.conf
doesn't help you if the programs you use don't look at it (and afaik only login
itself looks at it yet, guess why it's called login.conf).

Rico

At 16:24 16.07.98 +1000, John Saunders wrote:
>>I've always been under the impression that shell and FTP checking
>>/etc/shells and mail services *not* doing so was a deliberate
>>design decision, not an oversight.
>
>Until something better is implemented there are good reasons
>for both sides. I have modified pppd, ftpd and qpopper to check
>for a valid shell. However if a valid shell is not found I made
>pppd check for "PPP", ftpd check for "FTP", and qpopper check
>for "POP" in the shell field using strstr(). So I can configure
>an account with a shell of "POP,FTP" to enable both those services
>but not shell logins.
>
>While this suits my system it's not entirely flexible, I can't
>provide shell access but not FTP access for example. What is
>needed is an addition system where the user has a list of service
>type attributes associated with them. Then each service would
>check the attributes to see if the user is allowed to access the
>service. e.g. a config file like...
>
>fred:shell ppp telnet
>joe:ppp pop
>mary:telnet pop ftp
>*:shell ppp
>
>Then a library call like checkaccess(char *user, char *service)
>
>I believe the early shadow password suite used on Linux started
>to have something similar but it didn't look completed when I
>last looked at it. I think PAM has superseded shadow now anyway.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
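An added example, not code from the thread or from FreeBSD: a C sketch of the checkaccess() lookup John proposes above, parsing the "user:service service ..." format with "*" as the default entry. It takes the config text as an extra parameter (the proposal's signature is checkaccess(user, service)) so it runs offline on a constructed sample, and it matches whole tokens rather than using strstr(), which is my choice; an explicit user entry wins over "*", and a user with no matching entry at all is denied.

```c
#include <string.h>

/* Constructed sample config in the format proposed in the thread:
 * "user:service service ...", one user per line, "*" as the default. */
static const char *sample_cfg =
    "fred:shell ppp telnet\n"
    "joe:ppp pop\n"
    "mary:telnet pop ftp\n"
    "*:shell ppp\n";

/* Whole-token membership test.  Comparing whole tokens rather than using
 * strstr() avoids substring false positives ("pop" matching "popup"). */
static int list_has_service(const char *list, size_t len, const char *service)
{
    size_t slen = strlen(service), i = 0;
    while (i < len) {
        while (i < len && (list[i] == ' ' || list[i] == '\t')) i++;
        size_t start = i;
        while (i < len && list[i] != ' ' && list[i] != '\t') i++;
        if (slen && i - start == slen && strncmp(list + start, service, slen) == 0)
            return 1;
    }
    return 0;
}

/* Hypothetical checkaccess(): 1 if user may use service, else 0.  An explicit
 * entry for the user wins; only users without one fall back to the "*" entry,
 * and an unknown user with no "*" entry is denied (default deny). */
int checkaccess(const char *cfg, const char *user, const char *service)
{
    const char *p = cfg, *wild = NULL;
    size_t wildlen = 0;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', linelen);
        if (colon) {
            size_t ulen = (size_t)(colon - p), svclen = linelen - ulen - 1;
            if (ulen == strlen(user) && strncmp(p, user, ulen) == 0)
                return list_has_service(colon + 1, svclen, service);
            if (ulen == 1 && *p == '*') { wild = colon + 1; wildlen = svclen; }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return wild ? list_has_service(wild, wildlen, service) : 0;
}
```

With the sample above, checkaccess(sample_cfg, "joe", "shell") is 0 because joe has his own line, while an unlisted user gets "shell" and "ppp" from the "*" entry.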