From owner-freebsd-bugs Mon Jul 8 13:00:46 2002
Message-Id: <20020708195647.F30948B801@lost.little-black-kitty.net>
Date: Mon, 8 Jul 2002 20:56:47 +0100 (BST)
From: Richard Rose
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/40355: /sbin/nologin is a shell script
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         40355
>Category:       bin
>Synopsis:       /sbin/nologin is a shell script
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 08 13:00:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Richard Rose
>Release:        FreeBSD 4.6-RC i386
>Organization:
N/A
>Environment:
System: FreeBSD lost.little-black-kitty.net 4.6-RC FreeBSD 4.6-RC #1: Wed May 29 00:39:40 BST 2002     rik@lost.little-black-kitty.net:/usr/obj/usr/src/sys/LOST  i386

>Description:
/sbin/nologin is a /bin/sh shell script that could possibly be subverted by
putting commands in /etc/suid_profile.
>How-To-Repeat:
N/A
>Fix:
Use nologinmsg instead. This is source I have written, under a 2-clause BSD
licence. My intention is to contribute it to the FreeBSD project, as a
replacement for /sbin/nologin. To install into the source tree, just unshar
under src/sbin. The following is the shar archive of the source.

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	nologinmsg
#	nologinmsg/Makefile
#	nologinmsg/nologinmsg.c
#	nologinmsg/nologinmsg.8
#	nologinmsg/pathnames.h
#
echo c - nologinmsg
mkdir -p nologinmsg > /dev/null 2>&1
echo x - nologinmsg/Makefile
sed 's/^X//' >nologinmsg/Makefile << 'END-of-nologinmsg/Makefile'
X# $Id: Makefile,v 1.1.1.1 2002/07/08 19:20:52 rik Exp $
X
XPROG=	nologinmsg
XMAN=	nologinmsg.8
X
X.include <bsd.prog.mk>
END-of-nologinmsg/Makefile
echo x - nologinmsg/nologinmsg.c
sed 's/^X//' >nologinmsg/nologinmsg.c << 'END-of-nologinmsg/nologinmsg.c'
X/*
X * nologinmsg.c - A slightly improved nologin that will return a configurable
X * message, depending on how it is called.
X *
X * Copyright (c) 2002
X *	Richard Rose.  All rights reserved.
X *
X * Redistribution and use in source and binary forms, with or without
X * modification, are permitted provided that the following conditions
X * are met:
X * 1. Redistributions of source code must retain the above copyright
X *    notice, this list of conditions and the following disclaimer.
X * 2. Redistributions in binary form must reproduce the above copyright
X *    notice, this list of conditions and the following disclaimer in the
X *    documentation and/or other materials provided with the distribution.
X *
X * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
X * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
X * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
X * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
X * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
X * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
X * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
X * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
X * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
X * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
X *
X * $Id: nologinmsg.c,v 1.1.1.1 2002/07/08 19:20:52 rik Exp $
X *
X * rik
X */
X
X#include <sys/types.h>
X#include <sys/stat.h>
X
X#include <fcntl.h>
X#include <limits.h>
X#include <stdio.h>
X#include <stdlib.h>
X#include <string.h>
X#include <syslog.h>
X#include <sysexits.h>
X#include <unistd.h>
X
X#include "pathnames.h"
X
X#define NOLOGINMSG_NAME	"nologinmsg"
X#define NOLOGINMSG_MSG	"This account is currently not available.\n"
X
X/*
X * main - Program entry point.
X * Check how we are called.  If it is not the way we expect, then search
X * the hard coded path for a file named with the name we are called with;
X * otherwise look there for a file named after the user we are being run
X * as.  Print that file if it exists and is readable, else print the
X * standard message.  After printing a message, quit.
X */
Xint
Xmain(void)
X{
X	char messagePath[PATH_MAX];
X	char msgbuf[1024];		/* Arbitrary constant */
X	const char *login, *user, *device, *name;
X	int fd;
X	ssize_t nbytes;
X	struct stat buf;
X
X	login = getlogin();
X	user = (login != NULL) ? login : "UNKNOWN";
X
X	device = ttyname(0);
X	if (device == NULL)
X		device = "UNKNOWN";
X
X	openlog("nologinmsg", LOG_CONS, LOG_AUTH);
X	syslog(LOG_WARNING, "%.35s on %.35s", user, device);
X	closelog();
X
X	if (strcmp(getprogname(), NOLOGINMSG_NAME) == 0) {
X		/*
X		 * Called by our own name: look for a user named message.
X		 * Without a login name there is nothing to look for.
X		 */
X		if (login == NULL)
X			goto printStandard;
X		name = login;
X	} else {
X		/*
X		 * We have been invoked by a different name.  Look for a
X		 * message of that name.
X		 */
X		name = getprogname();
X	}
X
X	/*
X	 * Build the path with a bounds check; a name too long for the
X	 * buffer is treated as having no message file.
X	 */
X	if (snprintf(messagePath, sizeof(messagePath), "%s%s",
X	    NOLOGINMSG_PATH, name) >= (int)sizeof(messagePath))
X		goto printStandard;
X
X	if (stat(messagePath, &buf) != 0)
X		goto printStandard;
X
X	if (!S_ISREG(buf.st_mode))
X		goto printStandard;
X
X	fd = open(messagePath, O_RDONLY);
X	if (fd == -1)
X		goto printStandard;
X
X	/*
X	 * Copy the file to stderr.  read() returns 0 at end of file and
X	 * -1 on error; either way there is nothing more to print.
X	 */
X	for (;;) {
X		nbytes = read(fd, msgbuf, sizeof(msgbuf));
X		if (nbytes <= 0)
X			exit(EX_UNAVAILABLE);
X		write(STDERR_FILENO, msgbuf, (size_t)nbytes);
X	}
X
XprintStandard:
X	write(STDERR_FILENO, NOLOGINMSG_MSG, sizeof(NOLOGINMSG_MSG) - 1);
X	exit(EX_UNAVAILABLE);
X}
END-of-nologinmsg/nologinmsg.c
echo x - nologinmsg/nologinmsg.8
sed 's/^X//' >nologinmsg/nologinmsg.8 << 'END-of-nologinmsg/nologinmsg.8'
X.\" Copyright (c) 2002
X.\"	Richard Rose.  All Rights Reserved
X.\"
X.\" Redistribution and use in source and binary forms, with or without
X.\" modification, are permitted provided that the following conditions
X.\" are met:
X.\" 1. Redistributions of source code must retain the above copyright
X.\"    notice, this list of conditions and the following disclaimer.
X.\" 2. Redistributions in binary form must reproduce the above copyright
X.\"    notice, this list of conditions and the following disclaimer in the
X.\"    documentation and/or other materials provided with the distribution.
X.\"
X.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
X.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
X.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X.\" SUCH DAMAGE.
X.\"
X.Dd July 8, 2002
X.Dt NOLOGINMSG 8
X.Os
X.Sh NAME
X.Nm nologinmsg
X.Nd politely refuse a login
X.Sh SYNOPSIS
X.Nm
X.Sh DESCRIPTION
X.Nm Nologinmsg
Xdisplays a message that an account is not available and
Xexits non-zero.
XIt is intended as a replacement shell field for accounts that
Xhave been disabled.
XIt can also print per-user messages, or special messages,
Xdepending on how it is called, or whether it can find a better
Xmessage to print.
X.Pp
XTo create a per-user message, put the text of the message in the
X.Pa /etc/nologinmsgs/USER
Xfile.
XIts contents will be printed if the user named USER logs in.
X.Pp
XTo create a message that can be used for a group of users,
Xcreate a symbolic link to a new name for the binary, and use
Xthat name.
XIn the
X.Pa /etc/nologinmsgs/
Xdirectory, place a text file of the same name, with the text
Xyou want printed when a user with this shell name logs in.
X.Pp
XIf the program name is not nologinmsg, then that file name
Xis checked, and printed if that exists.
XIf it does not, then the standard error message is printed.
XIf the program name is nologinmsg, and a user named file exists,
Xthen that file is printed if possible; if not, the standard
Xerror message is printed.
XIn all other cases, the standard message is printed.
X.Pp
XTo disable all logins,
Xinvestigate
X.Xr nologin 5 .
X.Sh SEE ALSO
X.Xr login 1 ,
X.Xr nologin 5 ,
X.Xr nologin 8
X.Sh HISTORY
XThe
X.Nm
Xcommand was written by Richard Rose and contributed to the FreeBSD Project.
XThis man page needs looking at and checking.
END-of-nologinmsg/nologinmsg.8
echo x - nologinmsg/pathnames.h
sed 's/^X//' >nologinmsg/pathnames.h << 'END-of-nologinmsg/pathnames.h'
X/*
X * For licence, see nologinmsg.c
X *
X * $Id: pathnames.h,v 1.1.1.1 2002/07/08 19:20:52 rik Exp $
X */
X
X#define	NOLOGINMSG_PATH	"/etc/nologinmsgs/"
END-of-nologinmsg/pathnames.h
exit

>Release-Note:
>Audit-Trail:
>Unformatted:
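The message lookup in the PR's nologinmsg.c stat()s a path under /etc/nologinmsgs/ and then open()s it, which leaves a window between the check and the use and follows symbolic links. As an added example, not part of the PR or its shar archive, here is a hardened version of that lookup: it opens first with O_NOFOLLOW, fstat()s the descriptor it actually obtained, refuses a name containing a slash, and stops cleanly on read errors. The function names print_message_file and demo, the directory under /tmp and the message text are constructed for the self-check.

```c
#define _XOPEN_SOURCE 700               /* O_NOFOLLOW, mkdtemp, symlink */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy the message file dir/name to out_fd if it is a plain regular file.
 * Returns the number of bytes written, or -1 if no message file was used. */
ssize_t print_message_file(const char *dir, const char *name, int out_fd)
{
	char path[PATH_MAX], buf[1024];
	struct stat sb;
	ssize_t n, total = 0;
	int fd;
	if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
		return -1;              /* a '/' could escape the message directory */
	if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
		return -1;              /* truncated path: treat as absent */
	if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) == -1)
		return -1;              /* missing, unreadable, or a symbolic link */
	/* Judge the file we actually opened, not a path that may have changed. */
	if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode)) { close(fd); return -1; }
	while ((n = read(fd, buf, sizeof buf)) > 0) {   /* 0 is EOF, <0 an error */
		if (write(out_fd, buf, (size_t)n) != n)
			break;
		total += n;
	}
	close(fd);
	return total;
}

/* Self-check on a constructed directory: a real file, a symlink, an escape. */
int demo(void)
{
	char dir[] = "/tmp/nologinmsgXXXXXX", p[PATH_MAX], back[64] = "";
	int pfd[2], fd;
	if (mkdtemp(dir) == NULL || pipe(pfd) != 0) return 0;
	snprintf(p, sizeof p, "%s/expired", dir);
	fd = open(p, O_WRONLY | O_CREAT, 0644);
	write(fd, "Account expired.\n", 17); close(fd);
	snprintf(p, sizeof p, "%s/alias", dir);
	symlink("expired", p);                  /* must be refused by O_NOFOLLOW */
	if (print_message_file(dir, "expired", pfd[1]) != 17) return 0;
	read(pfd[0], back, sizeof back - 1);
	return strcmp(back, "Account expired.\n") == 0 &&
	    print_message_file(dir, "alias", pfd[1]) == -1 &&
	    print_message_file(dir, "../passwd", pfd[1]) == -1;
}
```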