From owner-freebsd-security  Sun Jan 16 18:48:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id 8960314EF7
	for <freebsd-security@FreeBSD.ORG>; Sun, 16 Jan 2000 18:48:07 -0800 (PST)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id VAA60331;
	Sun, 16 Jan 2000 21:48:40 -0500 (EST)
	(envelope-from cjc)
Date: Sun, 16 Jan 2000 21:48:39 -0500
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Omachonu Ogali <oogali@intranova.net>
Cc: Jonathan Fortin <jonf@revelex.com>, cjclark@home.com,
	Dan Harnett <danh@wzrd.com>, Nicholas Brawn <ncb@zip.com.au>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.
Message-ID: <20000116214839.A60295@cc942873-a.ewndsr1.nj.home.com>
References: <Pine.BSO.4.21.0001151751410.2416-100000@revelex.com> <Pine.BSF.4.10.10001161256500.78224-100000@hydrant.intranova.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <Pine.BSF.4.10.10001161256500.78224-100000@hydrant.intranova.net>; from oogali@intranova.net on Sun, Jan 16, 2000 at 12:58:05PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jan 16, 2000 at 12:58:05PM -0500, Omachonu Ogali wrote:
> If you add it to /etc/shells then it allows an user to login via FTP since
> the FTP daemon checks to see if the users shell returned by
> getpwnam()/getpwuid() exists in /etc/shells, if it does then it allows a
> successful connection/login, and this is what he wants to prevent.

Yep. You then need to add the user to /etc/ftpusers (if ftp is enabled
at all). But whatever shell you give the account, it does need to be
in /etc/shells for non-root users to su to it, which is how the
original poster wanted people to gain access.

> On Sat, 15 Jan 2000, Jonathan Fortin wrote:
> 
> > 
> > Hello,
> > 
> > You could also set the users shell to /bin/false and add it in /etc/shells
> > and use the -m option.
> > 
> > 
> > jonf@revelex.com
> > 
> > On Sat, 15 Jan 2000, Crist J. Clark wrote:
> > 
> > > Dan Harnett wrote,
> > > > Hello,
> > > > 
> > > > You could also set this particular user's shell to /sbin/nologin and make the
> > > > others use the -m option to su.
> > > 
> > > But if you do this, remember,
> > > 
> > >      -m      Leave the environment unmodified.  The invoked shell is your lo-
> > >              gin shell, and no directory changes are made.  As a security pre-
> > >              caution, if the target user's shell is a non-standard shell (as
> > >              defined by getusershell(3))  and the caller's real uid is non-ze-
> > >              ro, su will fail.
> > > 
> > > You have to add '/sbin/nologin' to /etc/shells.
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message