From owner-freebsd-questions Wed Apr 2 13:06:07 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA24129 for questions-outgoing; Wed, 2 Apr 1997 13:06:07 -0800 (PST)
Received: from xmission.xmission.com (softweyr@xmission.xmission.com [198.60.22.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA24124 for ; Wed, 2 Apr 1997 13:06:02 -0800 (PST)
Received: (from softweyr@localhost) by xmission.xmission.com (8.8.5/8.7.5) id OAA24533; Wed, 2 Apr 1997 14:05:46 -0700 (MST)
From: Wes Peters - Softweyr LLC
Message-Id: <199704022105.OAA24533@xmission.xmission.com>
Subject: Re: Users with no shells
To: leec@adam.adonai.net (Lee Crites)
Date: Wed, 2 Apr 1997 14:05:45 -0700 (MST)
Cc: questions@freebsd.org
In-Reply-To: from "Lee Crites" at Apr 2, 97 00:43:09 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I got several messages telling me about /sbin/nologin. It was a kind of
> interesting script -- curt and to the point, but without expandability.
> However, this is more along the line of what I was thinking of...
>
> #!/bin/csh -f
> #
> # provide way to deny logins for this user
> #
> set fname = ".nologin.message"
> set sname = ".nologin.script"

One of the general rules of security is to tell the user who is potentially abusing your system *absolutely nothing.* This is why the UNIX login process doesn't say "Invalid username, bonehead!" or "You blew your password, you meathead!" If you tell the attacker that this account exists but isn't allowed to log in, he may have gained information useful to him.

> # see if there is a local .nologin script to run
> if (-e ~/$sname) then
>     ~/$sname
>     exit 1
> endif

This allows a user who can ftp put but not login to put a .nologin.script file that starts a shell, thus granting him a login.
> I'm not sure if a C program would be better or not. I suppose you could
> use syslog in a program, which might be better than mailing a message.
> But then again, mailing me a message would make sure I saw it sooner. I
> guess it's a tossup. (is there a way to do syslog from the shell?)

logger(1).

> Anyway, I said I was thinking of putting something together, and so I
> did. (can you say quick-and-dirty-rough-draft-first-cut?)

You might want to read a bit about securing your system before running off down this path. I recommend Rik Farrow's book, as well as the Simpson and Garfinkle book, as a minimum. Securing your system is far less obvious than you think, and you might as well benefit from what others have learned.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
http://www.xmission.com/~softweyr
softweyr@xmission.com