Date:      Wed, 2 Apr 1997 14:05:45 -0700 (MST)
From:      Wes Peters - Softweyr LLC <softweyr@xmission.com>
To:        leec@adam.adonai.net (Lee Crites)
Cc:        questions@freebsd.org
Subject:   Re: Users with no shells
Message-ID:  <199704022105.OAA24533@xmission.xmission.com>
In-Reply-To: <Pine.BSF.3.95.970402002552.14749A-100000@adam.adonai.net> from "Lee Crites" at Apr 2, 97 00:43:09 am

> I got several messages telling me about /sbin/nologin.  It was a kind of
> interesting script -- curt and to the point, but without expandability.
> However, this is more along the line of what I was thinking of... 
> 
> #!/bin/csh -f
> #
> # provide way to deny logins for this user
> #
>   set fname = ".nologin.message"
>   set sname = ".nologin.script"

One of the general rules of security is to tell the user who is
potentially abusing your system *absolutely nothing.*  This is why the
UNIX login process doesn't say "Invalid username, bonehead!" or "You
blew your password, you meathead!"  If you tell the attacker that this
account exists but isn't allowed to login, he may have gained
information useful to him.

> # see if there is a local .nologin script to run
>   if (-e ~/$sname) then
>     ~/$sname
>     exit 1
>     endif

This allows a user who can ftp put but not login to put a .nologin.script
file that starts a shell, thus granting him a login.

> I'm not sure if a c program would be better or not.  I suppose you could
> use syslog in a program, which might be better than mailing a message.  
> But then again, mailing me a message would make sure I saw it sooner.  I
> guess it's a tossup. (is there a way to do syslog from the shell?)

logger(1).

> Anyway, I said I was thinking of putting something together, and so I
> did.  (can you say quick-and-dirty-rough-draft-first-cut?)

You might want to read a bit about securing your system before running
off down this path.  I recommend Rik Farrow's book, as well as the
Simpson and Garfinkle book, as a minimum.  Securing your system is
far less obvious than you think, and you might as well benefit from
what others have learned.

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com
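The three points Wes makes above (say nothing useful to the person being refused, never execute a file the user can upload into their home directory, and use logger(1) to reach syslog from a script) are easy to lose in a one-off csh wrapper. The script below is an added example, not code from this thread or from FreeBSD's own /sbin/nologin: it puts a POSIX-sh rendering of the quoted `.nologin.script` logic next to a hardened replacement. The file name `deny_login.sh`, the syslog tag `nologin`, the `auth.notice` priority and the wording of the fixed message are my assumptions, not anything from the original.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumed to be installed as
# /usr/local/sbin/deny_login.sh and set as the login shell of accounts that
# must not log in (assumption: the name, tag and message text are mine).

DENY_MESSAGE='This account is not available.'   # fixed text, reveals no reason
DENY_TAG='nologin'                               # syslog tag (assumption)

# The logic quoted from the original post, rendered in sh so it can sit next
# to the fix.  Do NOT install this: it executes a file under $HOME, so a user
# who can ftp-put but not log in simply uploads a .nologin.script that execs
# a real shell and thereby gets a login anyway.
quoted_nologin() {
    if [ -e "$HOME/.nologin.script" ]; then
        "$HOME/.nologin.script"       # user-controlled file runs here
        return 1
    fi
    printf '%s\n' "$DENY_MESSAGE"
    return 1
}

# Build the log line from data the kernel or the calling daemon supplies,
# never from anything under the user's home directory.
# $1 account, $2 tty or "-", $3 remote host or "-", $4 argument count
deny_attempt_record() {
    printf 'refused login user=%s tty=%s from=%s args=%s\n' \
        "$1" "${2:-"-"}" "${3:-"-"}" "${4:-0}"
}

# logger(1) is the shell interface to syslog that the reply points at.
# Its exit status is deliberately dropped: a logging failure must never be
# able to turn into a login.  Silent if logger is not installed.
deny_log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$DENY_TAG" -p auth.notice -- "$1" 2>/dev/null || :
    fi
}

# Hardened replacement: reads nothing from $HOME, prints one fixed message,
# ignores its arguments (so "shell -c cmd" from sshd/rsh is refused too),
# sends the details to the administrator via syslog, and always fails.
deny_login() {
    dl_user=$(id -un 2>/dev/null || echo unknown)
    if tty -s 2>/dev/null; then dl_tty=$(tty); else dl_tty=-; fi
    dl_remote=${SSH_CLIENT:-${REMOTE_HOST:-"-"}}
    dl_remote=${dl_remote%% *}            # SSH_CLIENT is "ip port port"
    deny_log "$(deny_attempt_record "$dl_user" "$dl_tty" "$dl_remote" "$#")"
    printf '%s\n' "$DENY_MESSAGE"
    return 1
}

# When run as a login shell (login(1) passes argv[0] as "-deny_login.sh"),
# refuse and exit 1.  Under any other name only the functions are defined,
# so the file can be sourced for testing.
case "$0" in
    */deny_login.sh|deny_login.sh|-deny_login.sh)
        deny_login "$@"
        exit 1
        ;;
esac
```

The contrast to check for yourself: put an executable `.nologin.script` that touches a marker file in a scratch `$HOME`, then call `quoted_nologin` and `deny_login` in turn. The quoted logic runs the uploaded file and the marker appears; the hardened version prints only `DENY_MESSAGE`, leaves the marker absent, and returns 1. The administrator still sees who tried, from where and on which tty, but in the auth log rather than on the attacker's screen.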



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199704022105.OAA24533>