From: Roelof Osinga <roelof@eboa.com>
Organization: eBOA - Programming the Web
Date: Thu, 01 Mar 2001 08:18:31 +0100
To: Matt Piechota
Cc: Rob Simmons, George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-ID: <3A9DF7C7.FF9361C2@eboa.com>

Matt Piechota wrote:
>
> On Tue, 27 Feb 2001, Rob Simmons wrote:
>
> > /sbin/nologin as the user's shell. You also have to add this shell to
> > /etc/shells
>
> I thought the idea of nologin was to deny access. Wouldn't you want to
> copy nologin to /sbin/ftponly (or something) and put that in /etc/shells?
> That way you have 3 steps: telnet+ftp (tcsh, bash, etc), ftp only
> (/sbin/ftponly), and no access (/sbin/nologin).

Well, there is nologin and then there is nologin.

nisse:/usr/local/www# apropos nologin
login_auth(3), -(3) - auth_checknologin, auth_cat authentication style support library for login class capabilities database
nologin(5) - disallow logins
nologin(8) - politely refuse a login

so we got nologin(5):

DESCRIPTION
     Nologin disallows logins if the file /var/run/nologin exists. Programs
     display the contents of /var/run/nologin to the user and exit.

and we got nologin(8):

DESCRIPTION
     Nologin displays a message that an account is not available and exits
     non-zero.
     It is intended as a replacement shell field for accounts that have
     been disabled.

Besides that we, of course, also got login(1):

     If the file /var/run/nologin exists, login displays its contents to the
     user and exits. This is used by shutdown(8) to prevent users from
     logging in when the system is about to go down.

as well as ftpd(8):

     The file /var/run/nologin can be used to disable ftp access. If the file
     exists, ftpd displays it and exits. If the file /etc/ftpwelcome exists,
     ftpd prints it before issuing the ``ready'' message. If the file
     /etc/ftpmotd exists, ftpd prints it after a successful login. Note the
     motd file used is the one relative to the login environment. This means
     the one in ~ftp/etc in the anonymous user's case.

So in general you are right. The goal of nologin is to define nologin.
However, that having been said, there is a slight difference between
getting one's cake/login and eating (or not getting as the case might be)
one's cake/login.

In itself there is much to be said for having a nologin binary which
disallows logins, yet also having an ftpd which disallows logins provided
the user's shell is not a valid one as per /etc/shells. Thus one can have
one's cake - i.e. disallowing shell access - whilst eating it too - i.e.
allowing ftp access.

In your stated case, providing - say - bash as shell allows both shell and
ftp access; providing nologin+shell allows ftp access and, last but not
least, providing just nologin allows nada. In the latter case providing
/nada/niente serves the same purpose whilst keeping the previous door
opened.

Anyway, that's the theory as I understand it. The practice however... ;)

Roelof
--
It's a dog's life @ http://cairni.com/
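As an added illustration (not part of this thread and not FreeBSD's own code), a small POSIX sh audit that applies the rules the quoted man pages and the reply lay out to a constructed passwd file and shells file: ftpd refuses a shell that is not in /etc/shells, while login(1) does not consult /etc/shells and simply runs whatever shell is set. It goes one step beyond the thread by also reporting the fourth combination, a real shell left out of /etc/shells (interactive access but no ftp). The list of refusing shells (/sbin/nologin plus the proposed /sbin/ftponly copy) and the sample accounts are assumptions.

```sh
#!/bin/sh
# Added audit script: per account, what access the passwd shell field buys
# under the rules quoted in the thread: ftpd refuses shells not listed in
# /etc/shells (getusershell(3)); login(1) ignores /etc/shells and just runs
# the shell, so a nologin-style shell refuses interactive use.
# ASSUMPTION: refusing shells are /sbin/nologin and a copy at /sbin/ftponly.
NOLOGIN_SHELLS="/sbin/nologin /sbin/ftponly"

# Constructed sample files so the script runs offline (not a real system).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SHELLS_FILE="$WORK/shells"; PASSWD_FILE="$WORK/passwd"
cat > "$SHELLS_FILE" <<'EOF'
# constructed /etc/shells; comment lines are ignored like getusershell does
/bin/sh
/usr/local/bin/bash
/sbin/ftponly
EOF
cat > "$PASSWD_FILE" <<'EOF'
alice:*:1001:1001::/home/alice:/usr/local/bin/bash
bob:*:1002:1002::/home/bob:/sbin/ftponly
carol:*:1003:1003::/home/carol:/sbin/nologin
erin:*:1004:1004::/home/erin:/usr/local/bin/zsh
EOF

# ftpd's check: exact match against a non-comment line of the shells file.
ftp_allowed() { # $1 = shell, $2 = shells file
    grep -v '^#' "$2" | grep -qxF -- "$1"
}
# login's outcome: refused only when the shell is a nologin-style binary.
login_refused() { # $1 = shell
    for s in $NOLOGIN_SHELLS; do [ "$s" = "$1" ] && return 0; done
    return 1
}
# The thread's three tiers plus the fourth it does not mention: a real
# shell left out of /etc/shells gives interactive access but no ftp.
classify_account() { # $1 = shell, $2 = shells file
    if ftp_allowed "$1" "$2"; then
        if login_refused "$1"; then echo ftp-only; else echo shell+ftp; fi
    else
        if login_refused "$1"; then echo none; else echo shell-only; fi
    fi
}
# One report line per passwd entry: user, shell, tier.
audit_passwd() { # $1 = passwd file, $2 = shells file
    while IFS=: read -r user pw uid gid gecos home shell; do
        printf '%-8s %-22s %s\n' "$user" "$shell" "$(classify_account "$shell" "$2")"
    done < "$1"
}
audit_passwd "$PASSWD_FILE" "$SHELLS_FILE"
```

On a real host, point SHELLS_FILE and PASSWD_FILE at /etc/shells and /etc/passwd instead of the constructed files; remember that an existing /var/run/nologin overrides all four tiers and refuses everyone.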