Date: Thu, 16 Jul 1998 16:24:53 +1000
From: "John Saunders" <john.saunders@scitec.com.au>
To: "FreeBSD stable" <freebsd-stable@FreeBSD.ORG>
Subject: Re: Finger and getpwent
Message-ID: <08c601bdb082$71b81b50$6cb611cb@saruman.scitec.com.au>
>I've always been under the impression that shell and FTP checking
>/etc/shells and mail services *not* doing so was a deliberate
>design decision, not an oversight.

Until something better is implemented there are good reasons for
both sides. I have modified pppd, ftpd and qpopper to check for a
valid shell. However if a valid shell is not found I made pppd
check for "PPP", ftpd check for "FTP", and qpopper check for "POP"
in the shell field using strstr(). So I can configure an account
with a shell of "POP,FTP" to enable both those services but not
shell logins.

While this suits my system it's not entirely flexible, I can't
provide shell access but not FTP access for example. What is needed
is an additional system where the user has a list of service type
attributes associated with them. Then each service would check
the attributes to see if the user is allowed to access the service.

e.g. a config file like...

    fred:shell ppp telnet
    joe:ppp pop
    mary:telnet pop ftp
    *:shell ppp

Then a library call like checkaccess(char *user, char *service)

I believe the early shadow password suite used on Linux started
to have something similar but it didn't look completed when I
last looked at it. I think PAM has superseded shadow now anyway.

Cheers.
-- 
        .   +-------------------------------------------------------+
    ,--_|\  | John Saunders   mailto:John.Saunders@scitec.com.au    |
   /  Oz  \ | SCITEC LIMITED  Phone +61294289563  Fax +61294289933  |
   \_,--\_/ | "By the time you make ends meet, they move the ends." |
         v  +-------------------------------------------------------+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
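One way the per-user service list and checkaccess() lookup proposed in the message could work, as an added example that is not part of the original message or of any FreeBSD code. Assumptions: a user's own line overrides the "*" line, a user with no line and no "*" line is denied, service names are matched as whole tokens, and the config text is passed as an extra first argument so the block runs on the constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input, in the format sketched in the message. */
static const char SAMPLE_CONF[] =
    "fred:shell ppp telnet\n"
    "joe:ppp pop\n"
    "mary:telnet pop ftp\n"
    "*:shell ppp\n";

/* Whole-token match in one line's service list, so "pop" never matches "pop3". */
static int has_service(const char *p, const char *service)
{
    size_t slen = strlen(service);
    while (*p && *p != '\n') {
        size_t n = strcspn(p, " \t\n");
        if (n == slen && n > 0 && memcmp(p, service, n) == 0)
            return 1;
        p += n + strspn(p + n, " \t");      /* skip token and separators */
    }
    return 0;
}

/* Returns 1 if allowed, 0 if denied. Assumed semantics: the user's own line
 * decides; "*" is consulted only for unlisted users; otherwise fail closed. */
int checkaccess(const char *conf, const char *user, const char *service)
{
    int fallback = 0;
    size_t ulen = strlen(user);
    if (ulen == 0 || strcmp(user, "*") == 0) return 0;  /* "*" is not a login */
    for (const char *line = conf; *line; ) {
        size_t n = strcspn(line, "\n");
        const char *colon = memchr(line, ':', n);
        if (colon && (size_t)(colon - line) == ulen && memcmp(line, user, ulen) == 0)
            return has_service(colon + 1, service);
        if (colon == line + 1 && line[0] == '*')
            fallback = has_service(colon + 1, service);
        line += n + (line[n] == '\n');
    }
    return fallback;
}

int main(void)
{
    printf("joe pop=%d, joe shell=%d, bob shell=%d\n",
           checkaccess(SAMPLE_CONF, "joe", "pop"),
           checkaccess(SAMPLE_CONF, "joe", "shell"),
           checkaccess(SAMPLE_CONF, "bob", "shell"));
    return 0;
}
```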