From owner-freebsd-stable Wed Jul 15 23:25:13 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA21867 for freebsd-stable-outgoing; Wed, 15 Jul 1998 23:25:13 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from firewall.scitec.com.au (firewall-user@fgate.scitec.com.au [203.17.180.68]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA21862 for ; Wed, 15 Jul 1998 23:25:09 -0700 (PDT) (envelope-from john.saunders@scitec.com.au)
Received: by firewall.scitec.com.au; id QAA05792; Thu, 16 Jul 1998 16:24:56 +1000 (EST)
Received: from mailhub.scitec.com.au(203.17.180.131) by fgate.scitec.com.au via smap (3.2) id xma005783; Thu, 16 Jul 98 16:24:54 +1000
Received: from saruman (saruman.scitec.com.au [203.17.182.108]) by mailhub.scitec.com.au (8.6.12/8.6.9) with SMTP id QAA15333 for ; Thu, 16 Jul 1998 16:24:53 +1000
Message-ID: <08c601bdb082$71b81b50$6cb611cb@saruman.scitec.com.au>
From: "John Saunders"
To: "FreeBSD stable"
Subject: Re: Finger and getpwent
Date: Thu, 16 Jul 1998 16:24:53 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-Mimeole: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>I've always been under the impression that shell and FTP checking
>/etc/shells and mail services *not* doing so was a deliberate
>design decision, not an oversight.

Until something better is implemented there are good reasons for both sides.

I have modified pppd, ftpd and qpopper to check for a valid shell. However, if a valid shell is not found, I made pppd check for "PPP", ftpd check for "FTP", and qpopper check for "POP" in the shell field using strstr(). So I can configure an account with a shell of "POP,FTP" to enable both those services but not shell logins.
While this suits my system it's not entirely flexible; I can't provide shell access but not FTP access, for example. What is needed is an additional system where the user has a list of service type attributes associated with them. Then each service would check the attributes to see if the user is allowed to access the service. e.g. a config file like...

    fred:shell ppp telnet
    joe:ppp pop
    mary:telnet pop ftp
    *:shell ppp

Then a library call like

    checkaccess(char *user, char *service)

I believe the early shadow password suite used on Linux started to have something similar but it didn't look completed when I last looked at it. I think PAM has superseded shadow now anyway.

Cheers.
--
  .         +-------------------------------------------------------+
 ,--_|\     | John Saunders    mailto:John.Saunders@scitec.com.au   |
/  Oz  \    | SCITEC LIMITED   Phone +61294289563 Fax +61294289933  |
\_,--\_/    | "By the time you make ends meet, they move the ends." |
      v     +-------------------------------------------------------+
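The two schemes John describes above (a service name in the shell field, and a per-user service list consulted through a checkaccess() call), as an added example that is not code from the message or from pppd, ftpd or qpopper. The config string, the list of valid shells (standing in for /etc/shells) and the function names are constructed for the example; a real daemon would read the file with stdio and keep the same lookup logic.

```c
/* Added example: both access-check schemes from the message.
 * Not the poster's code; config and shell list are constructed inline. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
#include <ctype.h>

/* Constructed sample in the proposed format: user:service service ...
 * A "*" line supplies defaults for users with no line of their own. */
static const char *SAMPLE_CONFIG =
    "fred:shell ppp telnet\n"
    "joe:ppp pop\n"
    "mary:telnet pop ftp\n"
    "*:shell ppp\n";

/* Constructed stand-in for /etc/shells. */
static const char *const SAMPLE_SHELLS[] = { "/bin/sh", "/bin/csh", NULL };

/* Whole-token match of `want` in a space-separated list ending at end of line.
 * Token comparison rather than strstr() so "ftp" cannot match inside "tftp". */
static int token_in_list(const char *list, const char *want)
{
    size_t wl = strlen(want);
    const char *p = list;
    while (*p && *p != '\n' && *p != '\r') {
        while (*p == ' ' || *p == '\t') p++;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if ((size_t)(p - start) == wl && strncmp(start, want, wl) == 0)
            return 1;
        if (p == start)          /* only trailing whitespace left */
            break;
    }
    return 0;
}

/* checkaccess() over an in-memory config.  Returns 1 if `user` may use
 * `service`, else 0.  The user's own line is authoritative; the "*" line is
 * consulted only for users who have no line, so an explicit entry can also
 * take a default service away. */
int checkaccess_cfg(const char *config, const char *user, const char *service)
{
    const char *line = config, *wildcard = NULL;
    size_t ulen_want = strlen(user);
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', len);
        if (colon && line[0] != '#') {
            size_t ulen = (size_t)(colon - line);
            if (ulen == ulen_want && strncmp(line, user, ulen) == 0)
                return token_in_list(colon + 1, service);
            if (ulen == 1 && line[0] == '*' && !wildcard)
                wildcard = colon + 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return wildcard ? token_in_list(wildcard, service) : 0;
}

/* The shell-field scheme: a real shell grants every service; otherwise the
 * field is a comma-separated list such as "POP,FTP".  Compared as whole,
 * case-insensitive tokens instead of strstr(). */
int shell_field_allows(const char *shell, const char *service,
                       const char *const *valid_shells)
{
    for (; *valid_shells; valid_shells++)
        if (strcmp(shell, *valid_shells) == 0)
            return 1;
    size_t sl = strlen(service);
    for (const char *p = shell; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == sl && strncasecmp(p, service, sl) == 0)
            return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

int main(void)
{
    printf("fred/ppp: %d  joe/shell: %d  bob/shell: %d  bob/ftp: %d\n",
           checkaccess_cfg(SAMPLE_CONFIG, "fred", "ppp"),
           checkaccess_cfg(SAMPLE_CONFIG, "joe", "shell"),
           checkaccess_cfg(SAMPLE_CONFIG, "bob", "shell"),
           checkaccess_cfg(SAMPLE_CONFIG, "bob", "ftp"));
    printf("POP,FTP/ftp: %d  SFTP/ftp: %d\n",
           shell_field_allows("POP,FTP", "ftp", SAMPLE_SHELLS),
           shell_field_allows("SFTP", "ftp", SAMPLE_SHELLS));
    return 0;
}
```

Two design choices worth noting: a user's own line overrides the "*" defaults entirely, which is what makes "shell but not FTP" expressible, and matching is done on whole tokens so that a service name that happens to be a substring of another (or of a shell path) does not grant access by accident.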