From owner-freebsd-stable  Thu Jul 16 05:56:17 1998
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id FAA05360
          for freebsd-stable-outgoing; Thu, 16 Jul 1998 05:56:17 -0700 (PDT)
          (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from ppc1.cybertime.ch (ppc1.cybertime.ch [194.191.120.136])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id FAA05352
          for <freebsd-stable@FreeBSD.ORG>; Thu, 16 Jul 1998 05:56:13 -0700 (PDT)
          (envelope-from pajarola@cybertime.ch)
Received: from tyr.cybertime.ch by ppc1.cybertime.ch (AIX 4.1/UCB 5.64/4.03)
          id AA14362; Thu, 16 Jul 1998 14:55:52 +0200
Message-Id: <3.0.32.19980716145425.00726d20@www.dlc.cybertime.ch>
X-Sender: pajarola@www.dlc.cybertime.ch
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 16 Jul 1998 14:57:16 +0200
To: "FreeBSD stable" <freebsd-stable@FreeBSD.ORG>
From: Rico Pajarola <pajarola@cybertime.ch>
Subject: Re: Finger and getpwent
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I think something like this should go into /etc/login.conf. I already use
the nologin file (which can be set per login-class) to make ftp-only
accounts, and the ftpusers file to make email-only accounts. I like this
solution because it looks 'clean' to me, but it's by far not complete. And
the nicest login.conf doesn't help you if the programs you use don't look
at it (and afaik only login itself looks at it yet, guess why it's called
login.conf).

Rico

At 16:24 16.07.98 +1000, John Saunders wrote:
>>I've always been under the impression that shell and FTP checking
>>/etc/shells and mail services *not* doing so was a deliberate
>>design decision, not an oversight.
>
>Until something better is implemented there are good reasons
>for both sides. I have modified pppd, ftpd and qpopper to check
>for a valid shell. However if a valid shell is not found I made
>pppd check for "PPP", ftpd check for "FTP", and qpopper check
>for "POP" in the shell field using strstr(). So I can configure
>an account with a shell of "POP,FTP" to enable both those services
>but not shell logins.
>
>While this suits my system it's not entirely flexible, I can't
>provide shell access but not FTP access for example. What is
>needed is an addition system where the user has a list of service
>type attributes associated with them. Then each service would
>check the attributes to see if the user is allowed to access the
>service. e.g. a config file like...
>
>fred:shell ppp telnet
>joe:ppp pop
>mary:telnet pop ftp
>*:shell ppp
>
>Then a library call like checkaccess(char *user, char *service)
>
>I believe the early shadow password suite used on Linux started
>to have something similar but it didn't look completed when I
>last looked at it. I think PAM has superceeded shadow now anyway.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message