From owner-freebsd-questions Tue Apr 1 22:41:52 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA10364 for questions-outgoing; Tue, 1 Apr 1997 22:41:52 -0800 (PST)
Received: from adam.adonai.net ([205.182.92.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA10358 for ; Tue, 1 Apr 1997 22:41:46 -0800 (PST)
Received: from localhost (leec@localhost) by adam.adonai.net (8.8.5/8.7.3) with SMTP id AAA14925 for ; Wed, 2 Apr 1997 00:43:09 -0600 (CST)
Date: Wed, 2 Apr 1997 00:43:09 -0600 (CST)
From: "Lee Crites (AEI)"
To: questions@FreeBSD.ORG
Subject: Re: Users with no shells
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I got several messages telling me about /sbin/nologin. It was a kind of
interesting script -- curt and to the point, but without expandability.
However, this is more along the line of what I was thinking of...

/sbin/CMnologin:

#!/bin/csh -f
#
# provide way to deny logins for this user
#
# $0 is the full path of this script (e.g. /sbin/CMnologin), so the
# global message file lives next to it as /sbin/CMnologin.nologin.message
set fname = ".nologin.message"
set sname = ".nologin.script"

# see if there is a local .nologin script to run
# (-x rather than -e: a script that exists but is not executable would
#  otherwise fail with "Permission denied" instead of falling through
#  to the message files below)
if (-x ~/$sname) then
    ~/$sname
    exit 1
endif

# see if there is a local .nologin file
if (-e ~/$fname) then
    cat ~/$fname
    exit 1
endif

# see if there is a global .nologin file
if (-e $0$fname) then
    cat $0$fname
    exit 1
endif

# there is no message given, use a default one
echo "This account has been disabled. Please"
echo "contact sysadmin@`hostname` for further"
echo "information."
exit 1
# done

/sbin/CMnologin.nologin.message:

You have selected a user name which is not valid, or has been disabled.
If you have any questions concerning this situation, please contact
sysadmin@adonai.net, or call the customer support hotline, at
512-246-9772. We are sorry for any inconvenience this might have
caused you.

/usr/home/disabled/.nologin.message:

This login is not valid, and the user knows it.
This security violation has been noted.

/usr/home/disabled/.nologin.script:

#!/bin/csh -f
#
# this will try to get some information on the login attempt
# and mail it to me...
#
# build a message for me and mail it; the subshell feeds the report
# straight into mail, so no $0.out scratch file is left in the home
# directory (and no rm is needed afterwards)
( echo "login attempt on disabled account"; \
  echo " -- time:"`date`; \
  echo " -- whoami:"`whoami`; \
  echo " -- who am i:"`who am i` ) \
  | mail -s "security violation" sysadmin@adonai.net

# tell them
echo "This account is not a valid login account. Possible"
echo "security violation has been logged."
exit 1
# done

Of course, if you followed the CMnologin script, you would see that the
.nologin.message file for the user would never be seen. I just added it
for completeness.

I'm not sure if a c program would be better or not. I suppose you could
use syslog in a program, which might be better than mailing a message.
But then again, mailing me a message would make sure I saw it sooner. I
guess it's a tossup. (is there a way to do syslog from the shell?)

Anyway, I said I was thinking of putting something together, and so I
did. (can you say quick-and-dirty-rough-draft-first-cut?)

Lee
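The following is an added example, not code from the post above or from FreeBSD: a POSIX sh version of the same CMnologin idea in which the login attempt is recorded in syslog through logger(1) instead of being mailed, which is the standard way to write to syslog from a shell script. The global message path, the use of SSH_CLIENT to note where a remote attempt came from, and the auth.notice priority are my assumptions; the per-user file, global file, then built-in default ordering is the same as in the csh script.

```shell
#!/bin/sh
# Added example (not from the original post): sh rewrite of CMnologin that
# logs through logger(1). Assumed: GLOBAL_MSG path, SSH_CLIENT, auth.notice.

MSG_NAME=".nologin.message"
GLOBAL_MSG="${GLOBAL_MSG:-/sbin/CMnologin.nologin.message}"   # assumed location

# Build one line describing the attempt and hand it to logger(1), which
# writes it to syslog at auth.notice. Nothing is written under the user's
# home directory, and the record ends up wherever syslogd routes auth.
# The line is also printed so a caller can inspect what was logged.
log_attempt() {
    user=$(id -un 2>/dev/null || echo unknown)
    # tty -s is silent; plain tty would print "not a tty" into the capture
    if tty -s 2>/dev/null; then tty_name=$(tty); else tty_name=notty; fi
    line="login attempt on disabled account user=$user tty=$tty_name remote=${SSH_CLIENT:-local}"
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.notice -t nologin "$line" 2>/dev/null || true
    fi
    printf '%s\n' "$line"
}

# Print the denial text with the same preference order as CMnologin:
# a file in the given home directory, then the global file, then a default.
deny_message() {
    home_dir=$1
    if [ -f "$home_dir/$MSG_NAME" ]; then
        cat "$home_dir/$MSG_NAME"
    elif [ -f "$GLOBAL_MSG" ]; then
        cat "$GLOBAL_MSG"
    else
        printf 'This account has been disabled. Please contact\n'
        printf 'sysadmin@%s for further information.\n' "$(uname -n)"
    fi
}

# What runs when the file is installed as a login shell: log, explain, refuse.
# The installed copy ends with the line:  main "$@"
# It is left uncalled here so the functions can be exercised without the
# exit 1 terminating the caller.
main() {
    log_attempt >/dev/null
    deny_message "${HOME:-/nonexistent}"
    exit 1
}

# Stand-alone demo on a constructed home directory; no real account is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'This login is not valid, and the attempt has been logged.\n' > "$tmp/$MSG_NAME"
    deny_message "$tmp"
    rm -rf "$tmp"
}

demo
```

To use it as an account's shell, append `main "$@"` as the last line, install the file root-owned and executable, list it in /etc/shells only if you want it selectable, and set it with chsh or vipw. Because the hooks are plain files rather than a per-user script, nothing the account holder can place in the home directory changes what gets logged.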