Date: Wed, 2 Apr 1997 00:43:09 -0600 (CST) From: "Lee Crites (AEI)" <leec@adam.adonai.net> To: questions@FreeBSD.ORG Subject: Re: Users with no shells Message-ID: <Pine.BSF.3.95.970402002552.14749A-100000@adam.adonai.net>
I got several messages telling me about /sbin/nologin. It was a kind of
interesting script -- curt and to the point, but without expandability.
However, this is more along the line of what I was thinking of...
/sbin/CMnologin:

    #!/bin/csh -f
    #
    # provide way to deny logins for this user
    #
    set fname = ".nologin.message"
    set sname = ".nologin.script"

    # see if there is a local .nologin script to run
    # (it runs as the user, so it must be executable by them)
    if (-e ~/$sname) then
        ~/$sname
        exit 1
    endif

    # see if there is a local .nologin file
    if (-e ~/$fname) then
        cat ~/$fname
        exit 1
    endif

    # see if there is a global .nologin file
    # ($0 is this script's path, so this is /sbin/CMnologin.nologin.message)
    if (-e $0$fname) then
        cat $0$fname
        exit 1
    endif

    # there is no message given, use a default one
    echo "This account has been disabled. Please"
    echo "contact sysadmin@`hostname` for further"
    echo "information."
    exit 1
    # done
/sbin/CMnologin.nologin.message:
You have selected a user name which is not valid, or has
been disabled. If you have any questions concerning this
situation, please contact sysadmin@adonai.net, or call the
customer support hotline, at 512-246-9772.
We are sorry for any inconvenience this might have caused
you.
/usr/home/disabled/.nologin.message:
This login is not valid, and the user knows it. This
security violation has been noted.
/usr/home/disabled/.nologin.script:

    #!/bin/csh -f
    #
    # this will try to get some information on the login attempt
    # and mail it to me...
    #
    # build a message for me ($0.out is ~/.nologin.script.out)
    echo "login attempt on disabled account" > $0.out
    echo " -- time:"`date` >> $0.out
    echo " -- whoami:"`whoami` >> $0.out
    echo " -- who am i:"`who am i` >> $0.out

    # mail it to me
    cat $0.out | mail -s "security violation" sysadmin@adonai.net
    rm $0.out

    # tell them
    echo "This account is not a valid login account. Possible"
    echo "security violation has been logged."
    exit 1
    # done
Of course, if you followed the CMnologin script, you would see that the
.nologin.message file for the user would never be seen. I just added it
for completeness.
I'm not sure if a C program would be better or not. I suppose you could
use syslog in a program, which might be better than mailing a message.
But then again, mailing me a message would make sure I saw it sooner. I
guess it's a toss-up. (is there a way to do syslog from the shell?)
Anyway, I said I was thinking of putting something together, and so I
did. (can you say quick-and-dirty-rough-draft-first-cut?)
Lee
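Added example, not part of the post above: a POSIX sh (rather than csh) sketch of the same idea that answers the syslog question with logger(1), the standard way to write a syslog record from a shell script. Message lookup follows the post's precedence (per-user message file, then a site-wide file, then a built-in default), but no script from the disabled account's home directory is executed, so the account's own files cannot change what its login shell does. The function names, the site-wide message path and the auth.warning priority are choices made here, not anything from the original.

```shell
#!/bin/sh
# Added example (not from the original post): nologin-style login shell
# that reports the attempt to syslog instead of mail. Paths are constructed.

# Print the denial message. Precedence mirrors the post's CMnologin script,
# minus the per-user script: $home/.nologin.message, then the site-wide
# file $global, then a default. Only message files are read, never run.
nologin_message() {
    home="$1"      # the disabled account's home directory
    global="$2"    # site-wide message file, e.g. /usr/local/etc/nologin.message
    if [ -r "$home/.nologin.message" ]; then
        cat "$home/.nologin.message"
    elif [ -r "$global" ]; then
        cat "$global"
    else
        printf '%s\n' "This account has been disabled. Please" \
            "contact sysadmin@$(uname -n) for further information."
    fi
}

# Build the one-line syslog record for an attempt. The caller passes the
# user name and tty (what the login shell sees in $USER and `tty`), which
# keeps the function testable offline.
nologin_log_line() {
    user="$1"
    tty="$2"
    printf 'login attempt on disabled account user=%s tty=%s' "$user" "$tty"
}

# Send the record to syslog: facility auth, severity warning, tag "nologin".
# logger(1) is how to "do syslog from the shell"; if it is missing, the
# record goes to stderr so the attempt is still visible somewhere.
nologin_report() {
    line=$(nologin_log_line "$1" "$2")
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t nologin "$line"
    else
        printf '%s\n' "$line" >&2
    fi
}

# Entry point for use as a login shell (installed at a root-owned path and
# set as the account's shell in the password file):
#   nologin_main "$HOME" /usr/local/etc/nologin.message
nologin_main() {
    nologin_report "${USER:-unknown}" "$(tty 2>/dev/null || echo none)"
    nologin_message "$1" "$2"
    exit 1
}
```

The record lands in the auth log with a fixed tag, so it can be matched or alerted on like any other failed-login line, and it does not depend on mail delivery working from the disabled account's context. Keeping the message files read-only for the account (or only the site-wide one) also avoids the user controlling the text shown at login.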