Date:      Sun, 9 Feb 1997 23:46:11 -0700 (MST)
From:      Wes Peters <softweyr@xmission.com>
To:        hackers@freebsd.org
Subject:   'nologin' program for disabling user accounts
Message-ID:  <199702100646.XAA06827@obie.softweyr.ml.org>

A few days ago a user on the -questions mailing list was asking for a
secure way to disable a user account.  I once wrote a simple program to
do this years ago as a part of Security Toolkit, so I stirred the old
grey matter a little bit and put this together for him.  Since others
may want to do this as well, I'm sending it to the hackers forum for
nitpicking and consideration to be included in the next release(s).

The purpose of the program is to provide a login shell that simply logs
the attempted access and exits, leaving the user with no system access.

This program is provided under a bsd-like copyright.  Please feel free
to use as you wish, as long as the copyright is obeyed.

~~~~~~~~~~ nologin.c ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
 * nologin.c - a login shell for disabling users.
 *
 * Copyright (c) 1997 Softweyr LLC, South Jordan, Utah USA.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 * 
 *        This product includes software developed by Softweyr LLC
 *
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * This software is provided by Softweyr LLC ``as is'' and any express or
 * implied warranties, including, but not limited to, the implied warranties
 * of merchantability and fitness for a particular purpose are disclaimed.
 * In no event shall Softweyr LLC or any contributors be liable for any
 * direct, indirect, incidental, special, exemplary, or consequential
 * damages (including, but not limited to, procurement of substitute goods
 * or services; loss of use, data, or profits; or business interruption)
 * however caused and on any theory of liability, whether in contract,
 * strict liability, or tort (including negligence or otherwise) arising in
 * any way out of the use of this software, even if advised of the
 * possibility of such damage.
 * 
 * Author: Wes Peters
 * Date: Tue Jan 28 21:30:06 MST 1997
 */

#include <sys/types.h>

#include <unistd.h>
#include <syslog.h>

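int
main(int argc,
     char *argv[])
{
    char *user, *device;

    /* Name of the account that tried to log in, if it can be determined. */
    if ((user = getlogin()) == NULL)
        user = "UNKNOWN";

    /* Terminal attached to stdin, i.e. where the attempt came from. */
    if ((device = ttyname(0)) == NULL)
        device = "UNKNOWN";

    /* Record the attempt under LOG_AUTH; fall back to the console on error. */
    openlog("nologin", LOG_CONS, LOG_AUTH);
    syslog(LOG_CRIT, "%s on %s", user, device);
    closelog();

    /* Exit without starting a shell, so the session ends here. */
    return 0;
}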

~~~~~~~~~~ nologin.1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" nologin.1 - a login shell for disabling users.
.\"
.\" Copyright (c) 1997 Softweyr LLC, South Jordan, Utah USA.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\" 
.\"        This product includes software developed by Softweyr LLC
.\"
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" This software is provided by Softweyr LLC ``as is'' and any express or
.\" implied warranties, including, but not limited to, the implied warranties
.\" of merchantability and fitness for a particular purpose are disclaimed.
.\" In no event shall Softweyr LLC or any contributors be liable for any
.\" direct, indirect, incidental, special, exemplary, or consequential
.\" damages (including, but not limited to, procurement of substitute goods
.\" or services; loss of use, data, or profits; or business interruption)
.\" however caused and on any theory of liability, whether in contract,
.\" strict liability, or tort (including negligence or otherwise) arising in
.\" any way out of the use of this software, even if advised of the
.\" possibility of such damage.
.\" 
.\" Author: Wes Peters
.\" Date: Tue Jan 28 21:30:06 MST 1997
.Dd January 28, 1997
.Dt nologin 1
.Os BSD 4
.Sh NAME
.Nm nologin
.Nd a login shell for disabled users
.Sh SYNOPSIS
.Nm nologin
.Sh DESCRIPTION
.Nm nologin
is a login shell for user accounts that have been disabled.  It logs
the attempted login via the
.Xr syslog 3
mechanism, with an 
.Ar ident
of "nologin" 
and a 
.Ar facility
of
.Dv LOG_AUTH .
Log entries will appear in the system log as:

.Dl Jan 28 21:36:54 hostname nologin: user on /dev/ttypX
.Pp
Please note that you should 
.Em not
add the
.Nm nologin
program to the
.Pa /etc/shells
file, as you do not want users to accidentally set their shell to
.Nm nologin .
.Sh AUTHOR
Wes Peters, Softweyr LLC: softweyr@xmission.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If somebody decides to incorporate this into a FreeBSD release, I'd
like an email to confirm this (just for posterity).  If, on the other
hand, somebody comes up with a glaring hole in this, I'd certainly
like to hear about it.  I've never encountered any really bloody hangs
in syslog or anything like that, but am perfectly willing to believe
they could happen.

I believe the original started off by closing stdin, stdout, and
stderr, but I don't remember the reasoning why.

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com
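
An added example, not part of the original message: a small C check for the man page's caveat that nologin must not appear in /etc/shells, run alongside a count of accounts that use it as their shell. The install path /usr/local/sbin/nologin and the passwd and shells contents are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample data; the install path of nologin is an assumption. */
#define NOLOGIN "/usr/local/sbin/nologin"
static const char SAMPLE_SHELLS[] = "# constructed sample\n/bin/sh\n/bin/csh\n";
static const char SAMPLE_PASSWD[] =
    "alice:*:1001:1001:Alice:/home/alice:/bin/csh\n"
    "bob:*:1002:1002:Bob:/home/bob:" NOLOGIN "\n";

/* Copy the next line (without '\n') into buf; NULL when text is exhausted. */
static const char *next_line(const char *text, char *buf, size_t len)
{
    size_t n = strcspn(text, "\n");
    if (*text == '\0')
        return NULL;
    snprintf(buf, len, "%.*s", (int)n, text);
    return text[n] == '\n' ? text + n + 1 : text + n;
}

/* 1 if path is listed in shells(5)-format text; '#' starts a comment. */
int shell_listed(const char *shells, const char *path)
{
    char line[256], *s;
    while ((shells = next_line(shells, line, sizeof line)) != NULL) {
        line[strcspn(line, "#")] = '\0';
        s = line + strspn(line, " \t");
        s[strcspn(s, " \t\r")] = '\0';
        if (strcmp(s, path) == 0)
            return 1;
    }
    return 0;
}

/* Count passwd(5)-format entries whose last field, the shell, is path. */
int count_disabled(const char *passwd, const char *path)
{
    char line[512], *shell;
    int n = 0;
    while ((passwd = next_line(passwd, line, sizeof line)) != NULL)
        if (line[0] != '#' && (shell = strrchr(line, ':')) != NULL)
            n += strcmp(shell + 1, path) == 0;
    return n;
}
int main(void)
{
    printf("%d disabled account(s); nologin in shells: %s\n",
        count_disabled(SAMPLE_PASSWD, NOLOGIN),
        shell_listed(SAMPLE_SHELLS, NOLOGIN) ? "yes" : "no");
    return 0;
}
```

To audit a live system, read the real passwd and shells files into buffers and pass them to the same two functions.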





