Date: Mon, 10 Feb 1997 14:40:29 -0700 (MST)
From: Softweyr LLC <softweyr@xmission.com>
To: tom@sdf.com (Tom Samplonius)
Cc: hackers@freebsd.org
Subject: Re: 'nologin' program for disabling user accounts
Message-ID: <199702102140.OAA05879@xmission.xmission.com>
In-Reply-To: <Pine.NEB.3.94.970209144949.29838A-100000@misery.sdf.com> from "Tom Samplonius" at Feb 9, 97 02:51:12 pm

Tom Samplonius asked, with respect to my recently posted nologin program:

> Why? It seems that all BSD4.4 systems already have a nologin. See "man
> nologin"

Security and logging. The BSD4.4 nologin program is a shell script, which is rarely a good idea to use for a login shell due to the ability of the user to INTR and get a shell, if he's fast enough. Also, the standard nologin.sh doesn't log the attempted access, which means the system administrator doesn't know that somebody has been trying to use the disabled account.

The original program I wrote years ago for SunOS and Ultrix, which had *no* secure way of disabling user accounts.

This one may still have a few holes, such as ftpd and tftpd. Some ftp daemons refuse to allow access if the user's shell is not listed in /etc/shells, another reason to *not* list nologin in /etc/shells. (See the nologin man page for the original reason.)

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
http://www.xmission.com/~softweyr
softweyr@xmission.com
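
The two properties argued for in the message above (no interpreter that INTR could drop out of, and a log record of each attempt) look like this in a compiled login shell. This is an added example, not part of the original message and not Wes Peters' program; the `format_denial` helper, the `LOG_AUTH` facility and the message texts are assumptions.

```c
/* Added illustration of a compiled, logging nologin; not the posted program. */
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Build the log line. Bytes outside a conservative set become '?' so a
 * hostile user or tty string cannot inject newlines or extra log fields. */
int format_denial(char *out, size_t outlen, const char *user, const char *tty)
{
    char u[33], t[65];
    const char *src[2] = { user ? user : "unknown", tty ? tty : "notty" };
    char *dst[2] = { u, t };
    size_t cap[2] = { sizeof u, sizeof t };

    for (int i = 0; i < 2; i++) {
        size_t n = 0;
        for (const char *p = src[i]; *p && n + 1 < cap[i]; p++) {
            int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                     (*p >= '0' && *p <= '9') || strchr("._-/", *p) != NULL;
            dst[i][n++] = ok ? *p : '?';
        }
        dst[i][n] = '\0';
    }
    return snprintf(out, outlen,
                    "login attempt on disabled account %s from %s", u, t);
}

int main(void)
{
    char line[160];
    int sigs[] = { SIGINT, SIGQUIT, SIGTSTP, SIGHUP };
    struct passwd *pw;

    /* Ignore keyboard signals before doing anything else. There is no
     * shell behind this binary for an interrupt to fall back into. */
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        signal(sigs[i], SIG_IGN);

    pw = getpwuid(getuid());
    format_denial(line, sizeof line, pw ? pw->pw_name : NULL,
                  ttyname(STDIN_FILENO));   /* ttyname may return NULL */
    openlog("nologin", LOG_PID, LOG_AUTH);  /* facility is an assumption */
    syslog(LOG_NOTICE, "%s", line);
    puts("This account is currently not available.");
    return 1;                               /* never exec anything */
}
```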