Date:      Mon, 10 Feb 1997 14:40:29 -0700 (MST)
From:      Softweyr LLC <softweyr@xmission.com>
To:        tom@sdf.com (Tom Samplonius)
Cc:        hackers@freebsd.org
Subject:   Re: 'nologin' program for disabling user accounts
Message-ID:  <199702102140.OAA05879@xmission.xmission.com>
In-Reply-To: <Pine.NEB.3.94.970209144949.29838A-100000@misery.sdf.com> from "Tom Samplonius" at Feb 9, 97 02:51:12 pm

Tom Samplonius asked, with respect to my recently posted nologin
program:

>   Why?  It seems that all BSD4.4 systems already have a nologin.  See "man
> nologin"

Security and logging.  The BSD4.4 nologin program is a shell script,
which is rarely a good idea to use for a login shell due to the ability
of the user to INTR and get a shell, if he's fast enough.  Also, the
standard nologin.sh doesn't log the attempted access, which means the
system administrator doesn't know that somebody has been trying to use
the disabled account.

I wrote the original program years ago for SunOS and Ultrix, which had
*no* secure way of disabling user accounts.  This one may still have
a few holes, such as ftpd and tftpd.  Some ftp daemons refuse to allow
access if the user's shell is not listed in /etc/shells, another reason
to *not* list nologin in /etc/shells.  (See the nologin man page for
the original reason.)

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com
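A minimal C nologin of the kind the message above argues for, added here as an illustration (it is not Wes Peters' posted program): it ignores keyboard and job-control signals so an INTR cannot break out to a shell, records the attempt through syslog so the administrator sees it, and only then prints the refusal. The refusal text, the signal list and the five-second delay are this example's own choices.

```c
/* nologin.c: deny logins to a disabled account and log the attempt.
 * Illustrative example; install as the disabled account's login shell
 * and keep it *out* of /etc/shells, as the message recommends. */
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Signals a user at the terminal can raise (INTR, QUIT, SUSP, hangup). */
static const int kept_out[] = { SIGINT, SIGQUIT, SIGTSTP, SIGHUP, SIGTERM };

/* Ignore them before doing anything else, so a fast INTR cannot abort the
 * program into whatever the login process would run next.
 * Returns how many signals were successfully set to SIG_IGN. */
static int ignore_signals(void) {
    int n = 0;
    for (size_t i = 0; i < sizeof kept_out / sizeof kept_out[0]; i++)
        if (signal(kept_out[i], SIG_IGN) != SIG_ERR)
            n++;
    return n;
}

/* Build the audit line: which disabled account, on which tty.
 * Returns the message length, or -1 if it did not fit in buf. */
static int format_attempt(char *buf, size_t len, const char *user, const char *tty) {
    int r = snprintf(buf, len, "refused login for disabled account %s on %s",
                     user ? user : "UNKNOWN", tty ? tty : "no-tty");
    return (r < 0 || (size_t)r >= len) ? -1 : r;
}

int main(void) {
    char msg[256];
    ignore_signals();                       /* first, before any output or delay */
    struct passwd *pw = getpwuid(getuid()); /* account we were invoked for */
    const char *tty = ttyname(STDIN_FILENO);/* NULL when not on a terminal */
    format_attempt(msg, sizeof msg, pw ? pw->pw_name : NULL, tty);
    openlog("nologin", LOG_PID, LOG_AUTH);
    syslog(LOG_NOTICE, "%s", msg);          /* the part the shell script lacks */
    closelog();
    printf("This account is currently not available.\n");
    sleep(5);                               /* slow down repeated attempts */
    return 1;                               /* never a success exit */
}
```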