From owner-freebsd-hackers Mon Feb 10 13:44:46 1997
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA27250 for hackers-outgoing; Mon, 10 Feb 1997 13:44:46 -0800 (PST)
Received: from xmission.xmission.com (xmission.xmission.com [198.60.22.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA27071 for ; Mon, 10 Feb 1997 13:41:14 -0800 (PST)
Received: (from softweyr@localhost) by xmission.xmission.com (8.8.5/8.7.5) id OAA05879; Mon, 10 Feb 1997 14:40:30 -0700 (MST)
From: Softweyr LLC
Message-Id: <199702102140.OAA05879@xmission.xmission.com>
Subject: Re: 'nologin' program for disabling user accounts
To: tom@sdf.com (Tom Samplonius)
Date: Mon, 10 Feb 1997 14:40:29 -0700 (MST)
Cc: hackers@freebsd.org
In-Reply-To: from "Tom Samplonius" at Feb 9, 97 02:51:12 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Tom Samplonius asked, with respect to my recently posted nologin program:

> Why? It seems that all BSD4.4 systems already have a nologin. See "man
> nologin"

Security and logging. The BSD4.4 nologin program is a shell script, which is rarely a good idea to use for a login shell due to the ability of the user to INTR and get a shell, if he's fast enough. Also, the standard nologin.sh doesn't log the attempted access, which means the system administrator doesn't know that somebody has been trying to use the disabled account.

The original program I wrote years ago was for SunOS and Ultrix, which had *no* secure way of disabling user accounts. This one may still have a few holes, such as ftpd and tftpd. Some ftp daemons refuse to allow access if the user's shell is not listed in /etc/shells, another reason to *not* list nologin in /etc/shells. (See the nologin man page for the original reason.)

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters
Softweyr LLC
http://www.xmission.com/~softweyr
softweyr@xmission.com
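The message argues for a compiled nologin rather than the nologin.sh script, on two grounds: a shell script can be interrupted with INTR before it exits, and the script leaves no record of the attempt. The following is an added example written for this archive page, not Wes Peters' posted program and not the 4.4BSD nologin; it is a minimal compiled login shell that ignores the keyboard signals, records the attempt via syslog(3) (using the uid from the kernel rather than an environment variable the caller controls), and exits non-zero. The function names (ignore_interrupts, format_attempt, current_user) are this example's own.

```c
/* Added example: a minimal compiled nologin-style login shell.
 * Not the program from the message; function names are hypothetical. */
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Ignore the signals a user can raise from the terminal (INTR, QUIT,
 * SUSP, hangup) so the program cannot be interrupted before it exits.
 * Returns 0 on success, -1 if any signal could not be ignored. */
static int ignore_interrupts(void)
{
    const int sigs[] = { SIGINT, SIGQUIT, SIGTSTP, SIGHUP };
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (signal(sigs[i], SIG_IGN) == SIG_ERR)
            return -1;
    return 0;
}

/* Build the audit line that goes to syslog. Kept as a pure function so
 * it can be checked without a running syslogd. Returns the length
 * written, or -1 if the buffer was too small. */
int format_attempt(char *buf, size_t len, const char *user, const char *tty)
{
    int n = snprintf(buf, len, "login attempt on disabled account %s from %s",
                     user ? user : "?", tty ? tty : "?");
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Resolve the real uid to a name. The uid comes from the kernel; $USER
 * is not consulted because the caller can set it to anything. */
const char *current_user(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    snprintf(buf, len, "%s", pw ? pw->pw_name : "unknown-uid");
    return buf;
}

int main(void)
{
    char user[64], msg[256];
    const char *tty;

    ignore_interrupts();                 /* first, before anything else */
    tty = ttyname(STDIN_FILENO);         /* NULL when no terminal (e.g. ftpd) */
    current_user(user, sizeof user);
    if (format_attempt(msg, sizeof msg, user, tty) > 0) {
        openlog("nologin", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "%s", msg);
        closelog();
    }
    printf("This account is currently not available.\n");
    return 1;                            /* non-zero: the "shell" failed */
}
```

Installed as a user's login shell, this records every attempt under the LOG_AUTH facility where the administrator will see it. As the message notes, the binary should not be listed in /etc/shells, so that services which consult that file (some ftp daemons) also refuse the account.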