From owner-freebsd-questions Wed Apr 2 13:51:18 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA27560 for questions-outgoing; Wed, 2 Apr 1997 13:51:18 -0800 (PST)
Received: from adam.adonai.net ([205.182.92.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA27549 for ; Wed, 2 Apr 1997 13:51:09 -0800 (PST)
Received: from localhost (leec@localhost) by adam.adonai.net (8.8.5/8.7.3) with SMTP id PAA26694; Wed, 2 Apr 1997 15:52:02 -0600 (CST)
Date: Wed, 2 Apr 1997 15:52:02 -0600 (CST)
From: "Lee Crites (AEI)"
To: Wes Peters - Softweyr LLC
cc: questions@freebsd.org
Subject: Re: Users with no shells
In-Reply-To: <199704022105.OAA24533@xmission.xmission.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 2 Apr 1997, Wes Peters - Softweyr LLC wrote:

=>One of the general rules of security is to tell the user who is
=>potentially abusing your system *absolutely nothing.* This is why the
=>UNIX login process doesn't say "Invalid username, bonehead!" or "You
=>blew your password, you meathead!" If you tell the attacker that this
=>account exists but isn't allowed to login, he may have gained
=>information useful to him.

Good point...

=>This allows a user who can ftp put but not login to put a .nologin.script
=>file that starts a shell, thus granting him a login.

I am sure there are holes in this. You might have found one big one.
I just tried to ftp to the user I was testing the scripts with, and as
soon as I entered the user name, I got back:

    530 User xxxxxx access denied.
    Login failed.
    Remote system type is UNIX.

Would a compiled program be more secure than scripts? I'm sort of
leaning in that direction because you can't 'read' an executable like
you can a script.

=>logger(1).

Right there in front of my face all along. I'd even printed this
man page out.
I've got lots of programming and installation experience, but am still
trying to get a firm handle on the whole s.a. gig...

=>You might want to read a bit about securing your system before running
=>off down this path. I recommend Rik Farrow's book, as well as the
=>Simpson and Garfinkle book, as a minimum. Securing your system is

How about the titles? I've got several sysadmin type books and none of
them are by any of the above.

Lee