What to do about nologin(8)?

Lanny Baron lnb at FreeBSDsystems.COM
Tue Feb 24 16:10:58 PST 2004 

Hi,
What I have done in the past for preventing logins via telnet/ssh is to 
make a script called ftponly and put it in /usr/local/bin and in 
/etc/shells put a line as /usr/local/bin/ftponly

The little script for /usr/local/bin/ftponly is:

#!/bin/sh -p
echo 'This account is currently available only for FTP access.'
exit 1

Of course when you run adduser or pw useradd, you will choose 
/usr/local/bin/ftponly as their shell.

Regards,
Lanny

Tim Kientzle wrote:

> Colin Percival wrote:
> 
>> At 22:36 24/02/2004, David Schultz wrote:
>>
>>> (1) Fix login(1) so that it disables the -p option when the target
>>>     user's shell is not in /etc/shells (unless the invoking user
>>>     is root)
>>
>>
>>   Adding /sbin/nologin to /etc/shells is a standard way to create
>> ftp-only users.
> 
> 
> Putting /sbin/nologin as the user's shell in /etc/passwd is
> quite standard, yes, for exactly the reason you describe.
> 
> Adding it to /etc/shells is a very different matter, though.
> My understanding has always been that /etc/shells is intended to
> list the "standard" *interactive* user shells.  Special or
> restricted shells should not be listed there.
> 
> In particular, /sbin/nologin should certainly not be in /etc/shells.
> 
> chpass(1) has some comments on this.  getusershell(3) and
> shells(5) are admittedly pretty vague.  Perhaps some
> manpage-tuning is in order.
> 
>>> (2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.
>>
>>
>>   Wearing my member-of-security-team hat, I have to say I'm rather
>> unhappy with this idea.  It's also been pointed out (by nectar) that
>> there are issues with NFS if files are owned by nobody or nogroup.
> 
> 
> Even though I tossed it out as an option, I'm uncomfortable
> with it as well just on the "unnecessary setgid" principle.
> 
> My preference at the moment is for nologin(8):
>   * to be statically linked so it cannot easily be trojaned
>   * to throw out the current environment and create a clean
>     environment from scratch before invoking system("logger...")
>     to perform any logging.
> 
> This would keep the size of nologin(8) down while keeping
> it pretty safe.
> 
> Tim Kientzle
> 
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Lanny Baron
Proud to be 100% FreeBSD
http://www.FreeBSDsystems.COM
Toll Free: 1.877.963.1900
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

More information about the freebsd-current mailing list