[2242] in linux-security and linux-alert archive
[linux-security] adding nologin shells to /etc/shells
daemon@ATHENA.MIT.EDU (Tony Nugent)
Thu Oct 28 18:14:47 1999
Message-Id: <199910281329.XAA14770@tony.growzone.com.au>
To: Linux Security Mailing List <linux-security@redhat.com>
Date: Thu, 28 Oct 1999 23:29:39 +1000
From: Tony Nugent <tony@growzone.com.au>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
I need to set up some (err, a lot) of user accounts for (pop) mail and
ftp access purposes. But disallow shell login access.

What I can do to achieve this - and it works well - is to create a
small script, thus:

#!/usr/bin/tail +6
#
# /etc/NOSHELL
#
# Login shell to prevent shell access for user accounts
#
#########################################################################
# #
# Sorry, you do not have login access. #
# If you need any special requirements, please contact GrowZone OnLine #
# #
#########################################################################

... then add /etc/NOSHELL to the login shell field of /etc/passwd

Attempts to log in as one of these users work as expected... display
of the last few lines, then logs the user back out again. Sweet.

For ftp access to work, an entry for /etc/NOSHELL needs to be added
to /etc/shells - once done, also sweet.

However, I came across this comment in the sendmail FAQ where it talks
about allowing users to forward their mail to a program...

http://www.sendmail.org/faq/section3.html#3.11

It states:

    NOTA BENE: DO NOT list /usr/local/etc/nologin in /etc/shells
    -- this will open up other security problems.

Does adding a "noshell" to /etc/shells really open up security holes?
If so, what are they?

Are there any alternatives to this?

Aside:

One alternative we are currently using on many of our boxes here is
to actually disable telnet in /etc/inetd.conf, and then run
sshd/ssh2d as a daemon heavily wrapped in /etc/hosts.{allow,deny}

But this approach still begs the question about allowing ftp access
and, according to the sendmail FAQ, the security holes this is
supposed to create.

Cheers
Tony
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <Tony@growzone.com.au> Systems Administrator
GrowZone OnLine (a project of) GrowZone Development Network
POBox 475 Toowoomba Queensland Australia 4350 Ph: 07 4637 8322
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
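
An added example, not part of the original post: a POSIX shell check that reports, for each account whose login shell is a no-login program such as the /etc/NOSHELL script above, whether that program is also listed in /etc/shells and so passes the same membership test the post says ftp access depends on. The function names, account names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit accounts that use a no-login shell and report
# whether that shell is also accepted by an /etc/shells membership check.
# File paths are parameters so the audit can run against copies.

# is_listed SHELL SHELLS_FILE
# Exit 0 if SHELL appears as an entry in SHELLS_FILE (comments and
# blank lines are ignored).
is_listed() {
    awk -v s="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == s { found = 1 }
        END { exit !found }' "$2"
}

# audit_nologin PASSWD_FILE SHELLS_FILE NOLOGIN_SHELL...
# Prints "user:shell:LISTED" or "user:shell:UNLISTED" for every account
# whose login shell (passwd field 7) is one of the given no-login shells.
audit_nologin() {
    passwd_file=$1; shells_file=$2; shift 2
    for nl in "$@"; do
        if is_listed "$nl" "$shells_file"; then state=LISTED; else state=UNLISTED; fi
        awk -F: -v s="$nl" -v st="$state" \
            '$7 == s { print $1 ":" $7 ":" st }' "$passwd_file"
    done
}

# demo: run the audit over constructed sample files modelled on the
# setup described in the post (hypothetical accounts, not real data).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'popuser1:x:1001:100:mail only:/home/popuser1:/etc/NOSHELL' \
        'ftpuser1:x:1002:100:ftp only:/home/ftpuser1:/etc/NOSHELL' \
        'svc:x:1003:100:service:/nonexistent:/bin/false' > "$d/passwd"
    printf '%s\n' '# valid login shells' '/bin/sh' '/bin/bash' \
        '/etc/NOSHELL' > "$d/shells"
    audit_nologin "$d/passwd" "$d/shells" /etc/NOSHELL /bin/false
    rm -rf "$d"
}

# Run the demo only when asked: sh script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

On a live system the call would be `audit_nologin /etc/passwd /etc/shells /etc/NOSHELL`; every LISTED account is one that any program trusting /etc/shells will treat as having a valid shell.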