[836] in linux-security and linux-alert archive
Re: [linux-security] wu.ftp, ftpaccess, and /bin/false shell
daemon@ATHENA.MIT.EDU (Matt Stainforth)
Fri Jun 21 12:16:00 1996
Date: Thu, 20 Jun 1996 08:41:07 -0300 (ADT)
From: Matt Stainforth <mbs@mctnmail.nbnet.nb.ca>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960620082226.12815D-100000@mctnmail.nbnet.nb.ca>
On Mon, 17 Jun 1996, Yury Shevchuk wrote:
> IMHO, this is an overlook in wu-ftpd: the daemon denies access to
> users whose shells are not listed in /etc/shells. Adding /etc/ftponly
> (or /bin/false) to /etc/shells is not the right way to go, though,
> since doing so would be against the definition of /etc/shells: that
> file should list only true unrestricted command interpreters (note:
> /usr/bin/chsh).
>
I believe that rather than an oversight in wu-ftpd, it is a built-in
feature. Many administrators use a non-standard shell in order to lock
accounts. Something like this is what I use:
#!/usr/bin/perl
# This is the shell used for locked accounts
# -Matt Stainforth
print "Sorry, this account is locked.\n\n";
if ( -r "$ENV{'HOME'}/.lockreason" ){
    # Show the reason the administrator left in the user's home directory
    open (LKR, "$ENV{'HOME'}/.lockreason");
    while (<LKR>){
        print;
    }
    close (LKR);
    # Pause roughly one second per word so the message can be read, ten at least
    chop ($sleep = `wc -w $ENV{'HOME'}/.lockreason`);
    $sleep = $1 if $sleep =~ /^\s*(\d+)/;
    $sleep = 10 if $sleep < 10;
}
else{
    $sleep = 5;
}
print "Contact the Computing Services UNIX administrator for more information.\n";
sleep $sleep;
exit 1;
This shell is not listed in /etc/shells and so if it is made a user's
default shell, the account is truly locked. No telnet and no FTP access.
Matt...
______________________________________________________________________________
Matthew Stainforth
Information Systems Analyst
NBCC - Moncton Campus
Phone: (506) 856-2249
Email: mbs@mctnmail.nbnet.nb.ca
    require "disclaim.pl";
    &Disclaim($opinions)||die "drop dead $!";
    _/\o_
______________________________________________________________________________
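The rule both messages above describe (wu-ftpd refuses an FTP login when the account's shell is not listed in /etc/shells) is easy to audit. The following Python script is an added example for this thread, not code from either poster: it parses passwd(5) and /etc/shells content, reports which accounts the check admits and which it refuses, and flags non-interpreters such as /bin/false in /etc/shells, the workaround Yury argues against. The passwd and shells contents are constructed samples; the hypothetical /usr/local/bin/locked stands in for a lock shell like Matt's.

```python
"""Audit which accounts a wu-ftpd-style /etc/shells check would admit.

Added example for this thread, not Matt's or Yury's code. It assumes the rule
both posts describe: FTP login is refused when the account's login shell is
not listed in /etc/shells. All file contents below are constructed samples.
"""
from typing import Dict, List, Set

# Constructed sample /etc/shells: only true, unrestricted command interpreters.
SAMPLE_SHELLS = """\
# valid login shells
/bin/sh
/bin/bash
/bin/csh
"""

# Constructed sample /etc/passwd. 'bob' is locked with a non-listed shell
# (hypothetical /usr/local/bin/locked) the way the post recommends; 'ftp'
# uses /bin/false; 'nobody' has an empty shell field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (locked):/home/bob:/usr/local/bin/locked
ftp:x:14:50:FTP user:/var/ftp:/bin/false
nobody:x:65534:65534:nobody:/:
"""

# Programs sometimes added to /etc/shells "to make FTP work" that are not
# command interpreters; Yury's point is that they do not belong there.
NON_INTERPRETERS = {"/bin/false", "/usr/bin/false", "/sbin/nologin",
                    "/usr/sbin/nologin", "/etc/ftponly"}


def parse_shells(text: str) -> Set[str]:
    """Return the shell paths listed in /etc/shells (blank and '#' lines skipped)."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def parse_passwd(text: str) -> Dict[str, str]:
    """Map user name -> login shell from passwd(5) lines.

    passwd(5) defines an empty seventh field as /bin/sh, so it is normalised.
    """
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = fields[6] or "/bin/sh"
    return users


def ftp_access(passwd: Dict[str, str], shells: Set[str]) -> Dict[str, List[str]]:
    """Split accounts into those the /etc/shells check admits and those it refuses."""
    allowed = sorted(u for u, sh in passwd.items() if sh in shells)
    denied = sorted(u for u, sh in passwd.items() if sh not in shells)
    return {"allowed": allowed, "denied": denied}


def shells_file_problems(shells: Set[str]) -> List[str]:
    """Entries in /etc/shells that are not command interpreters.

    Each such entry re-opens FTP for every account using it, which is the
    side effect of the /bin/false-in-/etc/shells workaround.
    """
    return sorted(shells & NON_INTERPRETERS)


if __name__ == "__main__":
    shells = parse_shells(SAMPLE_SHELLS)
    users = parse_passwd(SAMPLE_PASSWD)
    report = ftp_access(users, shells)
    print("FTP allowed:", ", ".join(report["allowed"]))
    print("FTP denied: ", ", ".join(report["denied"]))
    print("/etc/shells problems:", shells_file_problems(shells) or "none")
    # The workaround Yury warns about: /bin/false listed in /etc/shells
    with_false = shells | {"/bin/false"}
    print("After adding /bin/false, FTP allowed:",
          ", ".join(ftp_access(users, with_false)["allowed"]))
    print("/etc/shells problems:", shells_file_problems(with_false))
```

On a real host, feed the script the contents of /etc/shells and /etc/passwd in place of the samples; the second half of the run shows why the workaround is worse than a dedicated lock shell: once /bin/false is in /etc/shells, the ftp account and every other /bin/false account becomes FTP-reachable again.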