[836] in linux-security and linux-alert archive


Re: [linux-security] wu.ftp, ftpaccess, and /bin/false shell

daemon@ATHENA.MIT.EDU (Matt Stainforth)
Fri Jun 21 12:16:00 1996

Date: Thu, 20 Jun 1996 08:41:07 -0300 (ADT)
From: Matt Stainforth <mbs@mctnmail.nbnet.nb.ca>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960620082226.12815D-100000@mctnmail.nbnet.nb.ca>

On Mon, 17 Jun 1996, Yury Shevchuk wrote:

> IMHO, this is an overlook in wu-ftpd: the daemon denies access to
> users whose shells are not listed in /etc/shells.  Adding /etc/ftponly
> (or /bin/false) to /etc/shells is not the right way to go, though,
> since doing so would be against the definition of /etc/shells: that
> file should list only true unrestricted command interpreters (note:
> /usr/bin/chsh).
> 

I believe that rather than an oversight in wu-ftpd, it is a built-in 
feature.  Many administrators use a non-standard shell in order to lock 
accounts.  Something like this is what I use:

#!/usr/bin/perl
use strict;
use warnings;

# This is the shell used for locked accounts
# -Matt Stainforth

print "Sorry, this account is locked.\n\n";

my $sleep  = 5;
my $reason = "$ENV{HOME}/.lockreason";

if ( -r $reason ) {
  # Show the administrator's note, then pause one second per word
  # (at least ten) so the user has time to read it before the
  # connection drops.
  my $words = 0;
  open (my $lkr, '<', $reason) or die "cannot open $reason: $!";
  while (<$lkr>) {
    print;
    my @w = split;       # count words here instead of shelling out to wc
    $words += @w;
  }
  close ($lkr);
  $sleep = $words;       # the original regex had (d+) where (\d+) was meant
  $sleep = 10 if $sleep < 10;
}
print "Contact the Computing Services UNIX administrator for more information.\n";
sleep $sleep;
exit 1;

This shell is not listed in /etc/shells and so if it is made a user's 
default shell, the account is truly locked.  No telnet and no FTP access.

Matt...
______________________________________________________________________________
Matthew Stainforth           
Information Systems Analyst           require "disclaim.pl";       
NBCC - Moncton Campus          &Disclaim($opinions)||die "drop dead $!"; 
Phone: (506) 856-2249            
Email: mbs@mctnmail.nbnet.nb.ca               _/\o_ 
______________________________________________________________________________ 
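The /etc/shells rule the message relies on, as an added example that is not part of the original post or of wu-ftpd: a small audit in Python that applies the same "is the login shell listed in /etc/shells" test to each passwd entry, so an administrator can see which accounts a daemon doing that check would refuse. The passwd and shells contents are constructed sample data; the getusershell(3) fallback to /bin/sh and /bin/csh when /etc/shells is missing or empty is standard libc behaviour.

```python
# Added example, not from the original post: mirrors the /etc/shells check
# the thread discusses, so an admin can list which accounts an
# /etc/shells-checking daemon (wu-ftpd, for one) would refuse.
# getusershell(3) falls back to these when /etc/shells is absent or empty.
DEFAULT_SHELLS = ("/bin/sh", "/bin/csh")

# Constructed sample data standing in for /etc/shells and /etc/passwd.
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/tcsh
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/usr/local/bin/locked.pl
carol:x:1003:1003:Carol:/home/carol:/bin/false
dave:x:1004:1004:Dave:/home/dave:
"""

def parse_shells(text):
    """Shells listed in /etc/shells; comments and blank lines are ignored."""
    shells = {l.strip() for l in text.splitlines()
              if l.strip() and not l.lstrip().startswith("#")}
    return shells or set(DEFAULT_SHELLS)

def audit_accounts(passwd_text, shells_text):
    """Map each login name to 'allowed' or 'locked' under the /etc/shells rule.

    An empty shell field means /bin/sh (the getpwent convention), so such an
    account is locked only if /bin/sh itself is missing from /etc/shells.
    """
    valid = parse_shells(shells_text)
    status = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed entry: skip rather than guess
        name, shell = fields[0], fields[6] or "/bin/sh"
        status[name] = "allowed" if shell in valid else "locked"
    return status

if __name__ == "__main__":
    for user, state in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(f"{user:8} {state}")
```

Run against the real files (`open("/etc/passwd").read()` and `open("/etc/shells").read()`) to list which local accounts are effectively locked out of shell and FTP login on a host that applies this check.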