[3091] in bugtraq
Re: /etc/shells (was Re: procmail
daemon@ATHENA.MIT.EDU (Douglas Song)
Thu Aug 8 16:28:02 1996
Date: Thu, 8 Aug 1996 15:17:16 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Douglas Song <dugsong@umich.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <Pine.SOL.3.94.960808104612.16901E-100000@marvin>

On Thu, 8 Aug 1996, Jauder Ho wrote:
> how about extending the passwd fields one more after the shell so
> that mine would be something like
>
> auderho:x:1298:1:Jauder Ho:/export/home/jauderho:/usr/local/bin/tcsh:tf
>
> so let's say that t stands for telnet allowed, ftp allowed ...
> this allows pretty fine grained control over users.

We do user authorization based on AFS pts group membership. So a
machine service authorization file looks something like:

    umich:lusers deny
    system:anyuser ftp
    umich:students login,ftp,ssh,xdm
    umich:admins *

This is roughly similar in concept to what Wietse Venema did with
his login.access file for the logdaemon package, except that it extends
it to other services and utilizes AFS pts, not Unix, group membership.
I'm sure Wietse's code could be easily extended to accommodate different
services...
---
Douglas Song dugsong@{umich.edu,monkey.org}
University of Michigan ITD GPCC Unix Services
www: http://www-personal.umich.edu/~dugsong
keyid: C2263445 fingerprint: BF F5 20 EA DA 2F C4 F4 7D 68 4A 50 E4 35 D1 17
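
One way to evaluate a service authorization file like the one in the message above, as an added example that is not from the original post or the author's code. Group membership is passed in as a plain set (the AFS pts lookup is out of scope), and the precedence rules (a deny entry overrides any grant, "*" grants every service, no matching group means no access) are assumptions, since the post does not state them.

```python
# Added example: evaluator for a group-based service authorization file.
# Assumed semantics (not stated in the post): a "deny" entry overrides any
# grant, "*" grants every service, and no matching group means no access.

# Constructed sample input, copied from the layout shown in the message.
SAMPLE_AUTH_FILE = """\
umich:lusers deny
system:anyuser ftp
umich:students login,ftp,ssh,xdm
umich:admins *
"""


def parse_auth_file(text):
    """Return a list of (group, frozenset_of_services) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<group> <services>'")
        group, spec = fields
        services = frozenset(s for s in spec.split(",") if s)
        if not services:
            raise ValueError(f"line {lineno}: empty service list")
        # Reject ambiguous entries such as "deny,ftp" instead of guessing.
        if len(services) > 1 and services & {"deny", "*"}:
            raise ValueError(f"line {lineno}: 'deny' and '*' must stand alone")
        rules.append((group, services))
    return rules


def is_authorized(rules, user_groups, service):
    """Decide whether a user who belongs to user_groups may use service."""
    granted = False
    for group, services in rules:
        if group not in user_groups:
            continue
        if "deny" in services:
            return False  # fail closed: one deny beats every grant
        if "*" in services or service in services:
            granted = True
    return granted  # stays False when no rule matched (default deny)
```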