nologin for users

Bill Maltby at home billm at
Tue Feb 19 10:02:21 PST 2002

You can do what you want once an executable is generated that has root privs,
like login has. You can also replace login with what you write to provide a
completely different security scheme. It is controlled in inittab. That
determines what starts on a (potential) terminal like tty1, ttyS1, etc. It can
start mingetty, getty, or your own program. The various getty programs
generally are coded or parameterized to call login when a connection is
established and login then takes care of security issues.

However, you can write a custom prog and use "your getty" or "your login".

Also, the pseudo-users you mentioned can be restricted with rsh (restricted
shell). You'll have to see the man page for details on that.

Bill Maltby
billm at

In article <a4u2u8$su8$1 at>,
 Gregory Davis <gdavis7 at> writes:
>Login has documentation on how to stop all users but root from logging into 
>a system.  Otherwise, all users may login.  This poses a threat, I think, 
>for users like "nobody" that aren't really users, but rather are dummy 
>users.  Assuming I set a password for that account, passwords can still be 
>cracked, and that would lead to a security defect.  I have seen on other 
>non-LFS systems a passwd file that lists the login shell of such dummy 
>users as /sbin/nologin or /sbin/false.  What is the theory behind those, 
>and are they simply nonshell programs?  For instance, can I just write a 
>program in my favorite language (C/C++) that prints an error message and 
>returns exit failure to the OS, and use that as the /sbin/nologin shell?
>P.S.  I didn't find anything along these lines in the LFS book in chapter 5 
>(passwd and group) or in the BLFS cvs book, where is this appropriate?
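
The kind of program the question describes, as an added example that is not part of the original thread and is not LFS code: a non-shell "login shell" that logs the attempt, prints a refusal, and exits with failure. The function names, the message-file path /etc/nologin.txt and the syslog tag are assumptions chosen for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define DEFAULT_MSG "This account is currently not available.\n"
#define MSG_FILE "/etc/nologin.txt" /* assumed path for a site-specific message */

/* Return the refusal text: the contents of `path` if it is readable and
 * non-empty, otherwise DEFAULT_MSG. At most size-1 bytes are read. */
const char *refusal_message(const char *path, char *buf, size_t size)
{
    FILE *fp;
    size_t n;

    if (size == 0 || (fp = fopen(path, "r")) == NULL)
        return DEFAULT_MSG;
    n = fread(buf, 1, size - 1, fp);
    fclose(fp);
    if (n == 0)
        return DEFAULT_MSG;
    buf[n] = '\0';
    return buf;
}

/* Refuse the session. No arguments are accepted, so an invocation such as
 * "<shell> -c command" never runs the command. */
int refuse_login(const char *msg_path)
{
    char buf[512];
    const char *msg;
    const char *tty = ttyname(STDIN_FILENO);

    openlog("nologin", LOG_PID, LOG_AUTH);
    syslog(LOG_WARNING, "refused login for uid %ld on %s",
           (long)getuid(), tty ? tty : "(no tty)");
    closelog();

    msg = refusal_message(msg_path, buf, sizeof buf);
    fwrite(msg, 1, strlen(msg), stderr);
    return EXIT_FAILURE;
}

int main(void)
{
    return refuse_login(MSG_FILE);
}
```

Installed as the last field of a dummy account's /etc/passwd entry, it is what login executes in place of a shell, and the session ends as soon as it exits.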