Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
using /etc/zshenv for access control
- X-seq: zsh-users 876
- From: Timothy Luoma <luomat@xxxxxxxx>
- To: zsh-users@xxxxxxxxxxxxxxx
- Subject: using /etc/zshenv for access control
- Date: Mon, 2 Jun 1997 12:40:11 -0700 (PDT)
- Organization: The PEAK FTP site for OpenStep & NeXTStep
- Reply-to: Tim Luoma <luomat@xxxxxxxx>
Greetings all
Feel free to tell me if I'm a moron for trying this, but here's what I
want to do:
All my users have their shell as /usr/bin/zsh (which is 3.0.2)
What I want to do is deny _incoming_ telnet/rsh/rlogin/ftp access for
these users. However, I still want to be able to telnet/rlogin/ftp into
the machine.
For now let's forget ftp because that's a different beast. So I've
commented out 'rshd' and 'ftpd' in /etc/inetd.conf.
I've put this in /etc/zshenv:
#begin
# Note: I should have some 'trap' commands here
# to prevent people from getting around this
# which ones should I have?
#
# Walk up the process tree from this shell ($$, spliced into the awk
# program by the shell), skipping ancestors that share the shell's own
# name (nested shells), and report the name of the first one that differs.
# Columns $3/$4 are PID/PPID in 'ps -l' output; $NF is the command name.
PNAME=`/bin/ps -axlcw | awk '{ pid=$3; ppid[pid]=$4; \
name[pid]=$NF; } END { pid='$$';\
while (name[pid]==name[ppid[pid]]) pid=ppid[pid]; \
print name[ppid[pid]]; }'`
case "$PNAME" in
telnetd|rlogind)
echo "Direct access ($PNAME) denied"
exit 0
;;
esac
So that effectively takes care of any incoming telnet/rlogin connections,
right?
What I want to do instead is have anyone who wants to telnet/rlogin do so
to a single user whose login shell is _NOT_ /usr/bin/zsh but rather a
script like this:
#!/bin/sh
# need 'trap' commands here also
# printf instead of 'echo -n': not every sh's echo understands -n
printf "What user do you want to login as: "
read -r user
# note: this user will not be a member of the group
# 'wheel' so he will not be able to 'su' to root
# but will have to go to a regular user account
# quote $user so an empty or multi-word answer is passed as one argument
exec /bin/su - "$user"
exit 0
Ok, here are the questions:
1) what 'trap' commands do I need in
a) /etc/zshenv
b) the above script?
2) what holes am I missing in the script?
3) right now this doesn't work at all because PNAME in /etc/zshenv still
thinks it is being called from telnetd or rlogind... should I use this in
the /bin/sh script instead?
exec /bin/sh -c /bin/su - $user
What do you think? Is this a totally bizarre idea? Would a /usr/bin/zsh
script be better than a /bin/sh one?
Does ZSH have a restricted path that I can set (i.e.
PATH=/usr/local/restricted/bin/ that cannot be changed, and programs such
as /bin/ps cannot be accessed directly)? If so, how do I set this: at
compile time?
Thanks all
TjL
--
TjL <luomat@xxxxxxxx> / http://www.peak.org/~luomat/next/
"The best things in life are made into inferior
versions and bundled with the latest Microsoft systems"
NS/OS users: My 'other sites' page has been entirely reworked
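The parent-process walk from the post above, as an added example that is not the poster's code: a POSIX sh version that reads the Linux /proc/<pid>/stat file for each ancestor instead of parsing ps output, and stops at the first ancestor whose command name is on a deny list. The function names, the PROC_ROOT argument and the constructed process tree are assumptions for illustration; the Linux /proc layout is the only real dependency. It covers only the ancestry check, not the 'trap' questions.

```shell
#!/bin/sh
# Added example (not the poster's code): walk a process's ancestry by reading
# Linux /proc/<pid>/stat rather than parsing `ps` output, and report the first
# ancestor whose command name is on a deny list (e.g. telnetd, rlogind).
# Assumptions: Linux /proc layout; the function names, the PROC_ROOT argument
# and the constructed process tree below are illustrative only.

# proc_comm_ppid PROC_ROOT PID
# Prints "<comm> <ppid>" for PID, or returns 1 if the stat file is unreadable.
proc_comm_ppid() {
    root=$1; pid=$2
    [ -r "$root/$pid/stat" ] || return 1
    read -r line < "$root/$pid/stat" || return 1
    # Layout: pid (comm) state ppid ...  comm may itself contain spaces or
    # ')', so take everything between the first '(' and the last ')'.
    rest=${line#*\(}
    comm=${rest%\)*}
    after=${rest##*\)}
    set -- $after                 # $1 = state, $2 = ppid
    printf '%s %s\n' "$comm" "$2"
}

# denied_ancestor PROC_ROOT PID NAME...
# Walks from PID up towards pid 1; prints the name and returns 0 at the first
# ancestor whose comm is one of NAME..., returns 1 if none is found or the
# chain cannot be read.
denied_ancestor() {
    root=$1; pid=$2; shift 2
    while [ "$pid" -gt 1 ]; do
        entry=$(proc_comm_ppid "$root" "$pid") || return 1
        comm=${entry% *}          # ppid has no spaces, so split at the last one
        ppid=${entry##* }
        for deny in "$@"; do
            if [ "$comm" = "$deny" ]; then
                printf '%s\n' "$comm"
                return 0
            fi
        done
        pid=$ppid
    done
    return 1
}

# make_fake_proc
# Builds a constructed /proc-like tree in a temp dir and prints its path:
#   1 init <- 100 telnetd <- 200 login <- 300 zsh <- 301 zsh
#   1 init <- 400 sshd    <- 401 zsh
make_fake_proc() {
    d=$(mktemp -d) || return 1
    for spec in "1 init 0" "100 telnetd 1" "200 login 100" "300 zsh 200" \
                "301 zsh 300" "400 sshd 1" "401 zsh 400"; do
        set -- $spec              # $1 = pid, $2 = comm, $3 = ppid
        mkdir -p "$d/$1"
        # only the fields up to ppid matter: pid (comm) state ppid ...
        printf '%s (%s) S %s 0 0 0\n' "$1" "$2" "$3" > "$d/$1/stat"
    done
    printf '%s\n' "$d"
}

# Demo against the constructed tree.
tree=$(make_fake_proc)
if hit=$(denied_ancestor "$tree" 301 telnetd rlogind); then
    echo "pid 301: direct access ($hit) denied"
fi
if ! denied_ancestor "$tree" 401 telnetd rlogind >/dev/null; then
    echo "pid 401: no denied ancestor"
fi
rm -rf "$tree"

# The same check against the live /proc for the current shell, as an
# /etc/zshenv could run it; silently passes if /proc is not available.
if hit=$(denied_ancestor /proc $$ telnetd rlogind); then
    echo "Direct access ($hit) denied"
fi
```

Because the walk reads each ancestor's own stat file, a chain like zsh <- zsh <- login <- telnetd is found regardless of how many same-named shells sit in between, which is what the awk loop in the post is doing by hand; the deny list is passed as arguments so the names are not hard-wired into the function.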