Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

using /etc/zshenv for access control



Greetings all

Feel free to tell me if I'm a moron for trying this, but here's what I
want to do:

All my users have their shell as /usr/bin/zsh (which is 3.0.2)

What I want to do is deny _incoming_ telnet/rsh/rlogin/ftp access for
these users.  However, I still want to be able to telnet/rlogin/ftp into
the machine.

For now let's forget ftp because that's a different beast.  So I've
commented out 'rshd' and 'ftpd' in /etc/inetd.conf.

I've put this in /etc/zshenv:

#begin

# Note: I should have some 'trap' commands here
# to prevent people from getting around this
# which ones should I have?

PNAME=`/bin/ps -axlcw | awk '{ pid=$3; ppid[pid]=$4; \
name[pid]=$NF; } END { pid='$$';\
while (name[pid]==name[ppid[pid]]) pid=ppid[pid]; \
print name[ppid[pid]]; }'`


case $PNAME in
	telnetd|rlogind) 
		echo "Direct access ($PNAME) denied" 
		exit 0
	;;
esac

So that effectively takes care of any incoming telnet/rlogin connections,
right?

What I want to do instead is have anyone who wants to telnet/rlogin do so
to a single user whose login shell is _NOT_ /usr/bin/zsh but rather a
script like this:


#!/bin/sh

# need 'trap' commands here also

echo -n "What user do you want to login as: "
read user

# note: this user will not be a member of the group 
# 'wheel' so he will not be able to 'su' to root
# but will have to go to a regular user account
exec /bin/su - $user
exit 0


Ok, here are the questions:

1) what 'trap' comments do I need in  
	a) /etc/zshenv
	b) the above script?

2) what holes am I missing in the script?

3) right now this doesn't work at all because PNAME in /etc/zshenv still
thinks it is being called from telnetd or rlogind... should I use this in
the /bin/sh script instead?

exec /bin/sh -c /bin/su - $user


What do you think?  Is this a totally bizarre idea? Would a /usr/bin/zsh
script be better than a /bin/sh one?

Does ZSH have a restricted path that I can set (ie
PATH=/usr/local/restricted/bin/ and that cannot be changed and programs
cannot be accessed directly such as /bin/ps)? If so how do I set this, at 
compile time?

Thanks all

TjL

-- 
TjL <luomat@xxxxxxxx>   / http://www.peak.org/~luomat/next/ 
"The best things in life are made into inferior 
 versions and bundled with the latest Microsoft systems"
NS/OS users: My 'other sites' page has been entirely reworked





Messages sorted by: Reverse Date, Date, Thread, Author