Re: using /etc/zshenv for access control

[<hzoli@xxxxxxxxxxxx> (Zoltan T. Hidvegi)]

Timothy Luoma wrote:
[...]

I havn't really looked at the scripts but here are some ideas:

> 1) what 'trap' comments do I need in
>       a) /etc/zshenv

Unfortunately even if the first statement in /etc/zshenv is a trap
statement a user still have a chance to hit ^C or ^\ before that trap
statement executes.  If the shell is setuid or restricted it quits on ^C
but normally the user just gets an interactive shell.  A restricted shell
is still in non-restricted mode while it is executing startup scripts but
it drops into restricted mode as soon as the startup scripts are finished.
I'll try to modify zsh so that an explicit unsetopt restricted in the
startup scripts can be used to prevent this fallback.  This way a
restricted login shell can be installed for the users which is protected
against signals, and the startup script can decide what shell the user
gets.  Of course all this is for zsh-3.1 and this new restricted stuff will
probably go only into zsh-3.1.3 as I'd like to release 3.1.2 tonight as
soon as this job control bug Peter has just reported is fixed (which is
probably related to the SIGPIPE handling).

> 3) right now this doesn't work at all because PNAME in /etc/zshenv still
> thinks it is being called from telnetd or rlogind... should I use this in
> the /bin/sh script instead?

The PNAME is generated is a very complicated way in your script.  Why don't
you use the $PPID zsh special parameter?

Zoltan