
/bin/nologin scripts

Hi all, can you try and help?

If I used the below script, would I be safe from intruders?
Could somebody run arbitrary code if I used this script?
Regards,
Gareth
PS: thank you to anybody that replies


################start###############
#!/bin/sh

# Timestamp used to name a scratch file for the report
TEMP=`date "+%y%m%d%H%M%S"`
touch /tmp/log.$TEMP
echo
echo Login not permitted on this account
echo

# Build the mail body: subject, blank line, then who is logging in and on which host
echo "Subject: Illegal login" >>/tmp/log.$TEMP
echo " " >>/tmp/log.$TEMP
who am i >>/tmp/log.$TEMP
uname -a >>/tmp/log.$TEMP

# Send the report (recipient given on the command line) and remove the scratch file
/usr/lib/sendmail -t sec@sdplc.com </tmp/log.$TEMP
rm /tmp/log.$TEMP

########end#########
 
Would the script be executed from (for example) /etc/profile or .profile on logging in? I think you would probably need to include a test for the username(s) you're trying to exclude. Can you be more specific, please?
 
Thanks for the response.
I was going to set this as the shell in the password file.
So if a mail user tried to login via ssh (as opposed to POP) etc. the shell would run but they would get kicked out.

Am I on the right lines?
 
Hmmm. I've never seen it done this way (but others may well have). I guess it's possible, but be careful that the user isn't able to break out of the script before they are kicked out. Presumably you'll also need an exit in there to kill off the session? Sorry to be so vague, but why not give it a go with a test user and see whether it works. I'd be interested to see the result. Cheers.

As an afterthought, it's possible that if you don't include this 'shell' in a file called /etc/shells (you can create one if it doesn't exist, see man shells), the user with the shell won't be able to login anyway. HTH.
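A hardened version of the deny-login shell, added here as an example and not code from the thread. It addresses the points raised in the replies above (the session must end, and the user must not get anything else from the script) and also avoids the posted script's predictable scratch file in /tmp: the report goes straight into sendmail through a pipe, terminal escape sequences are stripped from the session details before they reach an administrator's mailbox, and the script finishes with an explicit exit 1. The install path /usr/local/sbin/nologin-report, the report address, and the use of logger as a fallback when sendmail is absent are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script): a deny-login shell that
# reports the attempt without writing a predictable file in /tmp.
# Install as /usr/local/sbin/nologin-report (assumed path) and set it as the
# shell of mail-only accounts in /etc/passwd.
# Assumptions: sendmail lives at /usr/lib/sendmail; the address is a placeholder.

REPORT_TO="${NOLOGIN_REPORT_TO:-security@example.invalid}"   # placeholder address
SENDMAIL=/usr/lib/sendmail

# Keep only printable characters: tty names and remote host strings end up in
# a mail read by an admin, so terminal escape sequences must not pass through.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd '[:print:]\n'
}

# Compose the report. Arguments: user name, "who am i" line, "uname -a" line.
report_body() {
    user=$(sanitize "$1")
    session=$(sanitize "$2")
    system=$(sanitize "$3")
    printf 'To: %s\n' "$REPORT_TO"
    printf 'Subject: Login attempt on denied account %s\n\n' "$user"
    printf 'Account : %s\n' "$user"
    printf 'Session : %s\n' "${session:-unknown}"
    printf 'System  : %s\n' "${system:-unknown}"
}

# Deliver via sendmail when present; otherwise fall back to syslog so the event
# is still recorded. No scratch file is needed: the body travels through a pipe.
deliver_report() {
    if [ -x "$SENDMAIL" ]; then
        "$SENDMAIL" -t
    else
        logger -t nologin-report 2>/dev/null || cat >/dev/null
    fi
}

# Print the refusal, report the attempt, and end the session with a failure code.
deny_login() {
    echo
    echo "Login not permitted on this account"
    echo
    report_body "$(id -un)" "$(who am i 2>/dev/null)" "$(uname -a)" | deliver_report
    exit 1
}

# Only act as the deny shell when invoked under its installed name (login
# shells are started as "-nologin-report"), so the functions above can also be
# sourced and tested on their own.
case "$0" in
    *nologin-report) deny_login ;;
esac
```

Whether the path also needs to be listed in /etc/shells depends on your policy: leaving it out, as the reply above notes, blocks the account at login on systems that consult that file, which may be exactly what you want for mail-only users.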
 
Gareth,
I'm not so sure what you are trying to achieve here, but let's assume that you have email users and telnet/ssh users and you only want valid users to access the command line?

I would first turn off telnet altogether and ask your telnet users to access the server with an ssh client like PuTTY, then I would add two lines in the sshd_conf at the bottom that say:

#AllowUsers "This is a list of users allowed to ssh into the server, each separated by a space"
AllowUsers fred bob tom admin jill

Then restart the sshd daemon. You will have a small overhead in that you need to update this file for each system/ssh user you add.

Also I would find all users in the /etc/passwd file that should NOT have either telnet or ssh access and change the shell {last field of the password string} to /bin/noshell

This will reject them if they try to login via telnet or ssh, pop and smtp users will not be affected.

Hope this helps
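To check that the two controls in this reply are applied consistently, here is an added audit script (not from the thread). It reads a passwd file, an /etc/shells file and an sshd_config, then lists accounts that still have a valid login shell without being in AllowUsers, accounts in AllowUsers whose shell is not a valid login shell (which, as noted earlier in the thread, will not be able to log in), and AllowUsers names with no matching account. The three input files are constructed samples so the audit runs offline; /usr/local/sbin/nologin-report as a deny shell is an assumed name.

```shell
#!/bin/sh
# Added example (not from the thread): audit which accounts can still reach a
# command line, combining the AllowUsers list in sshd_config with the shell
# field of /etc/passwd. Input files are given as arguments so the script can be
# pointed at real files later; the samples below are constructed data.

# Constructed sample data (not real accounts); prints the directory it created.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
fred:x:1001:1001::/home/fred:/bin/sh
bob:x:1002:1002::/home/bob:/bin/bash
mailonly:x:1003:1003::/var/mail/mailonly:/sbin/nologin
popuser:x:1004:1004::/var/mail/popuser:/bin/sh
jill:x:1005:1005::/home/jill:/usr/local/sbin/nologin-report
EOF
    cat >"$dir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
    printf 'Port 22\nAllowUsers fred bob tom admin jill\n' >"$dir/sshd_config"
    echo "$dir"
}

# Usage: audit_shell_access PASSWD SHELLS SSHD_CONFIG
# Prints one line per finding:
#   CHANGE-SHELL user  has a valid login shell but is not in AllowUsers
#   LOCKED-OUT   user  is in AllowUsers but its shell is not in /etc/shells
#   NO-ACCOUNT   user  is named in AllowUsers but absent from passwd
# Note that uid 0 is reported like any other account; decide by policy.
audit_shell_access() {
    allowed=$(sed -n 's/^AllowUsers[[:space:]]\{1,\}//p' "$3")
    awk -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, a, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        # First file: the list of valid login shells (comments and blanks skipped)
        FNR == NR { if ($0 !~ /^#/ && $0 != "") valid[$0] = 1; next }
        # Second file: passwd entries, user in field 1 and shell in field 7
        {
            split($0, f, ":"); user = f[1]; shell = f[7]; seen[user] = 1
            if ((shell in valid) && !(user in ok)) print "CHANGE-SHELL " user
            if ((user in ok) && !(shell in valid)) print "LOCKED-OUT " user
        }
        END { for (u in ok) if (!(u in seen)) print "NO-ACCOUNT " u }
    ' "$2" "$1"
}

# Stand-alone run against the constructed samples
sample_dir=$(make_samples)
audit_shell_access "$sample_dir/passwd" "$sample_dir/shells" "$sample_dir/sshd_config" | LC_ALL=C sort
rm -rf "$sample_dir"
```

Against the samples, popuser is flagged for a shell change (a POP account that still has /bin/sh), jill is flagged as locked out because her deny shell is not in /etc/shells even though she is in AllowUsers, and tom and admin are AllowUsers entries without accounts. Run it against the real files as root once the list and the shells have been changed, and repeat it whenever a user is added.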
 