zsh-users
* using /etc/zshenv for access control
From: Timothy Luoma @ 1997-06-02 19:40 UTC
  To: zsh-users


Greetings all

Feel free to tell me if I'm a moron for trying this, but here's what I
want to do:

All my users have their shell as /usr/bin/zsh (which is 3.0.2)

What I want to do is deny _incoming_ telnet/rsh/rlogin/ftp access for
these users.  However, I still want to be able to telnet/rlogin/ftp into
the machine.

For now let's forget ftp because that's a different beast.  So I've
commented out 'rshd' and 'ftpd' in /etc/inetd.conf.

I've put this in /etc/zshenv:

#begin

# Note: I should have some 'trap' commands here
# to prevent people from getting around this
# which ones should I have?

PNAME=`/bin/ps -axlcw | awk '{ pid=$3; ppid[pid]=$4; \
name[pid]=$NF; } END { pid='$$';\
while (name[pid]==name[ppid[pid]]) pid=ppid[pid]; \
print name[ppid[pid]]; }'`


case $PNAME in
	telnetd|rlogind) 
		echo "Direct access ($PNAME) denied" 
		exit 0
	;;
esac

So that effectively takes care of any incoming telnet/rlogin connections,
right?

What I want to do instead is have anyone who wants to telnet/rlogin do so
to a single user whose login shell is _NOT_ /usr/bin/zsh but rather a
script like this:


#!/bin/sh

# need 'trap' commands here also

echo -n "What user do you want to login as: "
read user

# note: this user will not be a member of the group 
# 'wheel' so he will not be able to 'su' to root
# but will have to go to a regular user account
exec /bin/su - $user
exit 0


Ok, here are the questions:

1) what 'trap' comments do I need in  
	a) /etc/zshenv
	b) the above script?

2) what holes am I missing in the script?

3) right now this doesn't work at all because PNAME in /etc/zshenv still
thinks it is being called from telnetd or rlogind... should I use this in
the /bin/sh script instead?

exec /bin/sh -c /bin/su - $user


What do you think?  Is this a totally bizarre idea? Would a /usr/bin/zsh
script be better than a /bin/sh one?

Does ZSH have a restricted path that I can set (ie
PATH=/usr/local/restricted/bin/ and that cannot be changed and programs
cannot be accessed directly such as /bin/ps)? If so how do I set this, at 
compile time?

Thanks all

TjL

-- 
TjL <luomat@peak.org>   / http://www.peak.org/~luomat/next/ 
"The best things in life are made into inferior 
 versions and bundled with the latest Microsoft systems"
NS/OS users: My 'other sites' page has been entirely reworked





* Re: using /etc/zshenv for access control
From: Richard Coleman @ 1997-06-02 20:32 UTC
  To: zsh-users

> All my users have their shell as /usr/bin/zsh (which is 3.0.2)
> 
> What I want to do is deny _incoming_ telnet/rsh/rlogin/ftp access for
> these users.  However, I still want to be able to telnet/rlogin/ftp into
> the machine.
> 
> For now let's forget ftp because that's a different beast.  So I've
> commented out 'rshd' and 'ftpd' in /etc/inetd.conf.

It would be much easier to handle this type of access control
if you install tcp_wrappers.  I use it to block access to our
servers from everyone, but the sysadmins.  It's pretty easy to
install.

ftp.win.tue.nl:/pub/security/

/rc



* Re: using /etc/zshenv for access control
From: Zoltan T. Hidvegi @ 1997-06-02 21:03 UTC
  To: luomat; +Cc: zsh-users

Timothy Luoma wrote:
[...]

I haven't really looked at the scripts but here are some ideas:

> 1) what 'trap' comments do I need in
>       a) /etc/zshenv

Unfortunately even if the first statement in /etc/zshenv is a trap
statement a user still has a chance to hit ^C or ^\ before that trap
statement executes.  If the shell is setuid or restricted it quits on ^C
but normally the user just gets an interactive shell.  A restricted shell
is still in non-restricted mode while it is executing startup scripts but
it drops into restricted mode as soon as the startup scripts are finished.
I'll try to modify zsh so that an explicit unsetopt restricted in the
startup scripts can be used to prevent this fallback.  This way a
restricted login shell can be installed for the users which is protected
against signals, and the startup script can decide what shell the user
gets.  Of course all this is for zsh-3.1 and this new restricted stuff will
probably go only into zsh-3.1.3 as I'd like to release 3.1.2 tonight as
soon as this job control bug Peter has just reported is fixed (which is
probably related to the SIGPIPE handling).

> 3) right now this doesn't work at all because PNAME in /etc/zshenv still
> thinks it is being called from telnetd or rlogind... should I use this in
> the /bin/sh script instead?

The PNAME is generated in a very complicated way in your script.  Why don't
you use the $PPID zsh special parameter?

Zoltan
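
Added example, not part of any message in this thread: a POSIX sh version of the parent-process check discussed above, run over constructed process tables to show one way question 3's symptom can arise. The tables, PIDs and function names are assumptions for illustration, as is whether su forks or exec's the target shell; when it exec's, the gateway login has the same parent chain as a direct one.

```sh
#!/bin/sh
# Constructed process tables, one "PID PPID COMMAND" per line (not real output).
# Direct telnet login: login exec'd the user's zsh, so zsh's parent is telnetd.
DIRECT='1 0 init
50 1 inetd
200 50 telnetd
201 200 zsh'
# Gateway account, assuming su forks before starting the target shell.
GATEWAY_FORK='1 0 init
50 1 inetd
200 50 telnetd
201 200 su
202 201 zsh'
# Gateway account, assuming su exec's the shell: "exec su" and then the exec of
# zsh keep PID 201 and its parent, so the table is identical to DIRECT.
GATEWAY_EXEC=$DIRECT
CONSOLE='1 0 init
300 1 login
301 300 zsh'

# ancestors TABLE PID: print command names from the parent of PID upward.
ancestors() {
    printf '%s\n' "$1" | awk -v start="$2" '
        { ppid[$1] = $2; name[$1] = $3 }
        END {
            pid = ppid[start]
            while ((pid in name) && n++ < 64) {   # 64 hops guards against loops
                printf "%s%s", sep, name[pid]; sep = " "; pid = ppid[pid]
            }
            print ""
        }'
}

# login_path TABLE PID: classify by the nearest ancestor that matters.
login_path() {
    for cmd in $(ancestors "$1" "$2"); do
        case $cmd in
            su) echo gateway; return 0 ;;
            telnetd|rlogind) echo direct; return 0 ;;
        esac
    done
    echo console
}

# On a live system the immediate parent's name is: ps -o comm= -p "$PPID"
echo "direct login:      $(login_path "$DIRECT" 201)"
echo "gateway, su forks: $(login_path "$GATEWAY_FORK" 202)"
echo "gateway, su execs: $(login_path "$GATEWAY_EXEC" 201)"
echo "console login:     $(login_path "$CONSOLE" 301)"
```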


