Date: Mon, 2 Jun 1997 12:40:11 -0700 (PDT)
From: Timothy Luoma
Reply-To: Tim Luoma
To: zsh-users@math.gatech.edu
Subject: using /etc/zshenv for access control
Organization: The PEAK FTP site for OpenStep & NeXTStep
X-URL: http://www.next.peak.org/~luomat

Greetings all

Feel free to tell me if I'm a moron for trying this, but here's what I want to do:

All my users have their shell as /usr/bin/zsh (which is 3.0.2). What I want to do is deny _incoming_ telnet/rsh/rlogin/ftp access for these users. However, I still want to be able to telnet/rlogin/ftp into the machine. For now let's forget ftp because that's a different beast.

So I've commented out 'rshd' and 'ftpd' in /etc/inetd.conf.

I've put this in /etc/zshenv:

    #begin
    # Note: I should have some 'trap' commands here
    # to prevent people from getting around this
    # which ones should I have?
    PNAME=`/bin/ps -axlcw | awk '{ pid=$3; ppid[pid]=$4; \
        name[pid]=$NF; } END { pid='$$';\
        while (name[pid]==name[ppid[pid]]) pid=ppid[pid]; \
        print name[ppid[pid]]; }'`
    case $PNAME in
        telnetd|rlogind)
            echo "Direct access ($PNAME) denied"
            exit 0
            ;;
    esac

So that effectively takes care of any incoming telnet/rlogin connections, right?
What I want to do instead is have anyone who wants to telnet/rlogin do so to a single user whose login shell is _NOT_ /usr/bin/zsh but rather a script like this:

    #!/bin/sh
    # need 'trap' commands here also
    echo -n "What user do you want to login as: "
    read user
    # note: this user will not be a member of the group
    # 'wheel' so he will not be able to 'su' to root
    # but will have to go to a regular user account
    exec /bin/su - "$user"
    exit 0

Ok, here are the questions:

1) what 'trap' commands do I need in
   a) /etc/zshenv
   b) the above script?

2) what holes am I missing in the script?

3) right now this doesn't work at all because PNAME in /etc/zshenv still thinks it is being called from telnetd or rlogind... should I use this in the /bin/sh script instead?

    exec /bin/sh -c /bin/su - $user

What do you think? Is this a totally bizarre idea? Would a /usr/bin/zsh script be better than a /bin/sh one?

Does ZSH have a restricted path that I can set (i.e. PATH=/usr/local/restricted/bin/ that cannot be changed, and programs cannot be accessed directly such as /bin/ps)? If so how do I set this, at compile time?

Thanks all

TjL

--
TjL / http://www.peak.org/~luomat/next/
"The best things in life are made into inferior versions and bundled with the latest Microsoft systems"
NS/OS users: My 'other sites' page has been entirely reworked
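Added example, not part of the original post: the ancestor walk from the /etc/zshenv snippet replayed against constructed ps listings, showing that the name the check sees depends on whether an intermediate su execs the login shell in place or stays resident and forks it. The listings, pids and the gate_parent_name/gate_decision names are all made up for the demonstration.

```shell
# Constructed ps -axlcw style listings (not real output): field 3 is PID,
# field 4 is PPID, last field is the command name, as the original awk expects.
# Case 1: su exec'd the login shell in place, so the shell's parent is telnetd.
TREE_EXEC='  F   UID   PID  PPID CMD
  4     0     1     0 init
  4     0    10     1 telnetd
  0   500    20    10 zsh'
# Case 2: su stayed resident and forked the shell; nearest other ancestor is su.
TREE_FORK='  F   UID   PID  PPID CMD
  4     0     1     0 init
  4     0    10     1 telnetd
  4     0    20    10 su
  0   500    30    20 zsh'
# Case 3: zsh started from zsh; same-named parents are skipped by the walk.
TREE_NESTED='  F   UID   PID  PPID CMD
  4     0     1     0 init
  4     0    10     1 telnetd
  0   500    20    10 zsh
  0   500    30    20 zsh'

# gate_parent_name START: read a ps listing on stdin, walk up from START while
# the command name stays the same, print the command one level above. Same
# logic as /etc/zshenv; the pid is passed with -v rather than spliced into the
# program text, and the walk stops at a parent that is not in the table.
gate_parent_name() {
  awk -v start="$1" '
    { pid = $3; ppid[pid] = $4; name[pid] = $NF }
    END {
      pid = start
      while ((ppid[pid] in name) && name[pid] == name[ppid[pid]]) pid = ppid[pid]
      print name[ppid[pid]]
    }'
}

# gate_decision NAME: the case test from /etc/zshenv, printing deny or allow.
gate_decision() {
  case "$1" in
    telnetd|rlogind) echo deny ;;
    *) echo allow ;;
  esac
}

p=$(printf '%s\n' "$TREE_EXEC" | gate_parent_name 20)
echo "exec case:   parent=$p -> $(gate_decision "$p")"
p=$(printf '%s\n' "$TREE_FORK" | gate_parent_name 30)
echo "fork case:   parent=$p -> $(gate_decision "$p")"
p=$(printf '%s\n' "$TREE_NESTED" | gate_parent_name 30)
echo "nested case: parent=$p -> $(gate_decision "$p")"
```

Case 1 is the situation where the zshenv check still fires from inside the gatekeeper script: once su has exec'd zsh, the only process between the shell and telnetd is gone.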