I need to set up some (err, a lot) of user accounts for (pop) mail and
ftp access purposes.  But disallow shell login access.
What I can do to achieve this - and it works well - is to create a
small script, thus:
#!/usr/bin/tail +6
#
# /etc/NOSHELL
#
#   Login shell to prevent shell access for user accounts
#
  #########################################################################
  #                                                                       #
  #               Sorry, you do not have login access.                    #
  #  If you need any special requirements, please contact GrowZone OnLine #
  #                                                                       #
  #########################################################################
... then add /etc/NOSHELL to the login shell field of /etc/passwd.
Attempts to log in as one of these users work as expected... display
of the last few lines, then logs the user back out again.  Sweet.
For ftp access to work, an entry for /etc/NOSHELL needs to be added
to /etc/shells - once done, also sweet.
However, I came across this comment in the sendmail FAQ where it talks
about allowing users to forward their mail to a program...
	http://www.sendmail.org/faq/section3.html#3.11
It states:
	NOTA BENE: DO NOT list /usr/local/etc/nologin in /etc/shells
	-- this will open up other security problems. 
Does adding a "noshell" to /etc/shells really open up security holes?
If so, what are they?
Are there any alternatives to this?
  Aside:
  One alternative we are currently using on many of our boxes here is
  to actually disable telnet in /etc/inetd.conf, and then run
  sshd/ssh2d as a daemon heavily wrapped in /etc/hosts.{allow,deny}
  But this approach still begs the question about allowing ftp access
  and, according to the sendmail FAQ, the security holes this is
  supposed to create.
Cheers
Tony
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
  Tony Nugent <Tony@growzone.com.au>          Systems Administrator
  GrowZone OnLine       (a project of) GrowZone Development Network
  POBox 475 Toowoomba Queensland Australia 4350    Ph: 07 4637 8322
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
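
Added example, not part of the original post: a shell audit of the setup described above, reporting which accounts use a restricted login shell that is also listed in the valid-shells file. The ftp daemon mentioned in the post and the sendmail check the FAQ refers to both consult that file. The function names and the sample accounts are constructed for illustration; the file paths default to /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example: audit login shells against the list of valid shells.
# Prints "<user> <shell> listed|unlisted" for every passwd entry.
audit_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    awk -F: -v shells="$shells_file" '
        BEGIN {
            # Load the valid-shell list, ignoring comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") valid[line] = 1
            }
            close(shells)
        }
        /^[^#]/ && NF >= 7 {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            state = (shell in valid) ? "listed" : "unlisted"
            print $1, shell, state
        }
    ' "$passwd_file"
}

# Users whose shell is the restricted shell $1 while $1 is also in the
# shells file: programs that consult that file accept these accounts.
restricted_but_listed() {
    audit_shells "$2" "$3" |
        awk -v s="$1" '$2 == s && $3 == "listed" { print $1 }'
}

# Constructed sample data (not real accounts), mirroring the post's setup.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Mail only:/home/alice:/etc/NOSHELL
bob:x:1002:1002:Mail and ftp:/home/bob:/etc/NOSHELL
carol:x:1003:1003:No access:/home/carol:/bin/false
EOF
    printf '%s\n' '# valid login shells' /bin/sh /etc/NOSHELL > "$dir/shells"
    restricted_but_listed /etc/NOSHELL "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}
demo
```

Run with no arguments to audit_shells to check the live system files; any account reported as "listed" is one that shell-validating programs will treat as having a valid shell.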