RE: How to Restrict a user, not a root, Login to the Console?
From: Myers, Mike (Mike.Myers_at_nwdc.net)
Date: Fri, 30 Jul 2004 08:43:27 -0700 To: firstname.lastname@example.org, email@example.com
We worked up a semi-solution to this (I call it a "semi" solution because I'm sure a determined person could work around it but it makes doing "the right thing" the path of least resistance).
This takes the form of a new "shell" which looks to see if the owner of the TTY is the same as the person running the shell. If they match, it's a regular login and it's blocked. If they don't match, it's probably an "su" to the account. At that point things get interesting.
If you still permit "rsh" connections an "rsh foobar /some/command" will end up with a TTY owned by root but be running under a non-root user id (rlogin or just "rsh foobar" sets the tty ownership correctly). Thus we must fall back to checking the TERM variable. If it's not set (rsh doesn't set it when it's passed a command), then we bail.
To make this work with startup files, we must set a dummy TERM variable in the /etc/init.d/XXX file before invoking the "su" to the user.
FTP connections will be blocked if you make sure /etc/shells exists and does NOT include this shell.
Oh yea, the shell also parses it's invocation name (eg. /usr/bin/sush_csh) to figure out what kind of "real" shell to spawn (the list of acceptable shells is hard coded into the program)
The code is fairly simple (134 lines with ~25% of them comments). I can send it to anyone who's interested.
- Mike Myers, Mike.Myers <at> nwdc.net