>> I was just asked to enforce security on our network by selecting
>> users on hosts. I thought of using the +@ / -@ feature in /etc/passwd.
>> And I did:
>> tail /etc/passwd
>> sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdi
>> sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
>> -@u_students:
>> +::::::
>> Since the manual pages passwd(5) says:
>> -@netgroup means
>> to disallow any subsequent entries for all members of the
>> network group netgroup.
>> I thought that no students could log in to this host (because of the word
>> "subsequent"). But it fails. Why?
1. Some people told me this is the reverse order: I disallow students,
then I allow everyone. So they told me to write:
+::::::
-@u_students:
It doesn't work.
2. Some people told me:
+@u_students::0:0::/no/home:/some/prog
I didn't test this. But doing this, people have
an account, of course with no login/rlogin/telnet.
But there are a lot of ways to execute commands: .forward,
rsh, on, ftp, etc. (yes, I know how to protect against the first 4
but not how to protect against the fifth...)
3. AN ANSWER IS to set a regular passwd line:
-@u_students::0:0::::
+::::::
Without the two '0', it doesn't work.
It's not quite normal because to allow people you just
have to say:
+@u_students:
So there is a dissymmetry between allowing/disallowing.
And DEC/Ultrix understands the short form (-@u_students:).
So I think there is a bug...
Thanks to:
brent@curie.ssctr.bcm.tmc.edu
paul@Concour.cs.Concordia.CA
jstewart@mailbox.syr.edu
trinkle@cs.purdue.edu
canuck@rice.edu
stern@sunne.East.Sun.COM
bernards@ECN.NL
tom@sees.bangor.ac.uk
mdl@cypress.com
matt@oddjob.uchicago.edu
butzer@cis.ohio-state.edu
stanonik@nprdc.navy.mil
phil@pex.eecs.nwu.edu
--Jacques Beigbeder
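The three configurations discussed in this post (the original attempt, the reversed order, and the full-entry form that finally worked) can be checked against a small simulation of NIS compat-mode lookups. The following is an added example, not code from the post or from any vendor's libc. The netgroup and NIS accounts are constructed. The `strict_minus` switch is an assumption fitted to what the post reports: a `-` entry with fewer than seven fields is silently ignored, so `-@u_students:` does nothing while `-@u_students::0:0::::` takes effect (the post's remark that the two "0"s were also required is not modelled). Field overriding in `+` entries follows the glibc nss_compat convention (password, gecos, home and shell), which is also an assumption about the SunOS box in question.

```python
"""Simulate /etc/passwd compat-mode lookups with +/- netgroup entries.

Added example: illustrates why the posted ordering and the reversed
ordering behave as reported. Data below is constructed.
"""

# Constructed data (assumption): one netgroup, three NIS accounts.
NETGROUPS = {"u_students": {"alice", "bob"}}
NIS_PASSWD = {
    "alice": "alice:x:1001:100:Alice Student:/home/alice:/bin/csh",
    "bob":   "bob:x:1002:100:Bob Student:/home/bob:/bin/csh",
    "carol": "carol:x:2001:200:Carol Staff:/home/carol:/bin/sh",
}
# Field indexes a non-empty value in a + entry overrides (passwd, gecos,
# dir, shell). glibc nss_compat convention; assumed for this model.
OVERRIDABLE = (1, 4, 5, 6)


def in_netgroup(user, netgroup):
    return user in NETGROUPS.get(netgroup, set())


def entry_matches(target, user):
    """Does a +/- target ('' = everyone, '@ng' = netgroup, 'name' = one
    user) cover `user`?"""
    if target == "":
        return True
    if target.startswith("@"):
        return in_netgroup(user, target[1:])
    return target == user


def getpwnam(passwd_lines, user, strict_minus=False):
    """Resolve `user` against the passwd lines; first matching entry wins.

    strict_minus=True models the behaviour the post reports on SunOS:
    a '-' entry with fewer than seven fields is ignored (assumption).
    Returns the merged 7-field entry, or None if the user is not found
    or has been excluded by a '-' entry.
    """
    for line in passwd_lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        if not name or name[0] not in "+-":
            if name == user:
                return line               # ordinary local entry
            continue
        sign, target = name[0], name[1:]
        if sign == "-" and strict_minus and len(fields) < 7:
            continue                      # short '-' form silently ignored
        if not entry_matches(target, user):
            continue
        if sign == "-":
            return None                   # all subsequent entries disallowed
        nis = NIS_PASSWD.get(user)
        if nis is None:
            continue                      # not in NIS; keep scanning
        merged = nis.split(":")
        for i in OVERRIDABLE:             # local non-empty fields win
            if i < len(fields) and fields[i]:
                merged[i] = fields[i]
        return ":".join(merged)
    return None


# The variants from the post (local sysdiag/sundiag lines omitted).
CONFIGS = {
    "posted":     ["-@u_students:", "+::::::"],                   # original try
    "reversed":   ["+::::::", "-@u_students:"],                   # answer 1
    "restricted": ["+@u_students::0:0::/no/home:/some/prog"],     # answer 2
    "working":    ["-@u_students::0:0::::", "+::::::"],           # answer 3
}


def who_can_login(config, strict_minus):
    """Users that still resolve to an entry under the given config."""
    return sorted(u for u in NIS_PASSWD
                  if getpwnam(CONFIGS[config], u, strict_minus) is not None)


if __name__ == "__main__":
    for cfg in CONFIGS:
        print(f"{cfg:11s} strict={who_can_login(cfg, True)} "
              f"lenient={who_can_login(cfg, False)}")
```

Two points fall out of running it. In the "reversed" configuration the `+::::::` line matches every user before the `-` line is ever reached, so it cannot exclude anyone on any implementation. In the "posted" configuration the outcome depends only on whether the short `-@u_students:` form is honoured, which is exactly the dissymmetry the post describes.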
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:16 CDT