Consistent use of /usr/sbin/nologin.
PR: 239121
This commit is contained in:
Sergey Kandaurov
parent
3cb42f1269
commit
72a5e01739
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=53262
2 changed files with 22 additions and 22 deletions
|
|
@ -1802,19 +1802,19 @@ nis_client_enable="YES"</programlisting>
|
|||
<screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput>
|
||||
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
|
||||
toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
|
||||
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
|
||||
operator:*:2:5::0:0:System &:/:/sbin/nologin
|
||||
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
|
||||
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
|
||||
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
|
||||
games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
|
||||
news:*:8:8::0:0:News Subsystem:/:/sbin/nologin
|
||||
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
|
||||
bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
|
||||
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
|
||||
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
|
||||
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/usr/sbin/nologin
|
||||
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
|
||||
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
|
||||
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
|
||||
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
|
||||
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
|
||||
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
|
||||
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
|
||||
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
|
||||
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
|
||||
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
|
||||
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/usr/sbin/nologin
|
||||
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
|
||||
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
|
||||
-bill:::::::::
|
||||
+:::::::::
|
||||
|
||||
|
|
@ -2075,18 +2075,18 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
|
|||
user entries without allowing them to login into the servers.
|
||||
This can be achieved by adding an extra line:</para>
|
||||
|
||||
<programlisting>+:::::::::/sbin/nologin</programlisting>
|
||||
<programlisting>+:::::::::/usr/sbin/nologin</programlisting>
|
||||
|
||||
<para>This line configures the client to import all entries but
|
||||
to replace the shell in those entries with
|
||||
<filename>/sbin/nologin</filename>.</para>
|
||||
<filename>/usr/sbin/nologin</filename>.</para>
|
||||
|
||||
<!-- Been there, done that, got the scars to prove it - ue -->
|
||||
<para>Make sure that extra line is placed
|
||||
<emphasis>after</emphasis>
|
||||
<literal>+@IT_EMP:::::::::</literal>. Otherwise, all user
|
||||
accounts imported from <acronym>NIS</acronym> will have
|
||||
<filename>/sbin/nologin</filename> as their login
|
||||
<filename>/usr/sbin/nologin</filename> as their login
|
||||
shell and no one will be able to login to the system.</para>
|
||||
|
||||
<para>To configure the less important servers, replace the old
|
||||
|
|
@ -2095,14 +2095,14 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
|
|||
|
||||
<programlisting>+@IT_EMP:::::::::
|
||||
+@IT_APP:::::::::
|
||||
+:::::::::/sbin/nologin</programlisting>
|
||||
+:::::::::/usr/sbin/nologin</programlisting>
|
||||
|
||||
<para>The corresponding lines for the workstations
|
||||
would be:</para>
|
||||
|
||||
<programlisting>+@IT_EMP:::::::::
|
||||
+@USERS:::::::::
|
||||
+:::::::::/sbin/nologin</programlisting>
|
||||
+:::::::::/usr/sbin/nologin</programlisting>
|
||||
|
||||
<para>NIS supports the creation of netgroups from other
|
||||
netgroups which can be useful if the policy regarding user
|
||||
|
|
@ -2134,12 +2134,12 @@ USERBOX IT_EMP ITINTERN USERS</programlisting>
|
|||
system contains two lines starting with <quote>+</quote>.
|
||||
The first line adds a netgroup with the accounts allowed to
|
||||
login onto this machine and the second line adds all other
|
||||
accounts with <filename>/sbin/nologin</filename> as shell. It
|
||||
is recommended to use the <quote>ALL-CAPS</quote> version of
|
||||
the hostname as the name of the netgroup:</para>
|
||||
accounts with <filename>/usr/sbin/nologin</filename> as shell.
|
||||
It is recommended to use the <quote>ALL-CAPS</quote> version
|
||||
of the hostname as the name of the netgroup:</para>
|
||||
|
||||
<programlisting>+@<replaceable>BOXNAME</replaceable>:::::::::
|
||||
+:::::::::/sbin/nologin</programlisting>
|
||||
+:::::::::/usr/sbin/nologin</programlisting>
|
||||
|
||||
<para>Once this task is completed on all the machines, there is
|
||||
no longer a need to modify the local versions of
|
||||
|
|
|
|||
|
|
@ -191,7 +191,7 @@
|
|||
<screen>&prompt.root; <userinput>pw lock <replaceable>toor</replaceable></userinput></screen>
|
||||
|
||||
<para>The second method is to prevent login access by changing
|
||||
the shell to <filename>/sbin/nologin</filename>. Only the
|
||||
the shell to <filename>/usr/sbin/nologin</filename>. Only the
|
||||
superuser can change the shell for other users:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>chsh -s /usr/sbin/nologin <replaceable>toor</replaceable></userinput></screen>
|
||||
|
|
|
|||
Loading…
Reference in a new issue