Consistent use of /usr/sbin/nologin.
PR: 239121
This commit is contained in:
Sergey Kandaurov
parent
3cb42f1269
commit
72a5e01739
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=53262
2 changed files with 22 additions and 22 deletions
|
|
@ -1802,19 +1802,19 @@ nis_client_enable="YES"</programlisting>
|
||||||
<screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput>
|
<screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput>
|
||||||
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
|
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
|
||||||
toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
|
toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
|
||||||
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
|
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
|
||||||
operator:*:2:5::0:0:System &:/:/sbin/nologin
|
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
|
||||||
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
|
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/usr/sbin/nologin
|
||||||
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
|
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
|
||||||
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
|
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
|
||||||
games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
|
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
|
||||||
news:*:8:8::0:0:News Subsystem:/:/sbin/nologin
|
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
|
||||||
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
|
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
|
||||||
bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
|
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
|
||||||
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
|
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
|
||||||
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
|
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/usr/sbin/nologin
|
||||||
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
|
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
|
||||||
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
|
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
|
||||||
-bill:::::::::
|
-bill:::::::::
|
||||||
+:::::::::
|
+:::::::::
|
||||||
|
|
||||||
|
|
@ -2075,18 +2075,18 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
|
||||||
user entries without allowing them to login into the servers.
|
user entries without allowing them to login into the servers.
|
||||||
This can be achieved by adding an extra line:</para>
|
This can be achieved by adding an extra line:</para>
|
||||||
|
|
||||||
<programlisting>+:::::::::/sbin/nologin</programlisting>
|
<programlisting>+:::::::::/usr/sbin/nologin</programlisting>
|
||||||
|
|
||||||
<para>This line configures the client to import all entries but
|
<para>This line configures the client to import all entries but
|
||||||
to replace the shell in those entries with
|
to replace the shell in those entries with
|
||||||
<filename>/sbin/nologin</filename>.</para>
|
<filename>/usr/sbin/nologin</filename>.</para>
|
||||||
|
|
||||||
<!-- Been there, done that, got the scars to prove it - ue -->
|
<!-- Been there, done that, got the scars to prove it - ue -->
|
||||||
<para>Make sure that extra line is placed
|
<para>Make sure that extra line is placed
|
||||||
<emphasis>after</emphasis>
|
<emphasis>after</emphasis>
|
||||||
<literal>+@IT_EMP:::::::::</literal>. Otherwise, all user
|
<literal>+@IT_EMP:::::::::</literal>. Otherwise, all user
|
||||||
accounts imported from <acronym>NIS</acronym> will have
|
accounts imported from <acronym>NIS</acronym> will have
|
||||||
<filename>/sbin/nologin</filename> as their login
|
<filename>/usr/sbin/nologin</filename> as their login
|
||||||
shell and no one will be able to login to the system.</para>
|
shell and no one will be able to login to the system.</para>
|
||||||
|
|
||||||
<para>To configure the less important servers, replace the old
|
<para>To configure the less important servers, replace the old
|
||||||
|
|
@ -2095,14 +2095,14 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
|
||||||
|
|
||||||
<programlisting>+@IT_EMP:::::::::
|
<programlisting>+@IT_EMP:::::::::
|
||||||
+@IT_APP:::::::::
|
+@IT_APP:::::::::
|
||||||
+:::::::::/sbin/nologin</programlisting>
|
+:::::::::/usr/sbin/nologin</programlisting>
|
||||||
|
|
||||||
<para>The corresponding lines for the workstations
|
<para>The corresponding lines for the workstations
|
||||||
would be:</para>
|
would be:</para>
|
||||||
|
|
||||||
<programlisting>+@IT_EMP:::::::::
|
<programlisting>+@IT_EMP:::::::::
|
||||||
+@USERS:::::::::
|
+@USERS:::::::::
|
||||||
+:::::::::/sbin/nologin</programlisting>
|
+:::::::::/usr/sbin/nologin</programlisting>
|
||||||
|
|
||||||
<para>NIS supports the creation of netgroups from other
|
<para>NIS supports the creation of netgroups from other
|
||||||
netgroups which can be useful if the policy regarding user
|
netgroups which can be useful if the policy regarding user
|
||||||
|
|
@ -2134,12 +2134,12 @@ USERBOX IT_EMP ITINTERN USERS</programlisting>
|
||||||
system contains two lines starting with <quote>+</quote>.
|
system contains two lines starting with <quote>+</quote>.
|
||||||
The first line adds a netgroup with the accounts allowed to
|
The first line adds a netgroup with the accounts allowed to
|
||||||
login onto this machine and the second line adds all other
|
login onto this machine and the second line adds all other
|
||||||
accounts with <filename>/sbin/nologin</filename> as shell. It
|
accounts with <filename>/usr/sbin/nologin</filename> as shell.
|
||||||
is recommended to use the <quote>ALL-CAPS</quote> version of
|
It is recommended to use the <quote>ALL-CAPS</quote> version
|
||||||
the hostname as the name of the netgroup:</para>
|
of the hostname as the name of the netgroup:</para>
|
||||||
|
|
||||||
<programlisting>+@<replaceable>BOXNAME</replaceable>:::::::::
|
<programlisting>+@<replaceable>BOXNAME</replaceable>:::::::::
|
||||||
+:::::::::/sbin/nologin</programlisting>
|
+:::::::::/usr/sbin/nologin</programlisting>
|
||||||
|
|
||||||
<para>Once this task is completed on all the machines, there is
|
<para>Once this task is completed on all the machines, there is
|
||||||
no longer a need to modify the local versions of
|
no longer a need to modify the local versions of
|
||||||
|
|
|
||||||
|
|
@ -191,7 +191,7 @@
|
||||||
<screen>&prompt.root; <userinput>pw lock <replaceable>toor</replaceable></userinput></screen>
|
<screen>&prompt.root; <userinput>pw lock <replaceable>toor</replaceable></userinput></screen>
|
||||||
|
|
||||||
<para>The second method is to prevent login access by changing
|
<para>The second method is to prevent login access by changing
|
||||||
the shell to <filename>/sbin/nologin</filename>. Only the
|
the shell to <filename>/usr/sbin/nologin</filename>. Only the
|
||||||
superuser can change the shell for other users:</para>
|
superuser can change the shell for other users:</para>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>chsh -s /usr/sbin/nologin <replaceable>toor</replaceable></userinput></screen>
|
<screen>&prompt.root; <userinput>chsh -s /usr/sbin/nologin <replaceable>toor</replaceable></userinput></screen>
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue