Wednesday, August 17, 2005


Restricting user access
Email-only access

Create a user account with a home directory of /dev/null and a shell
that does not permit logins, such as /bin/false or /dev/null.

FTP-only access

Set the user's shell to one that does not permit logins, such as
/bin/false or /dev/null.

Note: your FTP server may require that the user's shell is listed in
the /etc/shells file.

Preventing FTP access

Add the user's account name into /etc/ftpusers.

Restricted access

Set the user's shell to a restricted shell such as /bin/rksh or /bin/rsh.

This prevents:

1. Use of the cd command
2. Setting or changing the PATH variable
3. Specifying a command or filename containing a slash (/); only
   filenames in the current directory can be used
4. Using output redirection (> or >>)

Restricting by user group

Add the following to /etc/profile:

# -w matches the group name as a whole word, so a group such as "adm"
# does not also match "admin"
if [ -n "`groups | grep -w {group_name}`" ] ; then
    echo "Users from group {group_name} cannot login to this machine."
    exit 1
fi

This restricts telnet and rsh access for users whose login shell is the
Bourne shell or the Korn shell, because both read /etc/profile at login.
C shell users would still be able to access the machine, since csh
reads /etc/.login instead of /etc/profile.

Thanks to Augustus Carter for sending the following method of
restricting C shell, Bourne shell, and Korn shell access on Solaris
systems.

The following will restrict the C Shell as well as Bourne and Korn
shells under Solaris 2.6, 7, 8, and 9 systems:

Create a text file called /etc/su_users.txt containing one username per
line, for example:

luke
hans
leia

Add the following code to the /etc/profile file:

# 04-26-2002 - Restricts telnet and ssh access for batch user accounts
# Bourne (sh) and Korn (ksh) shell users use the script in the /etc/profile file
# C (csh) shell users use the script in the /etc/.login file
# The /etc/su_users.txt file contains the list of batch accounts.
# TTY holds the terminal name in the form printed by w, e.g. pts/3
TTY=`tty | awk -F/ '{printf ($3"/"$4)}'`
# USER_TTY is the login name that w reports on that terminal
USER_TTY=`w | awk '(\$2=="'$TTY'"){print \$1}'`
for USERID in `cat /etc/su_users.txt`
do
    if [ "$USER_TTY" = "$USERID" ]
    then
        echo
        echo "Interactive logins for the $USER_TTY user are disabled."
        echo "Please login with your user id and do a su - $USER_TTY."
        echo
        exit
    fi
done

Add the following code to the /etc/.login file:

# 04-26-2002 - Restricts telnet and ssh access for batch user accounts
# Bourne (sh) and Korn (ksh) shell users use the script in the /etc/profile file
# C (csh) shell users use the script in the /etc/.login file
# The /etc/su_users.txt file contains the list of batch accounts.
# TTY holds the terminal name in the form printed by w, e.g. pts/3
set TTY=`tty | awk -F/ '{printf ($3"/"$4)}'`
# USER_TTY is the login name that w reports on that terminal
set USER_TTY=`w|awk '{if ($2=="'$TTY'") print $1}'`
foreach USERID (`cat /etc/su_users.txt`)
    if ( "$USER_TTY" == "$USERID" ) then
        echo
        echo "Interactive logins for the $USER_TTY user are disabled."
        echo "Please login with your user id and do a su - $USER_TTY."
        echo
        logout
    endif
end
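As an added example, not part of the original post or of the contributed scripts, the POSIX sh functions below carry out both checks described above (the group test from the /etc/profile snippet and the batch-account list test from /etc/su_users.txt) with exact matching rather than substring matching, and they take the login name directly instead of parsing the output of w. The function names in_group, in_deny_list and login_denied, the group name batch, and the sample deny list written to a temporary file are all assumptions made for this example. Because /etc/profile is read only by login shells, a guard like this covers interactive logins; it is a complement to, not a replacement for, the shell and /etc/ftpusers settings described earlier.

```shell
#!/bin/sh
# Added example (not from the original post). Exact-match checks that an
# /etc/profile login guard can use. Inputs are assumed: a user name, that
# user's group list as printed by `groups`, a group to refuse, and a
# deny-list file in the /etc/su_users.txt format (one name per line).
# Nothing here touches real system files.

# Return 0 if GROUP appears as a whole word in GROUPS_STR.
# Padding with spaces means "adm" does not also match "admin".
in_group() {
    groups_str=$1
    group=$2
    case " $groups_str " in
        *" $group "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if USER is listed, one name per line, in LISTFILE.
# grep -x requires a whole-line match, so "han" does not match "hans".
in_deny_list() {
    user=$1
    listfile=$2
    [ -r "$listfile" ] || return 1
    grep -qx -- "$user" "$listfile"
}

# Combined policy: refuse an interactive login if the user is in the
# refused group or on the deny list. Prints the post's messages and returns
# 0 when the login must be refused, 1 when it may proceed.
login_denied() {
    user=$1
    groups_str=$2
    denied_group=$3
    listfile=$4
    if in_group "$groups_str" "$denied_group"; then
        echo "Users from group $denied_group cannot login to this machine."
        return 0
    fi
    if in_deny_list "$user" "$listfile"; then
        echo "Interactive logins for the $user user are disabled."
        echo "Please login with your user id and do a su - $user."
        return 0
    fi
    return 1
}

# Constructed sample deny list so the demonstration runs stand-alone.
SAMPLE_LIST=$(mktemp) || exit 1
printf 'luke\nhans\nleia\n' > "$SAMPLE_LIST"

# Demonstration. In /etc/profile the guard would instead read:
#   login_denied "$(id -un)" "$(groups)" batch /etc/su_users.txt && exit 1
login_denied hans "staff" batch "$SAMPLE_LIST" || echo "hans may log in"
login_denied yoda "staff batch" batch "$SAMPLE_LIST" || echo "yoda may log in"
login_denied han "staff" batch "$SAMPLE_LIST" || echo "han may log in"
rm -f "$SAMPLE_LIST"
```

The case statement and grep -x are both POSIX, so the guard behaves the same under sh and ksh; a csh /etc/.login would still need its own version, as in the contributed scripts.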
