Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: mikem@xn.ll.mit.edu (Michael Maciolek)
Newsgroups: comp.sys.sun
Subject: Re: Securing the Server
Keywords: Networks
Message-ID: <1340@xn.LL.MIT.EDU>
Date: 24 Apr 89 10:28:05 GMT
References: <3086@udccvax1.acs.udel.EDU>
Sender: usenet@rice.edu
Organization: MIT Lincoln Laboratory, Lexington, MA
Lines: 115
Approved: Sun-Spots@rice.edu
Original-Date: 1 Apr 89 01:15:18 GMT
X-Sun-Spots-Digest: Volume 7, Issue 243, message 4 of 8

(The original poster wanted a way to keep some users from rlogging into the
fileserver, with various other limitations)

I don't know if there's a more elegant solution; this one's kind of tricky
and something of a kludge, but I'm doing something similar and it works fine
for us. I also don't know if this will meet all your requirements; I assume
it's okay if users are unable to login at the server's console, as well as
being unable to login through telnet or rlogin?

The idea is that when a user logs in, instead of starting his/her normal
login shell, you call an authorization checker. If the user is logging in on
any machine *except* the server, control is passed to the shell...but if the
user tries to login on the server, s/he must pass an authorization test.

I've included a piece of code in which the user must be a member of a special
group (in this case, group number 15) in order to log into the machine which
has a hostname of "servername". If the user is accepted, s/he begins
executing the specified shell. If you have some users who prefer a different
login shell - sh or ksh or tcsh - you'll need a separate version of this
program for each shell you intend to support (there are ways around this.
hint: use argv[0]).

You'll need to add a line to your /etc/group file which lists all users who
are privileged to login to the server. The group name is irrelevant, as long
as the group number matches the #defined constant "MAGIC".
If you have any questions, send mail to

	mikem@juliet.ll.mit.edu  (preferred)
	mikem@xn.ll.mit.edu      (only if "juliet" bounces)

Michael Maciolek            (617) 981-3174
Group 43 SysAdmin           MIT/Lincoln Laboratory

------------------cut here------------------------------------------------------
/*
 * Copyright (c) 1989 Michael J. Maciolek
 *
 * Permission is granted to anyone to make or distribute verbatim copies
 * of this document as received, in any medium, provided that the copyright
 * notice and permission notice are preserved, and that the distributor
 * grants the recipient permission for further redistribution as permitted
 * by this notice.
 */

/*
 * Disclaimer
 *
 * The recipient accepts full responsibility for determining the suitability
 * of this software for his/her particular application, and for any damages
 * arising from the use of said software. The recipient shall in no event
 * hold Michael J. Maciolek or the Massachusetts Institute of Technology or
 * MIT/Lincoln Laboratory liable for any damages arising from the use of
 * this software.
 */

/*
 * That ought to keep the lawyers happy! :-)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/param.h>          /* NGROUPS, MAXHOSTNAMELEN */

#define MAGIC  15               /* gid of the group allowed onto the server */
#define SERVER "servername"
#define SHELL  "/bin/csh"

int main(int argc, char *argv[], char *envp[])
{
	int rv, i;
	gid_t glist[NGROUPS];
	char hostname[MAXHOSTNAMELEN];   /* char, not int: gethostname() fills a string */

	/* what is my hostname? */
	rv = gethostname(hostname, MAXHOSTNAMELEN);
	if (rv < 0) { perror("gethostname"); exit(errno); }

	/* of which groups am I a member? */
	rv = getgroups(NGROUPS, glist);
	if (rv < 0) { perror("getgroups"); exit(errno); }

	/* See if one of my groups is the MAGIC group */
	for (i = 0; i < rv; i++)
		if (glist[i] == MAGIC) break;

	/* The posted code was cut off above; the rest follows the description
	 * in the post: anyone may log in elsewhere, but on SERVER you must be
	 * in MAGIC. argv is passed through unchanged so the shell still sees
	 * the argv[0] login gave us. */
	if (strcmp(hostname, SERVER) == 0 && i == rv) {
		fprintf(stderr, "Sorry, logins to %s are restricted.\n", hostname);
		exit(1);
	}
	execve(SHELL, argv, envp);
	perror(SHELL);
	exit(errno);
}
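Added example, not Michael's code: the "use argv[0]" hint from the post worked
out, so one wrapper binary fronts for sh, csh, ksh and tcsh, with the host/group
policy factored into a function that can be checked on its own. It assumes the
same placeholder SERVER and MAGIC values as the post and a hypothetical install
layout of symlinks such as /usr/local/guard/csh pointing at the wrapper, with
that symlink path set as the user's shell in /etc/passwd.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/param.h>   /* NGROUPS, MAXHOSTNAMELEN */

#define MAGIC  15              /* gid of the "may log in on the server" group */
#define SERVER "servername"    /* placeholder hostname, as in the post */
/* Shells this one wrapper fronts for: basename of argv[0] -> real shell. */
static const char *const shells[][2] = { { "sh", "/bin/sh" }, { "csh", "/bin/csh" },
                                         { "ksh", "/bin/ksh" }, { "tcsh", "/bin/tcsh" } };

/* Map the name we were invoked as ("-csh" from login(1), or a hypothetical symlink
   such as /usr/local/guard/csh) to the real shell; NULL if it is not one we front for. */
const char *shell_for_argv0(const char *argv0)
{
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    if (*base == '-') base++;            /* login(1) marks login shells with '-' */
    for (size_t i = 0; i < sizeof shells / sizeof shells[0]; i++)
        if (strcmp(base, shells[i][0]) == 0) return shells[i][1];
    return NULL;
}

/* Policy from the post: any host but SERVER is open; on SERVER you need MAGIC. */
int login_allowed(const char *host, const gid_t *groups, int ngroups)
{
    if (strcmp(host, SERVER) != 0) return 1;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == MAGIC) return 1;
    return 0;
}

int main(int argc, char *argv[], char *envp[])
{
    char host[MAXHOSTNAMELEN];
    gid_t groups[NGROUPS + 1];
    int n = getgroups(NGROUPS, groups + 1);
    const char *shell = shell_for_argv0(argv[0]);

    if (!shell) { fprintf(stderr, "%s: not a shell this wrapper fronts for\n", argv[0]); return 1; }
    if (n < 0 || gethostname(host, sizeof host) < 0) { perror("lookup"); return 1; }
    groups[0] = getgid();                 /* primary gid need not appear in getgroups() */
    if (!login_allowed(host, groups, n + 1)) {
        fprintf(stderr, "Logins to %s are restricted to group %d.\n", host, MAGIC);
        return 1;
    }
    execve(shell, argv, envp);            /* argv unchanged, so argv[0] keeps login's '-' */
    perror(shell);
    return 1;
}
```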