netgroup / passwd
2007-12-25 7:26:00
>> users on hosts. I thought using the +@ / -@ feature in /etc/passwd.
>> And I did:
>> tail /etc/passwd
>> sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdi
>> sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
>> -@u_students:
>> +::::::
>> Since the manual page passwd(5) says:
>> -@netgroup means
>> to disallow any subsequent entries for all members of the
>> network group netgroup.
>> I thought that no students could log in to this host (because of the word
>> "subsequent"). But it fails. Why?
1. Some people told me this is a reverse order: I disallow students,
then I allow everyone. So they told me to write:
+::::::
-@u_students:
It doesn't work.
2. Some people told me:
+@u_students::0:0::/no/home:/some/prog
I didn't test this. But doing this, people have
an account, of course with no login/rlogin/telnet.
But there are a lot of ways to execute commands: .forward,
rsh, on, ftp, etc. (yes, I know how to protect these first 4
but not how to protect the fifth...)
3. AN ANSWER IS to set a regular passwd line:
-@u_students::0:0::::
+::::::
Without the two '0', it doesn't work.
It's not quite normal because to allow people you just
have to say:
+@u_students:
So there is a dissymmetry between allowing/disallowing.
And DEC/Ultrix understands the short form (-@u_students:).
So I think there is a bug...
Thanks to:
--Jacques Beigbeder
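
An added example, not part of the original post: a small lint for the `-` exclusion entries discussed above. It flags the three patterns the post reports as ineffective on the poster's host. The function name `lint_compat` and the rule names are hypothetical, and the sample passwd text is constructed.

```python
# Lint "-" (exclusion) entries in a passwd file that uses +/- compat syntax.
# Rules are taken from the post above, not from any vendor documentation:
#   short-form     : exclusion written as "-@group:" with fewer than 7 fields
#   no-uid-gid     : exclusion with an empty uid or gid field
#   after-wildcard : exclusion placed after the bare "+" entry, so it is not
#                    "subsequent" to anything it is meant to block

def lint_compat(passwd_text):
    """Return a list of (line_number, rule) findings."""
    findings = []
    wildcard_line = None              # first line holding the bare "+" entry
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.strip().split(":")
        name = fields[0]
        if name == "+":
            wildcard_line = wildcard_line or lineno
            continue
        if not name.startswith("-"):
            continue                  # ordinary account or "+..." allow entry
        # Pad so short entries still yield (empty) uid and gid values.
        uid, gid = (fields + [""] * 4)[2:4]
        if len(fields) < 7:
            findings.append((lineno, "short-form"))
        elif not (uid and gid):
            findings.append((lineno, "no-uid-gid"))
        if wildcard_line:
            findings.append((lineno, "after-wildcard"))
    return findings

# Constructed sample: the layout from the question (short form before "+").
SAMPLE = """\
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
-@u_students:
+::::::
"""

if __name__ == "__main__":
    for lineno, rule in lint_compat(SAMPLE):
        print(f"line {lineno}: {rule}")
```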

