Got these great notes from brandonhutchinson.com. They are a must-read.
Email-only access
Create a user account with a home directory of /dev/null and a shell that does not permit logins, such as /bin/false or /dev/null.
FTP-only access
Set the user's shell to one that does not permit logins, such as /bin/false or /dev/null.
Note: your FTP server may require that the user's shell is listed in the /etc/shells file.
Preventing FTP access
Add the user's account name into /etc/ftpusers.
Restricted access
Set the user's shell to a restricted shell such as /bin/rksh or /bin/rsh.
This prevents:
1. Use of the cd command
2. Setting or changing the PATH variable
3. Specifying a command or filename containing a slash (/) -- only filenames in the current directory can be used
4. Using output redirection (> or >>).
Restricting by user group
Add the following to /etc/profile:
if [ -n "`groups | grep {group_name}`" ] ; then
    echo "Users from group {group_name} cannot login to this machine."
    exit 1
fi
This would restrict telnet and rsh access for users using the Bourne shell or Korn shell. C shell users would still be able to access the machine, since csh does not read /etc/profile.
The following will restrict the C Shell as well as Bourne and Korn shells under Solaris 2.6, 7, 8, and 9 systems:
Create a text file called /etc/su_users.txt.
It contains one username per line, like this:
luke
hans
leia
Add the following code to the /etc/profile file:
# 04-26-2002 - Restricts telnet and ssh access for batch user accounts
# Bourne (sh) and Korn (ksh) shell users use the script in the /etc/profile file
# C (csh) shell users use the script in the /etc/.login file
# The /etc/su_users.txt file contains the list of batch accounts.
TTY=`tty | awk -F/ '{printf ($3"/"$4)}'`
USER_TTY=`w | awk '(\$2=="'$TTY'"){print \$1}'`
for USERID in `cat /etc/su_users.txt`
do
    if [ "$USER_TTY" = "$USERID" ]
    then
        echo
        echo Interactive logins for the $USER_TTY user are disabled.
        echo Please login with your user id and do a su - $USER_TTY.
        echo
        exit
    fi
done
Add the following code to the /etc/.login file:
# 04-26-2002 - Restricts telnet and ssh access for batch user accounts
# Bourne (sh) and Korn (ksh) shell users use the script in the /etc/profile file
# C (csh) shell users use the script in the /etc/.login file
# The /etc/su_users.txt file contains the list of batch accounts.
set TTY=`tty | awk -F/ '{printf ($3"/"$4)}'`
set USER_TTY=`w | awk '{if ($2=="'$TTY'") print $1}'`
foreach USERID (`cat /etc/su_users.txt`)
    if ( "$USER_TTY" == "$USERID" ) then
        echo
        echo Interactive logins for the $USER_TTY user are disabled.
        echo Please login with your user id and do a su - $USER_TTY.
        echo
        logout
    endif
end
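The group check and the /etc/su_users.txt check above, as an added example that is not from brandonhutchinson.com: the same logic as POSIX sh functions with the pipes restored, whole-name matching (the page's `groups | grep {group_name}` also matches any group whose name merely contains the pattern), and the list path as a parameter so the check runs against a constructed file rather than the real /etc/su_users.txt. The function names and the sample list are this example's own.

```sh
#!/bin/sh
# Added example, not the page's own code: /etc/profile login checks as
# POSIX sh functions. Assumption: the list file holds one username per
# line, as the page's /etc/su_users.txt does.

# True (0) when $1 appears as a whole line in list file $2, so "han"
# does not match "hans".
is_batch_account() {
    [ -r "$2" ] || return 1
    grep -qx -- "$1" "$2"
}

# True (0) when the current process belongs to group $1. Matches whole
# group names, unlike the page's `groups | grep {group_name}`.
in_group() {
    for _g in $(id -Gn); do
        [ "$_g" = "$1" ] && return 0
    done
    return 1
}

# Login name of the user who opened the current tty, derived from w(1) as
# on the page. w reports the original login user, so someone who logged
# in under their own id can still run "su - luke".
login_user_on_tty() {
    _tty=$(tty | awk -F/ '{ printf "%s/%s", $3, $4 }')
    w | awk -v t="$_tty" '$2 == t { print $1; exit }'
}

# Prints the page's refusal message and returns 0 when login user $1 is a
# batch account listed in $2; /etc/profile would then run `exit`.
deny_interactive_login() {
    if is_batch_account "$1" "$2"; then
        echo "Interactive logins for the $1 user are disabled."
        echo "Please login with your user id and do a su - $1."
        return 0
    fi
    return 1
}

# Constructed sample list (the page's luke, hans, leia) for a dry run.
SAMPLE_LIST=$(mktemp)
printf 'luke\nhans\nleia\n' > "$SAMPLE_LIST"
deny_interactive_login hans "$SAMPLE_LIST"
deny_interactive_login obiwan "$SAMPLE_LIST" || echo "obiwan may log in"
```

In a real /etc/profile the caller would be `deny_interactive_login "$(login_user_on_tty)" /etc/su_users.txt && exit`.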
Monday, March 23, 2009
Creating user access restrictions:
Labels: UNIX