[plug] telnet server question
Bernd Felsche
bernie at innovative.iinet.net.au
Thu Jul 24 10:14:26 WST 2003
On Thu, Jul 24, 2003 at 09:18:19AM +0800, Craig Ringer wrote:
> >That's right... I think it'd take the window manager to handle that
> >gracefully...
> IMHO, the function would ideally be integrated into the login
> manager. That way, it allows the user to authenticate, then
I was wrong... I agree it should be the login manager because it's
already accessing the display.
> checks to ensure that the shell is in the list of allowed login
> shells. If it is not, the login manager never even starts a single
> process under the authenticated user, but instead informs them
> that their account is disabled.
>
> Ideally this would be a final pre-login check done in (say) gdm.
>
> Actually, this is how SCO OpenServer handles it, so it can't be
> that hard!
But that idea isn't worth USD$700. :-)
You can't use /etc/shells... it contains /bin/false, etc. which is
odd because:
<quote>
SHELLS(5) Linux Programmer's Manual SHELLS(5)
NAME
shells - pathnames of valid login shells
DESCRIPTION
/etc/shells is a text file which contains the full path
names of valid login shells. This file is consulted by
chsh(1) and available to be queried by other programs.
Be aware that there are programs which consult this file
to find out if a user is a normal user. E.g.: ftp daemons
traditionally disallow access to users with shells not
included in this file.
</quote>
So clearly /etc/shells should contain only "valid login shells",
which could be interpreted in a couple of ways; the worst being
what's allowed in the shell field of /etc/passwd, or _better_ what
constitutes a "valid login"; making it far more useful for a login
manager of all persuasions.
A warning is displayed when root does a chsh....
gudgeon:~ # chsh -s /sbin/nologin uucp
Changing login shell for uucp.
Warning: "/sbin/nologin" is not listed in /etc/shells
Shell changed.
But it still works.
How a window manager behaves when encountering an exception (of the
shell not in /etc/shells) is debatable; exec-ing the command and
directing output to a text panel in a dialogue seems like a good
idea. That way the luser has a chance to read and acknowledge the
message from nologin or other "shell" defined by an administrator.
--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
X against HTML mail | Copy me into your ~/.signature
/ \ and postings | to help me spread!
More information about the plug
mailing list