SUMMARY: netgroup / passwd

From: beig@FRULM63.BITNET
Date: Tue Nov 19 1991 - 01:29:38 CST


>> I was just asked to enforce security on our network by selecting
>> users on hosts. I thought using the +@ / -@ feature in /etc/passwd.
>> And I did:
>> tail /etc/passwd
>> sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdi
>> sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
>> -@u_students:
>> +::::::
>> Since the manual pages passwd(5) says:
>> -@netgroup means
>> to disallow any subsequent entries for all members of the
>> network group netgroup.
>> I thought that no student can log in to this host (because of the word
>> "subsequent"). But it fails. Why?
 
1. Some people told me this is a reverse order: I disallow students,
then I allow everyone. So they told me to write:
 
+::::::
-@u_students:
 
It doesn't work.
 
2. Some people told me:
 
+@u_students::0:0::/no/home:/some/prog
 
I didn't test this. But doing this, people have
an account, of course with no login/rlogin/telnet.
But there are a lot of ways to execute commands: .forward,
rsh, on, ftp, etc. (yes, I know how to protect these first 4
but not how to protect the fifth...)
 
3. AN ANSWER IS to set a regular passwd line:
-@u_students::0:0::::
+::::::
 
Without the two '0', it doesn't work.
 
It's not quite normal because to allow people you just
have to say:
+@u_students:
 
So there is a dissymmetry between allowing/disallowing.
And DEC/Ultrix understands the short form (-@u_students:).
So I think there is a bug...
 
Thanks to:
        brent@curie.ssctr.bcm.tmc.edu
        paul@Concour.cs.Concordia.CA
        jstewart@mailbox.syr.edu
        trinkle@cs.purdue.edu
        canuck@rice.edu
        stern@sunne.East.Sun.COM
        bernards@ECN.NL
        tom@sees.bangor.ac.uk
        mdl@cypress.com
        matt@oddjob.uchicago.edu
        butzer@cis.ohio-state.edu
        stanonik@nprdc.navy.mil
        phil@pex.eecs.nwu.edu
 
  --Jacques Beigbeder
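An added example, not part of the original post or of any vendor's code: a small Python model of the ordering rule passwd(5) describes, where a -@netgroup entry disallows its members only for the entries that follow it. It reproduces the result the poster expected from "-@u_students:" followed by "+::::::" and shows why the reversed order in item 1 lets every NIS user in; it does not reproduce the SunOS behaviour the poster actually observed (the short form failing). The NIS maps are constructed sample data, and the override of the home directory and shell fields by a + entry (used in item 2) is an assumption of this model.

```python
from typing import Dict, List, Set

# Constructed sample NIS maps (not real data).
NIS_PASSWD = {
    "alice": "alice:x:1001:100:Alice:/home/alice:/bin/csh",
    "bob": "bob:x:1002:100:Bob:/home/bob:/bin/csh",
    "carol": "carol:x:1003:101:Carol:/home/carol:/bin/csh",
}
NETGROUPS = {"u_students": {"alice", "bob"}}


def members(spec: str, netgroups=NETGROUPS) -> Set[str]:
    """'@group' expands to its netgroup members; a plain name is itself."""
    if spec.startswith("@"):
        return set(netgroups.get(spec[1:], ()))
    return {spec}


def merge(nis_line: str, local_fields: List[str]) -> str:
    """Assumed rule: non-empty dir/shell fields of a + entry override NIS."""
    f = nis_line.split(":")
    for i in (5, 6):  # home directory, login shell
        if i < len(local_fields) and local_fields[i]:
            f[i] = local_fields[i]
    return ":".join(f)


def expand_passwd(local_lines, nis_passwd=NIS_PASSWD, netgroups=NETGROUPS) -> Dict[str, str]:
    """Effective login database under the passwd(5) rules as documented:
    entries are read top to bottom; -name / -@netgroup disallows those
    users for every *subsequent* entry; +name / +@netgroup / + pulls users
    from NIS unless already disallowed; the first entry for a user wins."""
    allowed: Dict[str, str] = {}
    disallowed: Set[str] = set()
    for raw in local_lines:
        fields = raw.strip().split(":")
        key = fields[0]
        if not key or key.startswith("#"):
            continue
        if key.startswith("-"):
            disallowed |= members(key[1:], netgroups)
        elif key.startswith("+"):
            names = set(nis_passwd) if key == "+" else members(key[1:], netgroups)
            for user in sorted(names):
                if user in nis_passwd and user not in disallowed and user not in allowed:
                    allowed[user] = merge(nis_passwd[user], fields)
        elif key not in disallowed and key not in allowed:
            allowed[key] = raw.strip()  # ordinary local entry
    return allowed
```

Under these rules the poster's original file keeps only carol, while "+::::::" placed before "-@u_students:" admits all three users because the disallow entry comes too late to affect anything.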
 
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:16 CDT