Securing the Server
George Young
young at ll-vlsi.arpa
Sat Apr 22 09:44:12 AEST 1989
We do limit access to our servers by using a separate passwd file, but
using the wildcard feature of yp to retain uid-username knowledge and
restricted rsh access for ordinary users. The passwd file looks like:

root:opqrstuvwxyz:0:1:Operator:/:/bin/csh
nobody:*:-2:-2::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
laser:AbCdEfGhIjKl:34:2:&:/common/home/laser:/bin/csh
+:nologin:0:0:::/etc/login-disabled

where /etc/login-disabled is the script:

#!/bin/csh -f
if { /usr/bin/tty -s } then     # must be a login if it has a terminal
    echo Login to server is not allowed because of detrimental effect on file serving.
else
    shift                       # shift out the first arg "-c" inserted by rsh
    setenv SHELL /bin/csh
    limit cputime 480seconds
    limit memoryuse 240kbytes
    limit datasize 2.5megabytes
    nice +2
    exec /bin/csh -c "$*"
endif

This arrangement gives 'root' and 'laser' full privileges. All others
have rsh access only (with resources limited), to allow use of the
server's tape drive. This is not intended to be absolutely secure, but
keeps people from casually logging in and running huge jobs on the file
server.
George Young, Rm. B-141 young at ll-vlsi.arpa
MIT Lincoln Laboratory young at vlsi.ll.mit.edu
244 Wood St.
Lexington, Massachusetts 02173 (617) 981-2756
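
An added example, not part of the original post: a small audit of a passwd file laid out like the one above, reporting which local accounts keep full password login and which fields the "+" wildcard entry forces on YP users. The function names audit and full_access are hypothetical, the two hashes in the sample are constructed placeholders, and the code assumes that only the password, gecos, home and shell fields of a "+" entry override the YP map (uid and gid still come from YP).

```python
import re

# Constructed sample modelled on the file in the post; the two hashes are
# 13-character placeholders, not real crypt(3) output.
SAMPLE = """\
root:abcdefghijklm:0:1:Operator:/:/bin/csh
nobody:*:-2:-2::/:
daemon:*:1:1::/:
sys:*:2:2::/:/bin/csh
bin:*:3:3::/bin:
laser:AbCdEfGhIjKlM:34:2:&:/common/home/laser:/bin/csh
+:nologin:0:0:::/etc/login-disabled
"""

CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")      # traditional crypt(3) hash
OVERRIDABLE = ("passwd", "gecos", "home", "shell")  # assumption: uid/gid not overridden

def audit(passwd_text):
    """Return {entry name: summary dict} for each line of a passwd file."""
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, _uid, _gid, gecos, home, shell = line.split(":")
        matches_hash = bool(CRYPT_DES.match(pw))
        if name.startswith("+"):
            # YP include entry: non-empty fields replace the YP map's values.
            fields = dict(zip(OVERRIDABLE, (pw, gecos, home, shell)))
            report[name] = {
                "kind": "yp",
                "overrides": {k: v for k, v in fields.items() if v},
                # None means the YP map's own password field decides.
                "password_login": matches_hash if pw else None,
            }
        else:
            report[name] = {
                "kind": "local",
                # An empty local password field means no password is asked for.
                "password_login": matches_hash or pw == "",
                "shell": shell or "/bin/sh",  # empty shell field means /bin/sh
            }
    return report

def full_access(report):
    """Local accounts that can log in with a password."""
    return sorted(n for n, e in report.items()
                  if e["kind"] == "local" and e["password_login"])

if __name__ == "__main__":
    rep = audit(SAMPLE)
    print("full access:", full_access(rep))
    print("forced on YP users:", rep["+"]["overrides"])
```

A password_login of False on the "+" entry only rules out password logins; rsh authenticates through hosts.equiv and .rhosts, which is why ordinary users still reach the restricted shell.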