Securing the Server
Michael Maciolek
mikem at xn.ll.mit.edu
Mon Apr 24 20:28:05 AEST 1989
(The original poster wanted a way to keep some users from rlogging into
the fileserver, with various other limitations)
I don't know if there's a more elegant solution; this one's kind of tricky
and something of a kludge, but I'm doing something similar and it works
fine for us.
I also don't know if this will meet all your requirements; I assume it's
okay if users are unable to login at the server's console, as well as
being unable to login through telnet or rlogin?
The idea is that when a user logs in, instead of starting his/her normal
login shell, you call an authorization checker. If the user is logging in
on any machine *except* the server, control is passed to the shell...but
if the user tries to login on the server, s/he must pass an authorization
test.
I've included a piece of code in which the user must be a member of a
special group (in this case, group number 15) in order to log into the
machine which has a hostname of "servername". If the user is accepted,
s/he begins executing the specified shell.
If you have some users who prefer a different login shell - sh or ksh or
tcsh, you'll need a separate version of this program for each shell you
intend to support (there are ways around this. hint: use argv[0])
You'll need to add a line to your /etc/group file which lists all users
who are privileged to login to the server. The group name is irrelevant,
as long as the group number matches the #defined constant "MAGIC".
If you have any questions, send mail to
mikem at juliet.ll.mit.edu (preferred)
mikem at xn.ll.mit.edu (only if "juliet" bounces)
Michael Maciolek (617) 981-3174
Group 43 SysAdmin MIT/Lincoln Laboratory
------------------cut here------------------------------------------------------
/*
* Copyright (c) 1989 Michael J. Maciolek
*
* Permission is granted to anyone to make or distribute verbatim copies
* of this document as received, in any medium, provided that the copyright
* notice and permission notice are preserved, and that the distributor
* grants the recipient permission for further redistribution as permitted
* by this notice.
*
*/
/*
* Disclaimer
*
* The recipient accepts full responsibility for determining the suitability
* of this software for his/her particular application, and for any damages
* arising from the use of said software. The recipient shall in no event
* hold Michael J. Maciolek or the Massachusetts Institute of Technology or
* MIT/Lincoln Laboratory liable for any damages arising from the use of
* this software.
*
*/
/*
* That ought to keep the lawyers happy! :-)
*/
#include <sys/param.h>
#include <errno.h>
#define MAGIC 15
#define SERVER "servername"
#define SHELL "/bin/csh"
main(argc,argv,envp)
int argc;
char *argv[],*envp[];
{
int rv,i,glist[NGROUPS],hostname[MAXHOSTNAMELEN];
/* what is my hostname? */
rv = gethostname(hostname,MAXHOSTNAMELEN);
if (rv < 0) {
perror("gethostname");
exit(errno);
}
/* of which groups am I a member? */
rv = getgroups(NGROUPS,glist);
if (rv < 0) {
perror("getgroups");
exit(errno);
}
/* See if one of my groups is the MAGIC group */
for (i=0; i<rv; i++)
if (glist[i] == MAGIC)
break;
/*
* If this is not the server, or if I am in the privileged group, permit
* the login to proceed. Else, reject the login attempt.
*/
if ((strcmp(SERVER,hostname)!=0) || (i<rv)) {
rv = execve(SHELL,argv,envp);
perror("execve");
} else {
printf("You are not authorized to login to this machine\n");
}
}
/*---------------------cut here--------------------------------------------*/
More information about the Comp.sys.sun
mailing list