Package: wnpp
Severity: wishlist

* Package name    : nologin
  Version         : 1.6
  Upstream Author : LI Xin (*)
* URL             : http://cvsup.pt.freebsd.org/cgi-bin/cvsweb/cvsweb.cgi/src/usr.sbin/nologin/nologin.c
* License         : BSD
  Description     : More secure /bin/false alternative with syslog support

(Include the long description here.)

The /bin/false in Debian[1] does not provide logging capabilities.
There seems to be a FreeBSD port of the Titan[2] framework to use
/bin/nologin instead, which provides syslog support. The code is
available at FreeBSD's CVS web page. Below is slightly modified and
tested code for Debian.

The /var/log/auth.log reads:

    Mar 10 00:16:35 host nologin: Attempted login by UNKNOWN on /dev/pts/6

Jari

[CODE]

/*-
 * Copyright (c) 2004 The FreeBSD Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
/* __FBSDID("$FreeBSD: src/usr.sbin/nologin/nologin.c,v 1.6 2005/01/04 20:07:12 delphij Exp $"); */

#include <stdio.h>
#include <syslog.h>
#include <unistd.h>

#define	MESSAGE	"This account is currently not available.\n"

int
/* main(__unused int argc, __unused char *argv[]) */
main(int argc, char *argv[])
{
	const char *user, *tt;

	/* Fall back to "UNKNOWN" when stdin has no tty or no login name is recorded. */
	if ((tt = ttyname(0)) == NULL)
		tt = "UNKNOWN";
	if ((user = getlogin()) == NULL)
		user = "UNKNOWN";

	/* Record the attempt in the auth facility before refusing the login. */
	openlog("nologin", LOG_CONS, LOG_AUTH);
	syslog(LOG_CRIT, "Attempted login by %s on %s", user, tt);
	closelog();

	printf("%s", MESSAGE);

	/* Non-zero exit status, as with /bin/false. */
	return 1;
}

[REFERENCES]

(*) CVS updater delphij's homepage. There is an email contact form:
    http://www.delphij.net/

[1] coreutils-5.2.1/src/false.c examined

[2] "TITAN 4.0 for Linux". Original idea falls to Titan project's
    nologin.c which includes description:

    ...
    noshell.c  This is the preferred way of doing a noshell. This
    should be statically compiled (see Titan.v4.0/src1/Makefile.linux)
    and should replace the shell script that disable-accounts.sh
    placed in /usr/sbin/noshell.

Also mentioned in book "Hardening Linux (2005)" by James Turnbull,
p. 21 "hardening basics":

    ...
    If the default shell points to a nonexistent file, then the user
    will be unable to log in
    ...
    On Debian systems /bin/false is used.
    On more recent versions of distributions these login shells have
    been binaries with the sole function of logging error messages to
    syslog and exiting without allowing a login to the system.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)
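
Added example, not part of the original report or of the FreeBSD code: a small parser that picks the nologin records described above out of auth.log text and summarizes them per account. The sample log is constructed, the function names are hypothetical, and the optional `[pid]` after the tag is an assumption about what a syslog daemon may add.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log. Only the format of the first line
# comes from the report; every other line is made up for this example.
SAMPLE_LOG = """\
Mar 10 00:16:35 host nologin: Attempted login by UNKNOWN on /dev/pts/6
Mar 10 00:17:02 host sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar 10 00:18:41 host nologin[901]: Attempted login by www-data on /dev/pts/2
Mar 10 00:18:59 host nologin: Attempted login by www-data on UNKNOWN
Mar 10 00:19:03 host su: nologin: Attempted login by root on /dev/pts/9
"""

# Syslog prefix, then "nologin" as the program tag (PID optional, assumed),
# then the message format string used by syslog() in nologin.c.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"nologin(?:\[\d+\])?: Attempted login by (?P<user>\S+) on (?P<tty>\S+)$"
)

def parse_nologin_events(text):
    """Return one dict per nologin record; lines from other programs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Count attempts per account and collect records with no resolved user or tty."""
    per_user = Counter(e["user"] for e in events)
    unresolved = [e for e in events if "UNKNOWN" in (e["user"], e["tty"])]
    return per_user, unresolved

if __name__ == "__main__":
    per_user, unresolved = summarize(parse_nologin_events(SAMPLE_LOG))
    for user, n in per_user.most_common():
        print(f"{n:3d} attempt(s) for account {user}")
    for e in unresolved:
        print(f"unresolved: {e['ts']} user={e['user']} tty={e['tty']}")
```

The pattern anchors on the program tag, so the last sample line, where another program's message merely contains the same text, is not counted.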