Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!uwvax!oddjob!gargoyle!ihnp4!ihlpa!kai
From: kai@ihlpa.ATT.COM (Irwin)
Newsgroups: comp.unix.questions
Subject: Re: Disabling logins under System V
Message-ID: <4665@ihlpa.ATT.COM>
Date: Fri, 17-Jul-87 19:54:40 EDT
Article-I.D.: ihlpa.4665
Posted: Fri Jul 17 19:54:40 1987
Date-Received: Sat, 18-Jul-87 17:49:39 EDT
References: <905@woton.UUCP>
Organization: AT&T Bell Laboratories - Naperville, Illinois
Lines: 81
Summary: I wouldn't play with passwd on a 3B15!

In article <905@woton.UUCP>, riddle@woton.UUCP writes:
> I am looking for some advice about the preferred way to temporarily
> disable all user logins under System V.  What I want is something
> analogous to the BSD "/etc/nologin" file (or is that what it's really
> called?  I can't remember): I want to run in multi-user mode but allow
> only root to log in.  Furthermore, I want a simple, reversible solution
> that can be run by the person who comes in on weekends to do our
> backups. 
> 
> The first thing that occurs to me is to whip up a shell script to copy
> /etc/passwd to a safe place, then substitute a modified version of it
> in which an '*' has been inserted in the password field of every login
> except for root.  Running the same script with a flag would reverse the
> process.  Obviously this script would have to be *highly* reliable. 
> Has anyone by any chance written such a script which they know has been
> working for some time with no problems? 
> 
> Another alternative would be to do the same sort of script, but have it
> install an altered version of /etc/inittab instead of /etc/passwd, thus
> disabling logins on all lines but /dev/console.  That might be safer, I
> guess (or would it be?). 
> 
> Am I missing something?  Is there a more straightforward approach?  (We
> are running System V Release 2.1.1 Version 1 on a 3B15, if it matters.)
> 
> --- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
> --- Opinions expressed are not necessarily those of Shriners Burns Institute.
> --- riddle@woton.UUCP  {ihnp4,harvard,seismo}!ut-sally!im4u!woton!riddle

If you've ever dealt with a 3B15 (or 3B5) with a hosed passwd file, I doubt
you'd be too quick to play around with this. It's a real pain in the !#$!
If you only play around with the last half of inittab you are relatively
safe (after the console gets respawned). 

I've dealt with this problem a lot and have used several solutions including the
/etc/inittab one (passwd one seemed a tad risky especially if the initdefault
is set to multi user). Anyway, two SAFE solutions to the problem are:

	1) a login id screener placed in /etc/profile that screens the logins
	   and only lets root on. Since root is console bound as a primary
	   login this solves the problem. Could be something like:

		if test "$LOGNAME" != root
			then
			echo "Machine not available for general use, sorry"
			exit
		fi

	   this not only locks out other terminals but other login ids as 
	   well.

	2) if the intent is just to lock out other terminals then you can
	   define another init level that is multi user but console only
	   so in inittab you would define ports as:

		co:1234:respawn:/etc/getty console console
		ct:2:respawn:/etc/getty contty contty
		001:2:respawn:/etc/getty tty001 9600

	   so that console would be respawned at init level 3 and 4 and
	   other ports would not, you can also only turn on SOME ports
	   allowing say hardwired access but not dial-up access. So
	   when you came up to init level 2 you would just go to init
	   level 3 or 4 for the desired system configuration. (Note
	   on a 3b15 these (3 and 4) are the only 2 available "user definable
	   init levels"; 1 is single user mode, 2 is multi user, 5 is firmware,
	   and 6 is system reboot.)

I hope this helps. I've used both (actually the first one to only allow "machine"
access (i.e. nuucp only) on certain ports to control network traffic) and the 
second for stand-alone performance testing.

Ken A. Irwin
AT&T Bell Labs, Naperville
IHP 1A332 
(312) 416-4485
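
Added example, not part of the original post: a check that reads an inittab and lists which entries respawn a getty at a given run level, so the "console only" level from solution 2 can be verified before switching to it. The function names and the sample file are constructed for illustration; the sketch assumes the console entry has the id "co" as in the post and treats an empty rstate field as "all levels".

```shell
#!/bin/sh
# Added example: which inittab entries respawn a getty at a given run level?
# inittab line format: id:rstate:action:process

# gettys_at_level LEVEL FILE -> space-separated ids, in file order
gettys_at_level() {
    awk -F: -v lvl="$1" '
        /^#/ || NF < 4  { next }    # skip comments and malformed lines
        $3 != "respawn" { next }    # only entries init keeps restarting
        $4 !~ /getty/   { next }    # only login ports
        # an empty rstate field means the entry is active at every level
        $2 == "" || index($2, lvl) { out = out (out ? " " : "") $1 }
        END { print out }
    ' "$2"
}

# console_only LEVEL FILE -> exit status 0 if "co" is the only getty at LEVEL
console_only() {
    [ "$(gettys_at_level "$1" "$2")" = "co" ]
}

# Constructed sample: the three entries quoted in the post plus a comment.
sample_inittab() {
    cat <<'EOF'
# constructed sample, not a real system file
co:1234:respawn:/etc/getty console console
ct:2:respawn:/etc/getty contty contty
001:2:respawn:/etc/getty tty001 9600
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_inittab > "$tmp"
    for lvl in 2 3 4; do
        echo "level $lvl: $(gettys_at_level "$lvl" "$tmp")"
    done
    rm -f "$tmp"
}
demo
```
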