Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!uwvax!oddjob!gargoyle!ihnp4!ihlpa!kai
From: kai@ihlpa.ATT.COM (Irwin)
Newsgroups: comp.unix.questions
Subject: Re: Disabling logins under System V
Message-ID: <4665@ihlpa.ATT.COM>
Date: Fri, 17-Jul-87 19:54:40 EDT
Article-I.D.: ihlpa.4665
Posted: Fri Jul 17 19:54:40 1987
Date-Received: Sat, 18-Jul-87 17:49:39 EDT
References: <905@woton.UUCP>
Organization: AT&T Bell Laboratories - Naperville, Illinois
Lines: 81
Summary: I wouldn't play with passwd on a 3B15!

In article <905@woton.UUCP>, riddle@woton.UUCP writes:
> I am looking for some advice about the preferred way to temporarily
> disable all user logins under System V. What I want is something
> analogous to the BSD "/etc/nologin" file (or is that what it's really
> called? I can't remember): I want to run in multi-user mode but allow
> only root to log in. Furthermore, I want a simple, reversible solution
> that can be run by the person who comes in on weekends to do our
> backups.
>
> The first thing that occurs to me is to whip up a shell script to copy
> /etc/passwd to a safe place, then substitute a modified version of it
> in which an '*' has been inserted in the password field of every login
> except for root. Running the same script with a flag would reverse the
> process. Obviously this script would have to be *highly* reliable.
> Has anyone by any chance written such a script which they know has been
> working for some time with no problems?
>
> Another alternative would be to do the same sort of script, but have it
> install an altered version of /etc/inittab instead of /etc/passwd, thus
> disabling logins on all lines but /dev/console. That might be safer, I
> guess (or would it be?).
>
> Am I missing something? Is there a more straightforward approach? (We
> are running System V Release 2.1.1 Version 1 on a 3B15, if it matters.)
>
> --- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
> --- Opinions expressed are not necessarily those of Shriners Burns Institute.
> --- riddle@woton.UUCP {ihnp4,harvard,seismo}!ut-sally!im4u!woton!riddle

If you've ever dealt with a 3B15 (or 3B5) with a hosed passwd file, I
doubt you'd be too quick to play around with this. It's a real pain in
the !#$! If you only play around with the last half of inittab you are
relatively safe (after the console gets respawned).

I've dealt with this problem a lot and have used several solutions
including the /etc/inittab one (passwd one seemed a tad risky,
especially if the initdefault is set to multi user). Anyway, two SAFE
solutions to the problem are:

1) A login id screener placed in /etc/profile that screens the logins
   and only lets root on. Since root is console bound as a primary
   login this solves the problem. Could be something like:

	# let only root past /etc/profile
	if test "$LOGNAME" != root
	then
		echo "Machine not available for general use, sorry"
		exit
	fi

   This not only locks out other terminals but other login ids as well.

2) If the intent is just to lock out other terminals, then you can
   define another init level that is multi user but console only, so in
   inittab you would define ports as:

	co:1234:respawn:/etc/getty console console
	ct:2:respawn:/etc/getty contty contty
	001:2:respawn:/etc/getty tty001 9600

   so that console would be respawned at init level 3 and 4 and other
   ports would not. You can also only turn on SOME ports, allowing say
   hardwired access but not dial-up access. So when you came up to init
   level 2 you would just go to init level 3 or 4 for the desired
   system configuration. (Note: on a 3B15 these (3 and 4) are the only
   2 available "user definable init levels"; 1 is single user mode, 2
   is multi user, 5 is firmware, and 6 is system reboot.)

I hope this helps. I've used both (actually the first one to only allow
"machine" access (i.e., nuucp only) on certain ports to control network
traffic) and the second for stand alone performance testing.

Ken A. Irwin
AT&T Bell Labs, Naperville
IHP 1A332
(312) 416-4485
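
A pre-flight check for the inittab approach in the reply above, as an added example that is not part of the original post: it lists which lines still get a getty at a given init level, so the operator can confirm a level is console-only before switching to it. The function names, the embedded sample (the three entries quoted in the reply) and the getty option handling are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample input: the three inittab entries quoted in the post.
sample_inittab() {
    cat <<'EOF'
co:1234:respawn:/etc/getty console console
ct:2:respawn:/etc/getty contty contty
001:2:respawn:/etc/getty tty001 9600
EOF
}

# ports_at_level LEVEL < inittab   (hypothetical helper)
# Prints the tty of every getty that init respawns at run level LEVEL.
# Entry layout is id:rstate:action:process; an empty rstate matches all levels.
ports_at_level() {
    awk -F: -v lvl="$1" '
        /^[ \t]*#/ || NF < 4        { next }   # comments, malformed lines
        $3 != "respawn"             { next }   # only respawned entries hold a port open
        $2 != "" && !index($2, lvl) { next }   # entry not active at this level
        {
            n = split($4, w, /[ \t]+/)
            if (w[1] !~ /getty$/) next
            # Assumption: getty options (-h, -t SECONDS) precede the line name.
            for (i = 2; i <= n; i++) {
                if (w[i] == "-t") { i++; continue }
                if (w[i] ~ /^-/)  continue
                print w[i]; break
            }
        }
    '
}

# console_only LEVEL < inittab   (hypothetical helper)
# Succeeds only when the console is the single login port at LEVEL.
console_only() {
    [ "$(ports_at_level "$1")" = "console" ]
}

# Stand-alone run: show what each level in the sample leaves open.
for l in 2 3 4; do
    echo "level $l: $(sample_inittab | ports_at_level "$l" | tr '\n' ' ')"
done
```

On a live system the same check would read the real file, for example `console_only 3 < /etc/inittab`, before the level change is made.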