SUMMARY: netgroup / passwd

From: beig@FRULM63.BITNET
Date: Tue Nov 19 1991 - 01:29:38 CST

>> I was just asked to enforce security on our network by selecting
>> users on hosts. I thought of using the +@ / -@ feature in /etc/passwd.
>> And I did:
>> tail /etc/passwd
>> sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdi
>> sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
>> -@u_students:
>> +::::::
>> Since the manual pages passwd(5) says:
>> -@netgroup means
>> to disallow any subsequent entries for all members of the
>> network group netgroup.
>> I thought that no students can log in to this host (because of the word
>> "subsequent"). But it fails. Why?
1. Some people told me this is the reverse order: I disallow students,
then I allow everyone. So they told me to write:
It doesn't work.
2. Some people told me:
I didn't test this. But doing this, people have
an account, of course with no login/rlogin/telnet.
But there are a lot of ways to execute commands: .forward,
rsh, on, ftp, etc. (yes, I know how to protect these first 4
but not how to protect the fifth...)
3. AN ANSWER IS to set a regular passwd line:
Without the two '0', it doesn't work.
It's not quite normal because to allow people you just
have to say:
So there is a dissymmetry between allowing/disallowing.
And DEC/Ultrix understands the short form (-@u_students:).
So I think there is a bug...
Thanks to:
  --Jacques Beigbeder
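As an added example, not code from the post or from any of its respondents: a small Python auditor that evaluates a compat-mode passwd file under the passwd(5) semantics quoted above (entries scanned in order, a -@netgroup line excluding its members from every later entry), so an administrator can check what a given ordering actually admits before relying on it. The netgroup map, the NIS user list and the passwd contents are constructed; the code models the documented semantics, not the SunOS behaviour Jacques reports.

```python
"""Audit which users a compat-mode /etc/passwd admits, following the
passwd(5) wording quoted in the post: entries are read in order, a
-@netgroup line disallows its members in all subsequent entries, and
+:::::: pulls in every remaining NIS user. Added example; it implements
the documented semantics, not the SunOS bug the post describes."""

# Constructed netgroup map: netgroup name -> set of user names.
NETGROUPS = {
    "u_students": {"alice", "bob"},
    "u_staff": {"carol"},
}

# Constructed passwd file mirroring the ordering in the post.
PASSWD = """\
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
-@u_students:
+::::::
"""

def effective_access(passwd_text, nis_users, netgroups=NETGROUPS):
    """Return the set of user names the file admits.

    nis_users: users present in the NIS passwd map (what '+' entries import).
    Assumption: a -@/-user line hides that user in every later entry,
    local lines included, as the man page's "any subsequent entries" says."""
    denied = set()
    allowed = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        if name.startswith("-@"):            # exclude a netgroup from later entries
            denied |= netgroups.get(name[2:], set())
        elif name.startswith("-"):           # exclude a single user
            denied.add(name[1:])
        elif name.startswith("+@"):          # import a netgroup, minus earlier denials
            allowed |= (netgroups.get(name[2:], set()) & nis_users) - denied
        elif name == "+":                    # import every NIS user not yet denied
            allowed |= nis_users - denied
        elif name.startswith("+"):           # import one NIS user
            if name[1:] in nis_users and name[1:] not in denied:
                allowed.add(name[1:])
        elif name not in denied:             # ordinary local entry
            allowed.add(name)
    return allowed

if __name__ == "__main__":
    print(sorted(effective_access(PASSWD, {"alice", "bob", "carol", "dave"})))
```

Swapping the last two lines of PASSWD (the "+::::::" wildcard before the -@ line) admits the students, which is the ordering problem raised in point 1.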

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:16 CDT