Summary of How to disallow selected users access to selected machines

From: Alexander Bachmann (et11ltab@sbusol.rz.uni-sb.de)
Date: Fri Apr 16 1993 - 06:19:10 CDT


Thanks to all, who replied to my query, especially to Frank Kardel
(kardel@informatik.uni-erlangen.de) and John W. Stewart
(stewart@cis.udel.e).

As was mentioned in most responses, the best way to exclude some users
from a machine is the +(-)user or +(-)@netgroup feature described
in passwd(5) and netgroup(5).
A description in great detail is given
in the book 'Managing NIS and NFS' by Hal Stern, published by O'Reilly &
Associates, Inc.
By this means the global password file can be kept centralized by NIS.

The way we will manage things, is to end local password files with:
+@restricted-group:*:0:0:::/usr/local/sh/no-access
+::0:0:::
When a program accesses /etc/passwd, it checks the entries one after
the other (!!) to find a matching entry.
So when user joe-doe, who is a member of the netgroup restricted-group,
tries to log into the machine, /etc/passwd is checked until this line,
where a matching entry is found.
The shell /usr/local/sh/no-access then gives joe-doe a short message
like 'no access granted' and exits.
The last line appends the NIS passwd map to the client's passwd file.
This can be done, because any routine that reads /etc/passwd
stops parsing after the first matching entry.
We don't remove the NIS passwd entries for users with -user
(or -@netgroup) because this will cause trouble with email, when a
user is not known on the mail-server.
Please correct me, if I made any mistake.
Thanx again,
Alex
+----------------------------------------------------------------------+
| Diplom Ingenieur Alexander Bachmann |
| Universitaet des Saarlandes | Tel. ++49/681/3023576 |
| Lehrstuhl fuer Mikroelektronik | Fax 2678 |
| D-6600 Saarbruecken | E-mail bachmann@ee.uni-sb.de |
+----------------------------------------------------------------------+
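The first-match lookup Alex describes, as an added simulation that is not part of his post or of any NIS implementation: it walks a local passwd file with +@netgroup / + / - entries against a constructed NIS passwd map and netgroup map. It assumes SunOS-style compat semantics in which non-empty password, gecos, home and shell fields of a + entry override the map's values while uid/gid always come from the map; the user names, maps and paths other than /usr/local/sh/no-access are made up.

```python
# Simulation of NIS "compat" mode /etc/passwd lookups: entries are scanned in
# order and the first matching one wins, exactly as the post explains.

# Local passwd file ending with the two lines from the post (root line is constructed).
LOCAL_PASSWD = """\
root:x:0:1:Operator:/:/bin/csh
+@restricted-group:*:0:0:::/usr/local/sh/no-access
+::0:0:::
"""
# Constructed NIS passwd map and netgroup map (sample data, not real accounts).
NIS_PASSWD = {
    "joe-doe": "joe-doe:abc:1001:100:Joe Doe:/home/joe:/bin/csh",
    "jane": "jane:def:1002:100:Jane Roe:/home/jane:/bin/ksh",
}
NETGROUPS = {"restricted-group": {"joe-doe"}}

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

def parse(line):
    return dict(zip(FIELDS, line.split(":")))

def lookup(user, local=LOCAL_PASSWD, nis=NIS_PASSWD, netgroups=NETGROUPS):
    """Return the effective passwd entry for `user`, or None if the user is
    unknown or excluded. Scanning stops at the first entry that applies."""
    for line in local.splitlines():
        if not line:
            continue
        entry = parse(line)
        name = entry["name"]
        if not name.startswith(("+", "-")):
            if name == user:
                return entry              # ordinary local entry matched
            continue
        key = name[1:]                    # "" (everyone), "@netgroup" or "user"
        if key.startswith("@"):
            applies = user in netgroups.get(key[1:], set())
        else:
            applies = key == user or key == ""
        if not applies:
            continue
        if name[0] == "-":
            return None                   # excluded; later + lines cannot re-add
        if user not in nis:
            continue                      # + line matched, but NIS has no such user
        result = parse(nis[user])
        for f in ("passwd", "gecos", "dir", "shell"):   # uid/gid never override (assumed)
            if entry[f]:
                result[f] = entry[f]
        return result
    return None
```

Running lookup("joe-doe") yields the no-access shell (and the `*` password from the restricted line), while lookup("jane") yields her unmodified NIS entry.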



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:07:45 CDT