Summary: How to stop "/" as Home Directory when Home Dir is not found.

From: Jim Murff (murff@irt.com)
Date: Thu Apr 14 1994 - 19:17:03 CDT


I am still looking for more solutions to this. No one seems to have seen
or remember this question or summary from the dusty past. I have still been
thwarted in finding an answer in the archives. Anyway, I am posting the
information that came my way. I see several possible solutions if I had a single
login file that everyone used and could not edit, but that's not the case here.
Thanks for the information so far and if anyone can think of anything to add
I am certainly open for more. (There are many "Me too's" so ideas are needed).

Original Query:
===============
>I saw a question similar to this many moons ago. (The gopher archives for
>1993 appear to be hosed at the moment). I have checked my archive and the recent
>archives to no avail. Can someone send me the answer (or previous summary) for
>the following question:
>
> When a user logs in, if the HOME directory is not accessible the
> default reaction is to kick that user into "/"(root dir). This is
> undesirable. I would like to just not allow login in this case. How
> is the best way to go about this? What are the options etc...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Darrell Root had some wise words of caution!! (see last included message)

The best solution came from Stephen Dowdy. This is the one I am implementing for
now to play with (I am not so kind as Stephen :}) ::

        Some systems will not let you login at all (i personally find this
        exceedingly painful when i'm trying to login to fix something). However,
        on at least 4.x SunOS, when you login, the .login or .cshrc will be read
        even if owned by root (and world readable) contrary to the manual page
        (don't remember which, you'll have to poke it). Thus you can do some
        conditional code like:

                ...
                onintr login_anyway
                if ( `whoami` != "root" ) then
                  echo "Urf, Your home directory is not accessible,"
                  echo "Press ^C to login anyway or your login will be dropped..."
                  sleep 5
                  logout
                endif

                login_anyway:
                  echo "you've been warned...."
                  exit
                ...

        in whichever file it is and make sure the files .login and .cshrc are
        owned by root and of course not writable, but readable, by world. (you can
        view this as a security issue if you like)

---------------- Other replies -----------------
Dave Glosser
From: glosser@bbdo.com
>
>I know this isn't a foolproof answer, but this is what I set up:
>(All users are running sunos 4.1.3; c shell)
>I have the /.login source a program called ".rootcheck"
>This program contains the lines:
>if ( `whoami` == root ) then
>    # it's ok: print welcome messages, etc.
>else
>    # bummer: echo all sorts of messages, mail to root, etc.
>    logout
>endif
>
>I know this isn't foolproof, users can break out of it, etc.
>One of these years I may make it a c program.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
From: raoul@MIT.EDU
>
>Use tcsh: Put in /etc/csh.login something that logs them out if they
>don't have a home directory.
>
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
From: vasey@issi.com (is this SLOWlaris stuff?? - ed. :)
>
>On some of our restricted subnets where a user has limited visiting privileges
>(and no home directory), we use the wildcard entry in auto.home to shunt him
>off into a general purpose holding pen (usually server:/export/home/homeless).
>
>Works great when there's not an explicit entry for the user; however, I don't
>know if the automounter (assuming you're using it ;^) would default to the
>wildcard after timing out on a user entry. Might be worth a try ...
>
>++ Ron vasey@issi.com International Software Systems Peace! ++
> 1+512+338-5724 9430 Research, Austin TX 78759 <><
>
>
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
From: herbert@acstwo.gn.paramax.COM (Marc L. Herbert)
>
>I haven't tried this myself, but looking at a typical /etc/passwd entry shows:
>
>sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
>
>and
>
>herbert:password:101:140:Marc L. Herbert:/home/enterprise/herbert:/bin/csh
>
>
>The last field, /usr/diag/sundiag/sundiag in this case, is the name of the
>program to run upon login. It is normally set to /bin/csh when a user logs in,
>such as myself. You might try changing the last field to the name of a
>shell script you write, e.g., /etc/checku_home_dir, that checks for
>the existence of the user's home directory (given in the penultimate field
>on the password entry), and if it is seen, then start a /bin/csh process, or
>else exit with a suitable message.
>
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
From: sven@wells.nrl.navy.mil (Sven Heinicke)
>
>umm, well if there is no better way to do it you could just put
>something in /.profile or /.cshrc for every shell people use and have
>it check to see if the user is root, if not log that person out.
>
>I, however, am not sure if it would actually run the .cshrc in / if
>~ didn't exist. Try doing an experiment.
>
> Sven
>
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
From: rootd@ohsu.EDU (Darrell Root)
>
>A warning: If logins are disabled if you can't access the home directory, and
>your console is secure (so you can't log in on the console as root---you need
>to login to another user) then if you lose the user's drive/partition you won't
>be able to login as root without dropping the machine to single-user mode.
>
>If you've remapped L1-A on the console, this may not be a trivial task. Even
>with L1-A still enabled, hitting L1-A is not pretty...
>
>I have an operator account, with / as home directory, in group wheel to avoid
>the problem.
>
>Darrell Root
>rootd@ohsu.edu
-------------------------------------------------------------------------------

Thanks to all who responded. Still interested if anyone has more.
Thanks;

-Jim

-------------------------------------------------------------------------------
Jim Murff (murff@irt.com) Voice # (619)622-8878
IRT Corp, San Diego, CA. Corp # (619)450-4343
UNIX System Software Engineer/System Admin. Fax # (619)622-8888
-------------------------------------------------------------------------------
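
Added example (not part of the original post or of any reply): a sketch of the login-shell wrapper idea from Marc Herbert's reply, with recovery accounts exempted as Darrell Root's warning suggests. It assumes a POSIX sh and awk and a local passwd file; REAL_SHELL, PASSWD_FILE, EXEMPT_USERS and the function names are hypothetical, and only the name /etc/checku_home_dir comes from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. All variable and function names
# are assumptions made for illustration.

REAL_SHELL=${REAL_SHELL:-/bin/csh}              # shell to hand over to (assumed)
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}         # local passwd file only, no NIS lookup
EXEMPT_USERS=${EXEMPT_USERS:-"root operator"}   # recovery accounts that must always get in

# passwd_home USER: print the home-directory field (6th) of USER's passwd entry.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "$PASSWD_FILE"
}

# home_ok DIR: true only for an existing, enterable, readable directory other than "/".
home_ok() {
    [ -n "$1" ] && [ "$1" != "/" ] && [ -d "$1" ] && [ -x "$1" ] && [ -r "$1" ]
}

# login_allowed USER: exempt accounts always pass; everyone else needs a usable
# home. An unknown user or an unreadable passwd file yields "" and is refused.
login_allowed() {
    for exempt in $EXEMPT_USERS; do
        [ "$exempt" = "$1" ] && return 0
    done
    home_ok "$(passwd_home "$1")"
}

main() {
    user=$(id -un) || exit 1
    if login_allowed "$user"; then
        home=$(passwd_home "$user")
        HOME=$home; export HOME
        cd "$home" 2>/dev/null || cd /      # only exempt accounts can land in "/"
        exec "$REAL_SHELL"
    fi
    echo "Home directory for $user is not accessible; login refused." >&2
    exit 1
}

# Act as a login wrapper only when invoked under the wrapper's own name, so the
# functions above can be sourced and exercised without starting a shell.
case "$0" in
    *checku_home_dir) main ;;
esac
```

A shell started this way is not a login shell (its argv[0] has no leading "-"), so csh will read .cshrc but not .login. The check reads the passwd entry rather than $HOME because, as the query describes, a failed home directory leaves the session in "/".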


