[ On Tuesday, February 3, 2004 at 12:32:42 (-0800), Rick Genter wrote: ]
> Subject: RE: CVS security question
>
> It's probably more secure to set their shell to something that does
> exist but won't function as a shell, like /dev/null or
> /bin/false.

Well it depends on how obscure you make the "fake" name, but no, that's
usually not really any more secure.

However it's a good idea to use a small binary program that simply
prints an error message, and perhaps logs the event.

Even a little shell script that doesn't ever accept any input from the
tty is secure enough:
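
#! /bin/sh
# Fall back to a placeholder name if USER is unset or empty.
: ${USER:=UNKNOWN}
# Log the attempt (with PID) to syslog and echo it to stderr.
logger -i -s -p auth.info -t "$0" "The $USER account is currently not available from `tty`."
exit 1
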
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]> Secrets of the Weird <[EMAIL PROTECTED]>
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
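
The thread above contrasts a nonexistent shell path, /dev/null, /bin/false, and a small refusal program. As an added example (not part of the original messages), this script audits the shell field of passwd(5) entries and reports which case each account falls into. The function names, the NOLOGIN_STUBS list and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the login-shell field of
# passwd(5) entries. Status meanings:
#   default  - empty field, so the system default shell (normally /bin/sh) applies
#   missing  - path does not exist (the "nonexistent name" approach)
#   not-exec - exists but is not an executable regular file (e.g. /dev/null)
#   stub     - executable listed in NOLOGIN_STUBS, i.e. a program that refuses logins
#   login    - any other executable; assume it can act as an interactive shell

# Assumption: site-specific list of refusal programs, space separated.
NOLOGIN_STUBS=${NOLOGIN_STUBS:-"/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin"}

classify_shell() {
    if [ -z "$1" ]; then echo default; return 0; fi
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    if [ ! -f "$1" ] || [ ! -x "$1" ]; then echo not-exec; return 0; fi
    for stub in $NOLOGIN_STUBS; do
        if [ "$1" = "$stub" ]; then echo stub; return 0; fi
    done
    echo login
}

# Reads passwd-format lines on stdin, prints "user<TAB>shell<TAB>status".
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case $user in ''|'#'*) continue ;; esac
        printf '%s\t%s\t%s\n' "$user" "${shell:--}" "$(classify_shell "$shell")"
    done
}

# Constructed sample entries (hypothetical accounts, not real data).
sample_passwd() {
    cat <<'EOF'
alice:x:1001:1001:Alice:/home/alice:/bin/sh
cvsanon:x:1002:1002:CVS read-only:/nonexistent:/bin/false
cvsdev:x:1003:1003:CVS committer:/home/cvsdev:/no/such/shell
cvsold:x:1004:1004:Retired:/nonexistent:/dev/null
svc:x:1005:1005:Service:/var/empty:
EOF
}

if [ $# -gt 0 ]; then audit_passwd < "$1"; else sample_passwd | audit_passwd; fi
```

Accounts reported as "default" or "login" are the ones that still get an interactive shell; "missing" and "not-exec" entries block logins without printing or logging anything.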