Re: [ot] how to create a user that can't log in?

To: debian-security@lists.debian.org
Subject: Re: [ot] how to create a user that can't log in?
From: Nathan E Norman <nnorman@micromuse.com>
Date: Sun, 20 Jan 2002 14:05:44 -0600
Message-id: <[🔎] 20020120200544.GA24976@micromuse.com>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 3C4B0EF4.CC40C5B1@agni.phys.iit.edu>
References: <[🔎] Pine.LNX.3.96.1020120100108.27217A-100000@Maggie.Linux-Consulting.com> <[🔎] 3C4B0EF4.CC40C5B1@agni.phys.iit.edu>

No, it's not the right way.  The daemons need to run as the project
user, not the individual user.

I know how to set up groups, permissions, etc. ... been doing that for
several years now.

What I'm wondering is if PAM or some other mechanism can be used to
prevent a user from logging in via a network connection.  It looks
like people here don't know; that's fine, I'll continue researching.

On Sun, Jan 20, 2002 at 01:39:48PM -0500, David Ehle wrote:
> LOL, talk about not seeing the forest for the tree's... Yeah. Do it the
> way he says. Its the "right" way of doing something like that.
> 
> David.
> 
> Alvin Oga wrote:
> > 
> > hi ya nathan
> > 
> > create a group "proj"
> > 
> > add tom, dick, harry to belong to the proj group ( /etc/group )
> >         - those NOT listed in proj will NOT be able to do anything
> > 
> > make sure /home/project is  owned by projectmanager and group proj
> > make sure its chmod 775 or chmod 770 for /home/project
> > 
> > make sure the shell for projectmanager is /dev/null ( no login shell )
> > 
> > each user ( tom, dick, harry ) can all run
> >         /home/project/scripts/start-me-up.sh
> >   w/o having to be projectmanager
> > 
> > -- i claim there is no point to having a login account projectmanager/user
> >    if everybody can login into it... why bother ???
> >         - you'd want to know who made the changes ... ( tom, dick, harry )
> > 
> > c ya
> > alvin
> > 
> > On Sun, 20 Jan 2002, Nathan E Norman wrote:
> > 
> > > Hi,
> > >
> > > I'm setting up a project for some friends.  I want each of them to
> > > have their own account, but I want the project to be hosted (and run
> > > under) a seperate account.  Each user should be able to su to the
> > > project account to restart daemons.  No user should be able to log in
> > > as the project user.
> > >
> > > How do I set this up?  Is it possible?
> > 
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton

Attachment: pgpbfZ1Zuky4O.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: [ot] how to create a user that can't log in?
  - From: Alvin Oga <aoga@Maggie.Linux-Consulting.com>
- Re: [ot] how to create a user that can't log in?
  - From: martin f krafft <madduck@madduck.net>

References:
- Re: [ot] how to create a user that can't log in?
  - From: Alvin Oga <aoga@Maggie.Linux-Consulting.com>
- Re: [ot] how to create a user that can't log in?
  - From: David Ehle <ehle@agni.phys.iit.edu>

Prev by Date: Re: [ot] how to create a user that can't log in?
Next by Date: Re: [ot] how to create a user that can't log in?
Previous by thread: Re: [ot] how to create a user that can't log in?
Next by thread: Re: [ot] how to create a user that can't log in?
Index(es):
- Date
- Thread