
Bug#298782: RFP: [SECURITY] nologin -- More secure /bin/false alternative with syslog support



Package: wnpp
Severity: wishlist


* Package name    : nologin
  Version         : 1.6
  Upstream Author : LI Xin (*)
* URL             : http://cvsup.pt.freebsd.org/cgi-bin/cvsweb/cvsweb.cgi/src/usr.sbin/nologin/nologin.c
* License         : BSD
  Description     : More secure /bin/false alternative with syslog support

(Include the long description here.)

The /bin/false in Debian[1] does not provide logging capabilities.
There seems to be a FreeBSD port of the Titan[2] framework that uses
/bin/nologin instead, which provides syslog support.

The code is available at FreeBSD's CVS web page. Below is slightly modified
code, tested on Debian. The /var/log/auth.log then reads:

    Mar 10 00:16:35 host nologin: Attempted login by UNKNOWN on /dev/pts/6

Jari

[CODE]

/*-
 * Copyright (c) 2004 The FreeBSD Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
/* __FBSDID("$FreeBSD: src/usr.sbin/nologin/nologin.c,v 1.6 2005/01/04 20:07:12 delphij Exp $"); */

#include <stdio.h>
#include <syslog.h>
#include <unistd.h>

#define	MESSAGE	"This account is currently not available.\n"

int
/* main(__unused int argc, __unused char *argv[]) */
main(int argc, char *argv[])
{
	const char *user, *tt;

	(void)argc;
	(void)argv;

	/* Identify the controlling terminal and login name for the log
	 * entry; either may be unavailable (no tty, no utmp entry), in
	 * which case "UNKNOWN" is logged instead. */
	if ((tt = ttyname(0)) == NULL)
		tt = "UNKNOWN";
	if ((user = getlogin()) == NULL)
		user = "UNKNOWN";
	/* Log to the auth facility at critical priority; LOG_CONS writes
	 * to the console if syslogd cannot be reached. */
	openlog("nologin", LOG_CONS, LOG_AUTH);
	syslog(LOG_CRIT, "Attempted login by %s on %s", user, tt);
	closelog();

	/* Tell the user the account is disabled and exit non-zero so the
	 * login fails, as /bin/false does. */
	printf("%s", MESSAGE);
	return 1;
}


[REFERENCES]

(*) CVS committer delphij's homepage. There is an email contact form at
http://www.delphij.net/

[1] coreutils-5.2.1/src/false.c examined


[2] "TITAN 4.0 for Linux". The original idea goes back to the Titan project's
nologin.c, whose description reads:

... noshell.c This is the preferred way of doing a noshell. This
should be statically compiled (see Titan.v4.0/src1/Makefile.linux) and
should replace the shell script that disable-accounts.sh placed in
/usr/sbin/noshell.

Also mentioned in the book "Hardening Linux (2005)" by James Turnbull,
p. 21, "hardening basics":

... If the default shell points to a nonexistent file, then the user will be unable to log in ... On Debian systems /bin/false is used. On more recent versions of distributions these login shells have been binaries with the sole function of logging error messages to syslog and exiting without allowing a login to the system.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)