From 700156f94b92227599d39485e548f1948a3b6aaf Mon Sep 17 00:00:00 2001 From: mpp Date: Fri, 14 Mar 1997 02:37:27 +0000 Subject: Add some text regarding security issues when using a shell script as the login shell. Closes PR# 2978. --- share/man/man5/passwd.5 | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'share/man/man5/passwd.5') diff --git a/share/man/man5/passwd.5 b/share/man/man5/passwd.5 index 82dc240..db605da 100644 --- a/share/man/man5/passwd.5 +++ b/share/man/man5/passwd.5 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93 -.\" $Id: passwd.5,v 1.13 1997/03/12 13:46:16 mpp Exp $ +.\" $Id: passwd.5,v 1.14 1997/03/12 14:05:36 mpp Exp $ .\" .Dd September 29, 1994 .Dt PASSWD 5 @@ -172,6 +172,17 @@ If there is nothing in the field, the Bourne shell .Pq Pa /bin/sh is assumed. +For security reasons, if the shell is set to a script that disallows +access to the system (the +.Xr nologin 8 +script, for example), care should be taken not to import any environment +variables. With +.Xr sh 1 , +this can be done by specifying the +.Fl p +flag. +Check the specific shell documentation to determine how this is +done with other shells. .Sh YP/NIS INTERACTION .Ss Enabling access to NIS passwd data The system administrator can configure FreeBSD to use NIS/YP for @@ -222,7 +233,7 @@ file): +@rejected-users::32767:32767::::::/bin/false .Ed -Specific usernames are listed explicitly while netgroups are signfied +Specific usernames are listed explicitly while netgroups are signified by a preceding `@'. In the above example, users in the ``staff'' and ``permitted-users'' netgroups will have their password information read from NIS and used unaltered. In other words, they will be allowed 
@@ -297,6 +308,8 @@ that prints a message telling the user that he is not allowed access to the system. This technique is sometimes useful when it is desirable to have the system be able to recognize all users in a particular NIS domain without necessarily granting them login access. +See the above text on the shell field regarding security concerns when using +a shell script as the login shell. .Pp The primary use of this .Pa override -- cgit v1.1
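Review bot: In the second hunk (the new "For security reasons" text after ".Pq Pa /bin/sh is assumed."), two documentation points. First, the new sentences start immediately after "is assumed." with no ".Pp", so in the rendered page the security advice runs into the preceding paragraph about the default shell; insert a ".Pp" before "For security reasons". Second, "this can be done by specifying the .Fl p flag" does not say where the flag is specified: a user logging in cannot pass options to the login shell, so for a script such as the nologin(8) one the flag has to go on the script's own interpreter line (e.g. "#!/bin/sh -p"), and the text should say so. The phrase "not to import any environment variables" is also broader than what a shell option does; the hunk does not state which variables or startup files "-p" causes sh(1) to disregard, and stating that precisely (or cross-referencing the relevant part of sh(1)) would keep the promise from reading as stronger than the mechanism.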
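Review bot: In the last hunk, "See the above text on the shell field" is a vague back-reference in a section (the YP/NIS override discussion) that is far from the field description; a reader who entered the page here has no anchor for "above text". Name the target explicitly, for example "See the description of the shell field in the DESCRIPTION section", or use an mdoc ".Sx" cross-reference, so the link survives if the page is reorganized. Also, the override example in this file uses "/bin/false", which is a binary, while the new warning is about shell scripts; a short clause making clear the concern applies only when a script (such as the nologin(8) one in the same paragraph) is used would avoid confusion.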