ORIGINAL QUESTION:
> I am the sys admin at a Univ. and it seems freshman like to change
> their gecos info to lame or obscene things. is there a way to >
> disable that?
> i have noticed that chsh chfn and passwd are the same program
> and by getting rid of chfn, users are still able to use passwd -f
> im running c2 security if that helps*shurg*
1. unlink /usr/bin/chfn and edit the binary for /usr/bin/passwd
with something like emacs or something that can handle binaries
find the "fs" string which is passed to getopt and change it
from fs to ss to disallow finger changes.
(if one does this a user can link passwd to chfn and still change
their gecos info)
2. make all of those programs owned by user security, group security
(or something like that). depermit everyone but the owner from
running those programs. write a c wraper script which will setuid
to that user and run passwd with ONLY the flags that you allow --
explain that -f is disabled. chown it to security, group security,
chmod the sticky bit on it.
3. Gecos is kept in /etc/passwd, only root writable. Passwd is setuid
to root. the passwords are writable by auth. if you change the
passwd's program to setuid auth, users should be able to change
their passwd, but not their gecos, becaus auth can't write to /etc/
passwd. sounds good on paper, but doesn't seem to work.
4. If you are running NIS, you can run yppasswdd on the server with the
nogecos flag, which disabled the ability of users to chane anything
except their password.
/usr/sbin/rpc.yppasswdd /var/yp/src/passwd -nogecos -m passwd
5. replace passwd/chfn/chsh with a different program
maybe npasswd 2.0(when released) or ANLpasswd
(will these work with C2 security?)
6. move passwd and replace it with a "wrapper" that disables chfn and
-f options, then calls the original. Works until a hacker type
finds the original.
The best solution in my opinion is to get the source code from DEC and
recompile it without the chfn options but I don't know how to do that one.
anyone?
thanks to:
Sheila Hollenbaugh <shollen_at_valhalla.cs.wright.edu>
Don Newcomer <newcomer_at_dickinson.edu>
Terry McIntyre <tm_at_switch.com>
Daniel Eisenbud <eisenbud_at_condor.sccs.swarthmore.edu>
Tom <tom_at_homer.bus.miami.edu>
Jon Buchanan <Jonathan.Buchanan_at_ska.com>
Craig I. Hagan <hagan_at_ttgi.com>
Spider Boardman <spider_at_orb.nashua.nh.us>
Received on Thu Jan 25 1996 - 05:44:12 NZDT