Thanks much to all the following that answered my question:
Jan Mark Holzer
Ken Brown
Allan E Johannesen
Nestor Ruiz
Jerome M Berkman
Andrew Moar
My original message was:
I have to disable changing finger information on my server. I thought that
changing rights to chfn would be enough, but there is still a possibility
to change finger information by passwd -f. Have you any idea how to solve
this problem?
A common answer was to rewrite the passwd command and disable the -f option.
Andrew Moar sent me the whole C source of a new passwd (it works pretty well)
with a clear explanation, so I attached it to the letter.
Jan Mark Holzer sent me an interesting idea. He proposed editing
/etc/sia/matrix.conf and specifying a non-existent library for the
sia_chg_finger call. It might work, but I haven't tested it.
Thanks to all!
Maciej Baranowski ( bmaciej_at_venus.wmid.amu.edu.pl )
( root_at_venus.wmid.amu.edu.pl )
/**********************************************************************/
/* */
/* NAME: passwd.c */
/* */
/* PROGRAMMER: Richard Jackson DATE: 940509 */
/* */
/* PURPOSE: Wrapper for passwd to prevent 'passwd -f' invocation. */
/* Of course, chfn will have to be disabled. */
/* */
/* NOTES: */
/* To execute: */
/* 1. passwd [...] */
/* */
/* To build under ULTRIX: */
/* 1. cc -O -mips3 -o passwd passwd.c (ULTRIX 4.3a) */
/* 1. cc -O -non_shared -o passwd passwd.c (OSF/1 3.0) */
/* 2. strip passwd */
/* 3. mv passwd /usr/bin/ (755 root.system) */
/* */
/* */
/* MODIFICATION HISTORY: */
/* DATE MOD NAME DESCRIPTION */
/* */
/* 940509 AAA rjackson initial version */
/* 940831 AAB rjackson check if TRUE and FALSE are defined first*/
/* */
/**********************************************************************/
#include <ctype.h>    /* isalnum() */
#include <limits.h>   /* ARG_MAX */
#include <stdio.h>    /* printf(), sprintf() */
#include <string.h>   /* strcmp(), strstr(), strcat(), strlen() */
#include <stdlib.h>   /* exit(), system() */

#define PASSWD "/usr/bin/passwd.dist"   /* real passwd command */

#ifndef ARG_MAX
#define ARG_MAX 4096  /* fallback where <limits.h> does not define it */
#endif
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif

int main(int argc, char *argv[])
{
    int  i, j;            /* counters */
    int  len;             /* length of argument */
    int  good;            /* flag for good argument */
    char cmd[ARG_MAX];    /* command for real passwd */

    /*
     * setup for appropriate command.
     */
    if (strstr(argv[0], "chfn") != (char *) NULL)
    {
        printf("Sorry, chfn has been disabled since its use may adversely\n");
        printf(" affect email delivery. Finger information changes are not\n");
        printf(" permitted. Use a .plan file in your home area as an\n");
        printf(" alternative method.\n");
        exit(1);
    }
    else if (strstr(argv[0], "chsh") != (char *) NULL)
        sprintf(cmd, "%s -s ", PASSWD);
    else
        sprintf(cmd, "%s ", PASSWD);        /* assume passwd command */

    for (i = 1; i < argc; i++)              /* construct real command */
    {
        if (strcmp(argv[i], "-f") == 0)     /* disable -f */
        {
            printf("Sorry, -f has been disabled since its use may adversely\n");
            printf(" affect email delivery. Finger information changes are not\n");
            printf(" permitted. Use a .plan file in your home area as an\n");
            printf(" alternative method.\n");
            exit(1);
        }
        else                                /* append argv[i] to command */
        {
            len = strlen(argv[i]);
            good = TRUE;
            for (j = 0; j < len; j++)       /* check for safe system call */
                if (!(isalnum((unsigned char) argv[i][j]) || argv[i][j] == '-'))
                {
                    good = FALSE;
                    break;
                }
            /* argument is ok and still fits (arg + space + NUL) */
            if (good && strlen(cmd) + len + 2 <= sizeof(cmd))
            {
                strcat(cmd, argv[i]);       /* concat argument */
                strcat(cmd, " ");
            }
        }
    } /* for */

    /* run the real passwd; report failure to the caller */
    return system(cmd) == 0 ? 0 : 1;
} /* main() */
-------------------->8---------------->8-------------------->8-------------
- osf1: install passwd wrapper and disable chfn capability
disable 'chfn' and 'passwd -f'. Reason -
"chfn has been disabled since its use may adversely
affect email delivery. Finger information changes are not
permitted. Use a .plan file in your home area as an
alternative method."
1. cd /usr/bin
2. mv passwd passwd.dist
3. chmod 4710 passwd.dist (from 4711 root.bin)
chown root.system passwd.dist
4. mv ~/util/passwd/passwd .
5. chmod 2711 passwd
chown root.system passwd
6. rm chsh chfn
7. ln passwd chfn
8. ln passwd chsh
Received on Tue May 26 1998 - 13:38:32 NZST
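A variant of the wrapper that builds an argument vector and calls execve() directly instead of handing a string to system(), so no shell parses the arguments and the real passwd starts with a fixed environment. This is an added example, not part of the original post or Richard Jackson's code. It assumes passwd accepts combined option clusters (so any cluster containing f is refused), it refuses unsafe arguments rather than dropping them, and MAX_ARGS and the PATH value are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REAL_PASSWD "/usr/bin/passwd.dist"  /* path from the install steps in the post */
#define MAX_ARGS    16                      /* assumed cap, chosen for this example */

/* Allow only alphanumerics and '-', as the original wrapper does, and refuse
 * any option cluster containing 'f' (assumption: passwd accepts clusters). */
static int arg_allowed(const char *arg)
{
    const char *p;
    if (*arg == '\0' || (arg[0] == '-' && strchr(arg + 1, 'f'))) return 0;
    for (p = arg; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '-') return 0;
    return 1;
}

/* Fill out[] with the argv for the real passwd, NULL-terminated.
 * Returns the number of entries, or -1 if the request must be refused. */
int build_argv(int argc, char *argv[], char *out[], int cap)
{
    const char *name;
    int i, n = 0;
    if (argc < 1 || argv[0] == NULL) return -1;
    name = strrchr(argv[0], '/');
    name = name ? name + 1 : argv[0];          /* basename of the link used */
    if (strcmp(name, "chfn") == 0) return -1;  /* chfn is disabled outright */
    out[n++] = "passwd";
    if (strcmp(name, "chsh") == 0) out[n++] = "-s";
    for (i = 1; i < argc; i++) {
        if (!arg_allowed(argv[i]) || n >= cap - 1) return -1;
        out[n++] = argv[i];
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    char *args[MAX_ARGS], *envp[] = { "PATH=/usr/bin:/bin", NULL };
    if (build_argv(argc, argv, args, MAX_ARGS) < 0) {
        fputs("Sorry, finger information changes are not permitted.\n", stderr);
        return 1;
    }
    execve(REAL_PASSWD, args, envp);           /* no shell, fixed environment */
    perror(REAL_PASSWD);                       /* reached only if exec failed */
    return 1;
}
```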