Subject: Re: problem with login.conf and su
To: None <netbsd-users@netbsd.org>
From: Christos Zoulas <christos@tac.gw.com>
List: netbsd-users
Date: 05/07/2005 14:01:01
In article <200505071318.57999.mailinglists@vanscherpenseel.nl>,
Vincent van Scherpenseel  <mailinglists@vanscherpenseel.nl> wrote:
>On Saturday 07 May 2005 13:11, Wojciech Puchar wrote:
>> >> but su - <any account in guest class> does work while it shouldn't
>> >>
>> >> su(1) manual looks like su should respect it.
>> >>
>> >> where is the problem?
>> >
>> > I don't know, but what about creating a wheel group and only adding users
>> > who are allowed to do a su to that list?
>>
>> see this please:
>>
>> wojtek@hel$ id
>> uid=1064(wojtek) gid=100(users) groups=100(users)
>> wojtek@hel$ su - guest01
>> guest01@hel$ id
>> uid=1095(guest01) gid=31(guest) groups=31(guest)
>>
>>
>> in /etc/master.passwd:
>>
>> guest01::1095:31:guest:0:0::/home/guest/guest01:/bin/ksh
>>
>> in login.conf:
>>
>> admin|root:memoryuse=2000M:datasize=2000M:maxproc=3000:coredumpsize=0
>> guest|Goscie do X terminali:nologin=/etc/xterm.txt
>> default|default:memoryuse=128M:datasize=64M:maxproc=20:coredumpsize=0
>>
>>
>> and this:
>>
>> wojtek@chylonia$ telnet hel.org.pl
>> Trying 2001:4070:101:1:200:eff:fed9:8d5d...
>> Connected to hel.org.pl.
>> Escape character is '^]'.
>>
>> NetBSD/i386 (hel.org.pl) (ttyp1)
>>
>> login: guest01
>> To konto jest wylacznie do uzytku z ogolnodostepnych terminali
>> graficznych.
>>
>>
>> so with telnet it's OK. same with console login and ssh but NOT su.
>>
>> any idea?
>
>How about setting the default shell for guests in /etc/passwd to /bin/false?

While there are many ways to achieve the intended goal, the behavior described
above is definitely a bug. Wojtek, please open a PR.

christos
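
Added example, not part of the original thread: a Python audit that cross-checks master.passwd against login.conf and lists accounts whose class sets nologin but which still have a usable shell, so they are blocked only where the entry path honors nologin (in this report, su did not). The parser does not resolve tc=; the non-login shell list, treating an empty class as "default", and the guest02 and wojtek records are assumptions of this example.

```python
# Added example: find accounts whose only login barrier is a login.conf
# "nologin" capability. Input formats: master.passwd(5) and login.conf(5).

# Assumed list of shells that refuse interactive use.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/bin/false", "/usr/bin/false"}

def parse_login_conf(text):
    """Return {class name or alias: {capability: value}}; tc= is not resolved."""
    classes = {}
    for line in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, *fields = line.split(":")
        caps = {}
        for field in (f.strip() for f in fields):
            if field:
                key, _, value = field.partition("=")
                caps[key] = value or True  # bare capability is a boolean
        for name in names.split("|"):
            classes[name] = caps
    return classes

def audit(master_passwd, login_conf):
    """List accounts in a nologin class that still have a usable shell."""
    classes = parse_login_conf(login_conf)
    findings = []
    for line in master_passwd.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 10 or line.startswith("#"):
            continue  # skip comments and malformed records
        user, pw, klass, shell = fields[0], fields[1], fields[4], fields[9]
        caps = classes.get(klass or "default", {})  # assumption: empty class = default
        if "nologin" in caps and shell not in NON_LOGIN_SHELLS:
            findings.append({"user": user, "class": klass, "shell": shell,
                             "nologin": caps["nologin"], "empty_password": pw == ""})
    return findings

# login.conf entries as quoted in the thread.
SAMPLE_CONF = """\
admin|root:memoryuse=2000M:datasize=2000M:maxproc=3000:coredumpsize=0
guest|Goscie do X terminali:nologin=/etc/xterm.txt
default|default:memoryuse=128M:datasize=64M:maxproc=20:coredumpsize=0
"""
# First record is from the thread; the other two are constructed for contrast.
SAMPLE_PASSWD = """\
guest01::1095:31:guest:0:0::/home/guest/guest01:/bin/ksh
guest02:*:1096:31:guest:0:0::/home/guest/guest02:/sbin/nologin
wojtek:*:1064:100::0:0::/home/wojtek:/bin/ksh
"""
```

Each finding with `empty_password` set to true is an account that any local user can switch to without a password if su ignores the class restriction.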