Subject: Re: problem with login.conf and su
To: Wojciech Puchar <wojtek@tensor.3miasto.net>
From: Vincent van Scherpenseel <mailinglists@vanscherpenseel.nl>
List: netbsd-users
Date: 05/07/2005 13:18:57

On Saturday 07 May 2005 13:11, Wojciech Puchar wrote:
> >> but su - <any account in guest class> does work while it shouldn't
> >>
> >> su(1) manual looks like su should respect it.
> >>
> >> where is a problem?
> >
> > I don't know, but what about creating a wheel group and only adding users
> > who are allowed to do a su to that list?
>
> see this please:
>
> wojtek@hel$ id
> uid=1064(wojtek) gid=100(users) groups=100(users)
> wojtek@hel$ su - guest01
> guest01@hel$ id
> uid=1095(guest01) gid=31(guest) groups=31(guest)
>
>
> in /etc/master.passwd:
>
> guest01::1095:31:guest:0:0::/home/guest/guest01:/bin/ksh
>
> in login.conf:
>
> admin|root:memoryuse=2000M:datasize=2000M:maxproc=3000:coredumpsize=0
> guest|Goscie do X terminali:nologin=/etc/xterm.txt
> default|default:memoryuse=128M:datasize=64M:maxproc=20:coredumpsize=0
>
>
> and this:
>
> wojtek@chylonia$ telnet hel.org.pl
> Trying 2001:4070:101:1:200:eff:fed9:8d5d...
> Connected to hel.org.pl.
> Escape character is '^]'.
>
> NetBSD/i386 (hel.org.pl) (ttyp1)
>
> login: guest01
> To konto jest wylacznie do uzytku z ogolnodostepnych terminali
> graficznych.
>
>
> so with telnet it's OK. same with console login and ssh but NOT su.
>
> any idea?

How about setting the default shell for guests in /etc/passwd to /bin/false?

 - Vincent van Scherpenseel
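
The check below is an added example, not part of the original thread. It lists accounts whose login class sets nologin while the account still has a real shell, that is, accounts relying on nologin alone, which the session quoted above shows su not enforcing. The guest02 and wojtek entries, the placeholder hash and the set of non-login shells are assumptions constructed for the example.

```python
# Added example: audit master.passwd against login.conf for accounts that
# depend only on the class-level "nologin" capability.
# guest01 and the login.conf lines are copied from the thread; guest02,
# wojtek and the hash string are constructed sample data.
MASTER_PASSWD = """\
guest01::1095:31:guest:0:0::/home/guest/guest01:/bin/ksh
guest02:*:1096:31:guest:0:0::/home/guest/guest02:/bin/false
wojtek:$2a$04$placeholderhash:1064:100::0:0::/home/wojtek:/bin/ksh
"""
LOGIN_CONF = """\
admin|root:memoryuse=2000M:datasize=2000M:maxproc=3000:coredumpsize=0
guest|Goscie do X terminali:nologin=/etc/xterm.txt
default|default:memoryuse=128M:datasize=64M:maxproc=20:coredumpsize=0
"""
# Assumption: shells treated as "cannot be used interactively".
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin"}

def parse_login_conf(text):
    """Return {class_name: {capability: value_or_True}}."""
    classes = {}
    text = text.replace("\\\n", "")          # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        caps = {}
        for field in fields[1:]:
            field = field.strip()
            if field:
                key, sep, value = field.partition("=")
                caps[key] = value if sep else True
        for name in fields[0].split("|"):    # aliases share one capability set
            classes[name] = caps
    return classes

def audit(passwd_text, conf_text):
    """Return (user, class, empty_password) for nologin-class accounts
    that still have a usable shell."""
    classes = parse_login_conf(conf_text)
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 10:                      # master.passwd has 10 fields
            continue
        user, password, login_class, shell = f[0], f[1], f[4] or "default", f[9]
        if "nologin" in classes.get(login_class, {}) and shell not in NON_LOGIN_SHELLS:
            findings.append((user, login_class, password == ""))
    return findings

if __name__ == "__main__":
    for user, cls, empty in audit(MASTER_PASSWD, LOGIN_CONF):
        print(f"{user}: class {cls} has nologin, shell usable, empty password: {empty}")
```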