shahryar@sfsuvax1.SFSU.EDU (Persian Nightmare) (03/30/91)
Dear all,

In chfn, could I turn off the ability to change the REAL name unless done
by a superuser?? How is it possible??

Thanks,
Shahryar
--
'How weary, stale, flat, and unprofitable
Seem to me all the uses of this world!
Fie on't, ah fie, fie! 'Tis an unweeded garden
That grows to seed; things rank and gross in nature
Possess it merely.'
Hamlet--Act I--scene ii
teexand@ioe.lon.ac.uk (Andrew Dawson) (04/04/91)
In <SHAHRYAR.91Mar29123159@sfsuvax1.sfsu.edu> shahryar@sfsuvax1.SFSU.EDU (Persian Nightmare) writes:

>In chfn, could I turn off the ability to change the REAL name unless done
>by a superuser?? How is it possible??

This may be a bit difficult without source code changes. You might be able to
disable the chfn command entirely just by changing its permissions. Note,
however, on some systems that chfn, chsh and passwd are all links to the same
binary, so a user might still be able to use passwd -f if you disable chfn.

--
Andrew Dawson, Computer Centre, University College London, Gower Street,
London WC1E 6BT, England.
JANET: ccaaand@uk.ac.ucl EARN/BITNET: ccaaand@ucl.ac.uk
INTERNET: ccaaand%ucl.ac.uk@nsfnet-relay.ac.uk UUCP: ...!ukc!ucl.ac.uk!ccaaand
jik@athena.mit.edu (Jonathan I. Kamens) (04/04/91)
In article <SHAHRYAR.91Mar29123159@sfsuvax1.sfsu.edu>, shahryar@sfsuvax1.SFSU.EDU (Persian Nightmare) writes:

|> In chfn, could I turn off the ability to change the REAL name unless done
|> by a superuser?? How is it possible??

Get the sources to a version of passwd/chfn/chsh and recompile it after
modifying it to restrict as you want.

There are several versions floating around the net. There's probably also
code in /bsd-sources on ftp.uu.net, or on many other sites. You might also
want to check out /pub/npasswd or /pub/mnt/source/ut/npasswd (both
directories) on emx.utexas.edu. I found those using archie.

If you're on a SysV type system, you might be able to use the chfn in the
comp.sources.unix archives.

--
Jonathan Kamens
MIT Project Athena
jik@Athena.MIT.EDU
Office: 617-253-8085
USnail: 11 Ashford Terrace, Allston, MA 02134
Home: 617-782-0710
navarra@casbah.acns.nwu.edu (John Navarra) (04/04/91)
In article <1991Apr3.161841.26270@ioe.lon.ac.uk> andrew@uxm.sm.ucl.ac.uk writes:

>In <SHAHRYAR.91Mar29123159@sfsuvax1.sfsu.edu> shahryar@sfsuvax1.SFSU.EDU (Persian Nightmare) writes:
>
>>In chfn, could I turn off the ability to change the REAL name unless done
>>by a superuser?? How is it possible??
>
>This may be a bit difficult without source code changes. You might be able to
>disable the chfn command entirely just by changing its permissions. Note,
>however, on some systems that chfn, chsh and passwd are all links to the same
>binary, so a user might still be able to use passwd -f if you disable chfn.

Funny that I am seeing this subject cropping up everywhere. For some
reason people don't like bogus fullnames. Well first off if you want to
completely rid yourself of this fullname option you are going to have to do
more than change the perms on chfn. As it has been pointed out, there is the
esoteric passwd -f option. So the first thing you have to do is edit the
passwd.c file (if you don't have it, I know it is ftpable from somewhere.)
and take out the -f option -- since you can't disable passwd! BUT even that
is not enough. Some of the more ingenious users might figure this one out:

    ln -s /bin/chsh ~/chfn !!!!!!

Now you can execute chfn from your own directory and change your fullname!
So, you are going to have to change some perms on chsh too! Now our sysadmin
fixed passwd.c but not chsh (but is it worth all this trouble? Only a few
users on the system are going to know about this anyway.)

>
>--
>Andrew Dawson, Computer Centre, University College London, Gower Street,
>London WC1E 6BT, England.
>JANET: ccaaand@uk.ac.ucl EARN/BITNET: ccaaand@ucl.ac.uk
>INTERNET: ccaaand%ucl.ac.uk@nsfnet-relay.ac.uk UUCP: ...!ukc!ucl.ac.uk!ccaaand

--
From the Lab of the MaD ScIenTiST:
navarra@casbah.acns.nwu.edu
rickert@mp.cs.niu.edu (Neil Rickert) (04/04/91)
In article <1991Apr4.110459.26216@casbah.acns.nwu.edu> navarra@casbah.acns.nwu.edu (John Navarra) writes:

>
> Funny that I am seeing this subject cropping up everywhere. For some
> reason people don't like bogus fullnames. Well first off if you want to
> completely rid yourself of this fullname option you are going to have to do
> more than change the perms on chfn. As it has been pointed out, there is the
> esoteric passwd -f option. So the first thing you have to do is edit the

You are making it sound far too complex. All you need is a relatively simple
program which does some simple parameter checking, then does an execv() to
the real 'chfn' and company. Next move the real binary to a different
directory, turn off its suid bit, move the replacement in place and make it
suid root. (You could probably make do with an suid perl script). That way
only root can execute the real 'chfn' without first going through the front
end.

I suspect that the amount of abusive use is still too small to justify doing
even this. The cost is not the programming, but the extra work it imposes on
administrators when a 'chfn' is appropriate.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940
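The front end described in the last post, sketched in C as an added example; it is not code from any poster in this thread. The directory REAL_DIR and the function names are assumptions, and it assumes, as the thread says, that the shared binary selects chfn behaviour from its invocation name or from passwd -f.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: the real binary (suid bit cleared) and its links live here. */
#define REAL_DIR "/usr/local/lib/realbin"

/* Last path component of argv[0]; the shared binary picks its mode from it. */
static const char *base_name(const char *p) {
    const char *s = strrchr(p, '/');
    return s ? s + 1 : p;
}

/* 1 if this invocation would edit the full name: run as "chfn" (by any
 * path, including a user-made link), or as "passwd" with a -f option. */
int wants_fullname_change(int argc, char *const argv[]) {
    const char *name = base_name(argv[0]);
    if (strcmp(name, "chfn") == 0) return 1;
    if (strcmp(name, "passwd") != 0) return 0;
    for (int i = 1; i < argc; i++)
        if (argv[i][0] == '-' && strchr(argv[i], 'f')) return 1;
    return 0;
}

/* Policy from the thread: only the superuser may change a full name. */
int permitted(uid_t ruid, int argc, char *const argv[]) {
    return ruid == 0 || !wants_fullname_change(argc, argv);
}

int main(int argc, char *argv[]) {
    static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };
    char real[256];
    if (argc < 1) return 1;
    const char *name = base_name(argv[0]);
    /* Refuse any invocation name other than the three known links. */
    if (strcmp(name, "passwd") && strcmp(name, "chfn") && strcmp(name, "chsh"))
        return 1;
    if (!permitted(getuid(), argc, argv)) {
        fprintf(stderr, "%s: only root may change the full name\n", name);
        return 1;
    }
    snprintf(real, sizeof real, "%s/%s", REAL_DIR, name);
    execve(real, argv, clean_env);  /* same argv, so the same mode is selected */
    perror(real);
    return 127;
}
```

The check uses the real uid from getuid(), since the effective uid is root for every caller of a suid-root front end.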