ShellsAsAccessControl

By admin
Once upon a time,

one
CARDINAL

of the ways that system administrators controlled who could log in to what server was by assigning special administrative shells to logins, either on a particular system or across your entire server fleet.

Today
DATE

, special shells (mostly) aren’t an effective mechanism for this any more, so modern Unix people may not have much exposure to this idea. However, vestiges of this live on in typical Unix configurations, in the form of /sbin/nologin (sometimes in /usr/sbin) and how many system accounts have this set as their shell in /etc/passwd.

The normal thing for /sbin/nologin to do when run is to print something like ‘This account is currently not available.’ and exit with status

1
CARDINAL

(in a surprising bit of cross-Unix agreement, all of

Linux
PRODUCT

,

FreeBSD
PERSON

, and OpenBSD nologin appear to print exactly the same message). By making this the shell of some account, anything that executes an account’s shell as part of accessing it will fail, so login (locally or over

SSH
ORG

) and a normal su will both fail. Typical versions of su usually have special features to keep you from overriding this by supplying your own shell (often involving /etc/shells , or deliberately running the /etc/passwd shell for the user). Otherwise, there is nothing that prevents processes from running under the login’s UID, and in fact it’s extremely common for such system accounts to be running various processes.

Unix system administrators have long used this basic idea for their own purposes, creating their own fleet of administrative shells to, for example, tell you that a machine was only accessible by staff. You would then arrange for all non-staff logins on the machine to have that shell as their login shell (there might be such logins if, for example, the machine is a NFS fileserver). Taking the idea

one
CARDINAL

step further, you might suspend accounts before deleting them by changing the account’s shell to an administrative shell that printed out ‘your account is suspended and will be deleted soon, contact <X> if you think this is a terrible mistake’ and then exited. In an era when everyone accessed your services by logging in to your machines through

SSH
ORG

(or earlier,

rlogin
ORG

and telnet), this was an effective way of getting someone’s attention and a reasonably effective way of denying them access (although even back then, the details could be complex).

(Our process for disabling accounts gives such accounts a special shell, but it’s mostly as a marker for us for reasons covered in that entry.)

You could also use administrative shells to enforce special actions when people logged in. For example, newly created logins might be given a special shell that would make them agree to your usage policies, force them to change their password, and then through magic change their shell to a regular shell. Some of this could be done through existing system features (sometimes there was a way to mark a passwd entry so that it forced an immediate password change), but generally not all of it. Again, this worked well when you could count on people starting using your systems by logging in at the Unix level (which generally is no longer true).

Sensible system administrators didn’t try to use administrative shells to restrict what people could do on a machine, because historically such ‘restricted shells’ had not been very successful at being restrictive. Either you let someone have access or you didn’t, and any ‘restriction’ was generally temporary (such as forcing people to do

one
CARDINAL

time actions on their

first
ORDINAL

login). Used this way, administrative shells worked well enough that many old Unix environments accumulated a bunch of local ones, customized to print various different messages for various purposes.


PS
ORG

:

One
CARDINAL

trick you could do with some sorts of administrative shells was make them trigger alarms when run. If some people were not really supposed to even try to log in to some machine, you might want to know if someone tried.

One
CARDINAL

reason this is potentially an interesting signal is that anyone who gets as far as running a login shell definitely knows the account’s password (or otherwise can pass your local Unix authentication).

(These days I believe this would be considered a form of ‘canary token’.)