On Sat, Apr 25, 2009 at 5:48 PM, Aaron Martinez <m...@proficuous.com> wrote:
>> So:
>> 1) what does the /etc/passwd entry for one of these users look like?
>
> lgf:*:1010:10000::/home/ght:/usr/local/bbox/bin/login_script

Are there any other passwd entries with that uid? What's the output of
ls -l /usr/local/bbox/bin/login_script

>> 2) when you say "they get a standard shell", what *EXACTLY* do you mean?
>> (If you mean "they get a /bin/sh prompt and it runs their
>> .profile", then please say that)
>
> when logging in as user ght
> $ env
> _=/usr/bin/env
> SSH_CONNECTION=192.168.7.128 39782 192.168.7.254 22
> PATH=/home/lgf/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
> SHELL=/usr/local/bin/login_script
> USER=lgf
> MAIL=/var/mail/ght
> HOME=/home/ght
> SSH_CLIENT=192.168.7.128 39782 22
> TERM=xterm
> SSH_TTY=/dev/ttyp0
> LOGNAME=ght
>
> $ lss
> ksh: lss: not found
>
> (looks like i'm getting ksh as my shell)

It's interesting how it mixes USER=lgf with LOGNAME=ght. sshd (and login) set those to the same value, so it would seem user lgf's .profile or similar is being parsed along the way. I wonder what the 'id' command would show at that point: ght, lgf, or something completely different?

I guess my next step would be to use ktrace -i on a virtual console 'getty' process, log in and out on that console to reproduce it, then stop the ktrace and examine the output of kdump to see what's actually being invoked, when, and by what. Follow the fork() and execve() calls.

Good luck!

Philip Guenther
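
The duplicate-uid question raised in the message above can be answered mechanically; the following is an added example, not part of the original message. The function name `shared_uids` and the sample data are assumptions: only the `lgf` line is taken from the thread, the other entries (including a second uid 1010 account) are constructed to show what a collision looks like.

```shell
#!/bin/sh
# Added example: list every uid that appears on more than one line of a
# passwd(5)-format file, together with the login names and shells involved.
# Two names sharing one uid means uid-based lookups may resolve to either
# entry, so the shell or name seen after login can differ from the one typed.

# Constructed sample input. Only the lgf entry is quoted from the thread;
# the ght, root and www entries are hypothetical.
sample_passwd() {
cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
ght:*:1010:10000::/home/ght:/bin/ksh
lgf:*:1010:10000::/home/ght:/usr/local/bbox/bin/login_script
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
EOF
}

# Reads passwd-format text on stdin and prints one line per shared uid:
#   uid=<n> names=<a,b,...> shells=<s1,s2,...>
# Names and shells are listed in file order so they pair up positionally.
shared_uids() {
    awk -F: '
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        {
            count[$3]++
            sep = (count[$3] > 1) ? "," : ""
            names[$3]  = names[$3]  sep $1
            shells[$3] = shells[$3] sep $7
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    printf "uid=%s names=%s shells=%s\n", u, names[u], shells[u]
        }
    ' | sort
}

# Demonstration on the constructed sample.
sample_passwd | shared_uids
```

On a live system the same function can be fed the real file with `shared_uids < /etc/passwd`.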