On Sat, Apr 25, 2009 at 06:14:39PM -0700, Philip Guenther wrote:

> On Sat, Apr 25, 2009 at 5:48 PM, Aaron Martinez <m...@proficuous.com> wrote:
> >> So:
> >> 1) what does the /etc/passwd entry for one of these users look like?
> >
> > lgf:*:1010:10000::/home/ght:/usr/local/bbox/bin/login_script
>
> Are there any other passwd entries with that uid?
> What's the output of
>     ls -l /usr/local/bbox/bin/login_script

How did you edit the passwd file? With vipw or just vi? If you used just vi,
the changes would not be put in the various databases.

-Otto

> >
> >> 2) when you say "they get a standard shell", what *EXACTLY* do you mean?
> >> (If you mean "they get a /bin/sh prompt and it runs their
> >> .profile", then please say that)
> >
> > When logging in as user ght
> > $ env
> > _=/usr/bin/env
> > SSH_CONNECTION=192.168.7.128 39782 192.168.7.254 22
> > PATH=/home/lgf/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
> > SHELL=/usr/local/bin/login_script
> > USER=lgf
> > MAIL=/var/mail/ght
> > HOME=/home/ght
> > SSH_CLIENT=192.168.7.128 39782 22
> > TERM=xterm
> > SSH_TTY=/dev/ttyp0
> > LOGNAME=ght
> >
> > $ lss
> > ksh: lss: not found
> >
> > (looks like I'm getting ksh as my shell)
>
> It's interesting how it mixes USER=lgf with LOGNAME=ght. sshd (and
> login) set those to the same value, so it would seem user lgf's
> .profile or similar is being parsed along the way. I wonder what the
> 'id' command would show at that point: ght, lgf, or something
> completely different?
>
> I guess my next step would be to use ktrace -i on a virtual console
> 'getty' process, log in and out on that console to reproduce it, then
> stop the ktrace and examine the output of kdump to see what's actually
> being invoked, when, and by what. Follow the fork() and execve()
> calls.
>
> Good luck!
>
>
> Philip Guenther
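
The two checks asked for in the thread (other passwd entries sharing the UID, and the state of the login shell file), as an added shell example that is not part of the original messages. It assumes the seven-field /etc/passwd format; the `ght` entry and its UID in the sample are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit a seven-field passwd(5) file.

# dup_uids FILE: print "uid name1,name2,..." for every UID used more than once.
dup_uids() {
    awk -F: '
        /^#/ || NF < 7 { next }
        {
            if ($3 in names) names[$3] = names[$3] "," $1
            else names[$3] = $1
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u, names[u] }
    ' "$1" | sort -n
}

# bad_shells FILE: print "name shell" when the shell is not an executable file.
bad_shells() {
    awk -F: '!/^#/ && NF >= 7 && $7 != "" { print $1, $7 }' "$1" |
    while read -r name shell; do
        [ -f "$shell" ] && [ -x "$shell" ] || printf '%s %s\n' "$name" "$shell"
    done
}

# write_sample FILE: constructed sample. The lgf line is the entry quoted in
# the thread; the ght line (and its UID) is an assumption for illustration.
write_sample() {
    cat > "$1" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
ght:*:1010:10000::/home/ght:/bin/sh
lgf:*:1010:10000::/home/ght:/usr/local/bbox/bin/login_script
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Shared UIDs:";     dup_uids "$sample"
echo "Unusable shells:"; bad_shells "$sample"
rm -f "$sample"
```

On a real host, point both functions at /etc/passwd.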