11.5. Disabling a user temporarily
It is sometimes necessary to temporarily disable an
account, without removing it. For example, the user might not
have paid his fees, or the system administrator may suspect that
a cracker has got the password of that account.
The best way to disable an account is to change its shell
into a special program that just prints a message. This way,
whoever tries to log into the account, will fail, and will
know why. The message can tell the user to contact the system
administrator so that any problems may be dealt with.
It would also be possible to change the username
or password to something else, but then the user
won't know what is going on. Confused users mean more
work.
A simple way to create the special programs is to write
`tail scripts':
#!/usr/bin/tail +2
This account has been closed due to a security breach.
Please call 555-1234 and wait for the men in black to arrive. |
The first two characters (`
#!') tell the
kernel that the rest of the line is a command that needs to be
run to interpret this file. The
tail command
in this case outputs everything except the first line to the
standard output.
If user billg is suspected of a security breach,
the system administrator would do something like this:
# chsh -s
/usr/local/lib/no-login/security billg
# su - tester
This account has been closed due to a security breach.
Please call 555-1234 and wait for the men in black to arrive.
# |
The purpose of the
su is to test that the
change worked, of course.
Tail scripts should be kept in a separate directory,
so that their names don't interfere with normal user commands.