home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam    

UNIX Power Tools

UNIX Power ToolsSearch this book
Previous: 2.15 Unclutter Logins: Show Login Messages Just Once Chapter 2
Logging In
Next: 3. Logging Out
 

2.16 Approved Shells: Using Unapproved Login Shell

Since 4.2BSD, Berkeley UNIX systems have restricted chsh (or a command like it) to change your login shell only to a shell that's listed in the file /etc/shells . That's partly a safety feature, like requiring you to type your old password before you can change to a new one: it keeps other people from giving you a strange login shell as a joke. It's also for security - a way for the system administrator to give a list of shells that are robust enough to run peoples' accounts.

The usual "approved" shells are the Bourne and C shells. If you want to use another shell as your login shell and your system has /etc/shells , ask the system administrator to add your shell. The shell will need to be stored in a secure system directory to make it harder for system crackers to corrupt the shell.

If the system administrator won't approve your login shell, here's a work-around. It lets you log in with an approved shell, then automatically replace the shell with whatever you want. (For background, see article 51.9 .)

  1. If your login shell isn't C shell, use chsh or a command like it to change it to the C shell.

  2. If your new shell will be bash , you can skip this step. Otherwise:

    In your home directory, make a hard or symbolic link ( 18.4 ) directory, to your shell. Use a name starting with a minus sign ( - ); this makes the shell act like a login shell ( 51.9 ) . For example, to make a symbolic link in your home directory named -ksh to the shell /usr/local/bin/ksh , type this command:

    
    
    ./
     
    
    % 
    
    ln -s /usr/local/bin/ksh ./-ksh
    
    

  3. Add lines to the top of the .cshrc ( 2.2 ) file that replace the csh process with your login shell. (The exec ( 45.7 ) command replaces a process.)

    • If you use a Bourne-type shell that reads the .profile file at login time, use lines like these:

      
      
      
      TERM
       
      
      su
       
      
      if
       
      $?
       
      
      
      
      
      
      
      # OVERRIDE DEFAULT LOGIN C SHELL TO USE ksh.
      setenv SHELL /usr/local/bin/ksh
      # IF $TERM SET (BY login OR rlogin), START LOGIN SHELL.
      # UNFORTUNATELY, THIS MAKES su USE A LOGIN SHELL TOO.
      if ($?TERM) then
         cd
         exec -ksh   # USE "LOGIN SHELL" SYMLINK IN $HOME
      else
         exec $SHELL
      endif
      echo "******** WARNING: exec ksh FAILED ********"

      If your new login shell will be bash , you can replace the line exec -ksh above with:

      exec $SHELL -login

      because bash has a -login option that tells it to act like a login shell. Simple, eh?

    • If your new login shell is a csh -type shell that also reads .cshrc , you need to add a test to .cshrc that prevents an infinite loop. This test uses the SH_EXECD environment variable ( 6.1 ) as a flag:

      # OVERRIDE DEFAULT LOGIN C SHELL TO USE tcsh.
      if (! $?SH_EXECD) then
         setenv SH_EXECD yes
         setenv SHELL /usr/local/bin/tcsh
         # IF $TERM SET (BY login OR rlogin), START LOGIN SHELL.
         # USE switch, NOT if, DUE TO csh BUG WITH IMBEDDED else.
         # UNFORTUNATELY, THIS MAKES su USE A LOGIN SHELL TOO.
         switch ($?TERM)
         case 1:
            cd 
            exec -tcsh    # USE "LOGIN SHELL" SYMLINK IN $HOME
            breaksw
         default:
            exec $SHELL   # USE NON-LOGIN SHELL
            breaksw
         endsw
         echo "******** WARNING: exec tcsh FAILED ********"
      endif

    • The C shell may not find your new shell ( -ksh or -tcsh ) unless you have the current directory ( . ) in your search path ( 8.7 ) (put it at the end of your path!). You may also be able to use an absolute pathname ( 14.2 ) to the new shell, but that could hide the leading minus sign ( - ) and the shell might not act like a login shell.

    • Is there a chance that your new shell might be missing some day? For instance, is it on a network filesystem that might be unavailable? Then it's a good idea to wrap the new code above with a test:

      
      
      -e
       
      
      
      
      
      if (-e 
      
      my-new-shell
      
      ) then
          
      ...code to start new shell...
      
      else
          echo "*** WARNING: new shell failed.  Using csh. ***"
      endif

  4. Test your new setup:

    • Try commands that start subshells ( 38.4 ) , like su , rsh , and so on ( 2.7 ) , to be sure that they start your new shell.

    • Put the csh command set echo ( 8.17 ) at the top of your .cshrc file to be sure your commands there are working.

    • Type a command that will work only in your new shell (not in a C shell).

    • Use the ps ( 38.5 ) command ps   $$ (on System V, ps   -f   -p   $$ ) to look at your new shell process ( $$ is your shell's process ID number ( 38.3 ) ).

    • Before you log out of this shell, try logging in from somewhere else ( 2.4 ) to be sure your new shell startup files work.

  5. You're set to go.

If your login shell isn't listed in /etc/shells , the ftp ( 52.7 ) program (actually, the ftpd daemon ( 1.14 ) ) may refuse to transfer files to your account. That's partly to stop ftp access to your system through special accounts that don't have passwords, like sync , who , finger , and so on. If you use the workaround steps above, though, that shouldn't be a problem; you'll have an approved shell listed in /etc/passwd and ftp usually doesn't run your login shell, anyway.

- JP


Previous: 2.15 Unclutter Logins: Show Login Messages Just Once UNIX Power Tools Next: 3. Logging Out
2.15 Unclutter Logins: Show Login Messages Just Once Book Index 3. Logging Out

The UNIX CD Bookshelf Navigation The UNIX CD BookshelfUNIX Power ToolsUNIX in a NutshellLearning the vi Editorsed & awkLearning the Korn ShellLearning the UNIX Operating System










??????????????@Mail.ru