Examples LOGINAPPL

Example: The following procedure permits only an anonymous user to use the ftp application:
  1. Change the ftp default access to none with the following selang command:
    cr LOGINAPPL FTP defaccess(NONE) owner(nobody)
  2. Permit the user anonymous to use ftp with the following selang command:
    auth LOGINAPPL FTP uid(anonymous) access(X)
To restrict users in the group named account to using only telnet:
  1. Block the use of rlogin and rsh with the following selang command:
    auth LOGINAPPL(RLOGIN RSH) gid(account) access(N)
  2. Permit the group that is named account to use telnet with the following selang command:
    auth LOGINAPPL TELNET gid(account) acc(X)
The previous example shows RLOGIN and RSH restrictions, but other login programs should be included as well.
Whenever you add or use a new login program, you must add a LOGINAPPL record.
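The gap that the two preceding sentences warn about can be checked with a small model. The following Python sketch is an added example, not part of the product or its documentation; the precedence order (uid entry, then gid entries, then default access), the default access of X on records where the page sets none, and the record name NEWLOGIN are assumptions made for illustration.

```python
# Simplified model of LOGINAPPL records (an assumption, not the product's code).
# Access values as used on the page: "X" = may use the program, "N"/"NONE" = may not.
from dataclasses import dataclass, field

DENY = {"N", "NONE"}


@dataclass
class LoginAppl:
    name: str
    defaccess: str = "X"  # constructed default for records the page does not set
    uid_acl: dict = field(default_factory=dict)
    gid_acl: dict = field(default_factory=dict)


def allowed(rec, user, groups):
    """Assumed precedence: explicit uid entry, then gid entries, then defaccess."""
    if user in rec.uid_acl:
        return rec.uid_acl[user] not in DENY
    hits = [rec.gid_acl[g] for g in groups if g in rec.gid_acl]
    if hits:
        # Assumption: a denying group entry wins over a permitting one.
        return all(a not in DENY for a in hits)
    return rec.defaccess not in DENY


def open_programs(records, user, groups):
    """Return the login programs this user can still use, sorted by name."""
    return sorted(r.name for r in records if allowed(r, user, groups))


def sample_records():
    """Records mirroring the selang commands on this page, plus one placeholder."""
    return [
        LoginAppl("FTP", defaccess="NONE", uid_acl={"anonymous": "X"}),
        LoginAppl("RLOGIN", gid_acl={"account": "N"}),
        LoginAppl("RSH", gid_acl={"account": "N"}),
        LoginAppl("TELNET", gid_acl={"account": "X"}),
        LoginAppl("NEWLOGIN"),  # hypothetical login program added later, no ACL yet
    ]


if __name__ == "__main__":
    recs = sample_records()
    # "alice" is a constructed member of the group named account.
    print(open_programs(recs, "alice", ["account"]))
```

Any name other than TELNET in the result for a member of the group named account marks a login program that still needs its own auth rule.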
The login interception sequence always starts with setgid or setgroup events, which are called triggers. The sequence ends with a setuid event that changes the identity of the user to the real user who logged in.
Login applications issue various system calls, which Privileged Access Manager Server Control uses to monitor login activity. These login sequences are preset for standard login applications. You can see them by studying the Privileged Access Manager Server Control trace file.
For more information about the LOGINAPPL class and setting a sequence, see the selang Reference Guide.