This chapter contains supplementary NetWare® Enhanced Security information for Chapter 3, Creating Login Scripts, of Supervising the Network.
Login scripts are NDS™ (Novell® Directory Services™) object properties associated with NDS container, profile, and user objects. The client LOGIN.EXE program (for DOS, Windows, and OS/2) interprets and executes these scripts on the client component after a user or administrator logs in to the server component.
The server NTCB partition treats these login scripts as arbitrary data stored in the NDS object properties. It enforces the NDS object property policy for accesses to the login scripts, thus controlling who can read and modify login scripts. The server does not, however, interpret the contents of login scripts or determine the adequacy of login scripts.
Because the login script executes on the client and not on the server component, it is the responsibility of the client administrator to define and install login scripts. For more information on defining the login scripts for each specific client component, see your client documentation.
The beginning of Chapter 3, Creating Login Scripts in Supervising the Network describes four types of login scripts used for NDS logins. In addition, there are three types of login scripts used for bindery logins. When used for bindery logins, the NetWare LOGIN.EXE program first runs SYS:\PUBLIC\NET$LOG.DAT, then the user's private login script (stored in SYS:\MAIL\XXXXXXXX\LOGIN, where XXXXXXXX is an eight-character representation of the user's NDS object ID), and finally a built-in login script (if the user does not have his or her own login script).
Users must not delete their own login scripts from SYS:\MAIL\XXXXXXXX, as that presents an opportunity for another user to create a new login script that may invoke malicious software, such as viruses.
WARNING: As a server administrator, you must ensure that your login script executes properly on any workstations that you use for administration of the server. Check to make sure that your login script does not include any commands that are not part of the TCB for the client that you are using.
Further, you must protect your login script and profile properties so that they cannot be modified by nonadministrative users.
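One way to carry out the check in the warning above, as an added example that is not Novell's code: a small Python audit that lists what a login script would run and flags any program not on an allowlist. The allowlist contents, the sample script, and the function names are assumptions; the audit relies on the login script conventions that `#` and `EXIT "..."` run external programs and that `INCLUDE` pulls in another script.

```python
import re

# Assumption: hypothetical allowlist of programs that belong to the client TCB.
# Take the real list from your client documentation.
CLIENT_TCB_PROGRAMS = {"CAPTURE"}

COMMENT = re.compile(r"^(?:REM(?:ARK)?\b|\*|;)", re.IGNORECASE)
IF_PREFIX = re.compile(r"^IF\b.*?\bTHEN\s+", re.IGNORECASE)
EXTERNAL = re.compile(r'^(?:#\s*(\S+)|EXIT\s+"([^"\s]+))', re.IGNORECASE)
INCLUDE = re.compile(r"^INCLUDE\s+(\S+)", re.IGNORECASE)

def program_name(path):
    """Reduce SYS:PUBLIC\\CAPTURE.EXE to CAPTURE for allowlist comparison."""
    base = re.split(r"[\\/:]", path)[-1]
    return base.split(".")[0].upper()

def audit_login_script(text, allowed=CLIENT_TCB_PROGRAMS):
    """Return (line number, kind, name) for each item an administrator must review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or COMMENT.match(line):
            continue
        # A one-line "IF ... THEN command" still runs the command.
        line = IF_PREFIX.sub("", line)
        m = EXTERNAL.match(line)
        if m:
            name = program_name(m.group(1) or m.group(2))
            if name not in allowed:
                findings.append((lineno, "external", name))
            continue
        m = INCLUDE.match(line)
        if m:
            # Included scripts execute too, so each needs its own audit.
            findings.append((lineno, "include", m.group(1)))
    return findings

# Constructed sample login script, not taken from any real server.
SAMPLE = r'''REMARK constructed sample script
MAP F:=SYS:PUBLIC
#CAPTURE Q=ADMIN_Q NB
IF MEMBER OF "ADMINS" THEN #F:\TOOLS\SETUP.EXE /Q
INCLUDE SYS:SHARED\COMMON.TXT
; #IGNORED.EXE
EXIT "MENU.BAT"
'''

if __name__ == "__main__":
    for finding in audit_login_script(SAMPLE):
        print(finding)
```

An empty result means every external program in the script is on the allowlist and no further scripts are included; it says nothing about who is able to modify the script, which the NDS property rights control.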
WARNING: As a server administrator, you are responsible for resolving potential conflicts involving login scripts. For example, there may be multiple client administrators that share a single container login script.