*BSD News Article 10906



Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA905 ; Tue, 09 Feb 93 15:54:33 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!sgiblab!sdd.hp.com!caen!lsa.umich.edu!nosegoblin.css.itd.umich.edu!pauls
From: pauls@css.itd.umich.edu (Paul Southworth)
Newsgroups: comp.unix.bsd
Subject: Re: *Big* security leak for users w/o crypt.
Date: 6 Feb 1993 03:41:30 GMT
Organization: University of Michigan ITD Consulting and Support Services
Lines: 27
Message-ID: <1kvc1aINNfnn@controversy.math.lsa.umich.edu>
References: <CGD.93Feb3180816@eden.CS.Berkeley.EDU> <CGD.93Feb4113117@eden.CS.Berkeley.EDU> <C1zMJ1.J3t@mentor.cc.purdue.edu>
NNTP-Posting-Host: nosegoblin.css.itd.umich.edu

In article <C1zMJ1.J3t@mentor.cc.purdue.edu> rahnds@mentor.cc.purdue.edu (Dale Rahn) writes:
>Isn't it possible to set up all "secure" accounts with invalid shells?
>If the shell is unavailable the login will fail; it is not possible to
>log into those accounts.
>With the default setup most accounts are set with shell /dev/null which
>fails. Some are not set this way (but should be). I do not wish to
>list them for possible security reasons. If these are fixed,
>then it seems that that alone would give a reasonable amount of (outside)
>security from dialups; however these accounts would not be secure from
>people already logged in.


People should correct my inexperience if I'm wrong, but it would seem to
me that a UID that will be used via "su" will be hosed if the shell is
/dev/null.  i.e., if shell for daemon is /dev/null, then when a process tries
to do something like "su daemon /bin/foo" then it will fail because the
shell is no good.  This would be a bad thing.  daemon needs a shell for a
reason.  Just put a password on the account until crypt is installed.
The password protection is ok because when a process does "su daemon" it
is already running SUID 0 and will not be required to enter a password
anyway, whereas a person attempting to enter the system has to know the
password, and you can either have "*" (stupid) or "SDF#@%12" (smart).

Paul Southworth
Computer Systems Consultant I
UM - Ann Arbor
pauls@umich.edu
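The two disabling mechanisms the thread argues over (an un-exec'able shell versus the password field) can be modelled side by side. The script below is an added example written for this archive page, not code from either poster or from 386BSD. It assumes, as the thread's "users w/o crypt" scenario implies, that a system shipped without crypt(3) carries a stub that returns the typed password unchanged; it also assumes a fixed set of exec'able shells (`VALID_SHELLS`), substitutes a hash stand-in (`toy_crypt`) for real DES crypt, and uses constructed passwd entries rather than any real system's file. The `su` model reflects the claim made in the post above (root skips the password prompt but still execs the target's shell).

```python
import hashlib

# Assumed shells that exec(2) would actually run; /dev/null is not among them.
VALID_SHELLS = {"/bin/sh", "/bin/csh"}


def stub_crypt(cleartext, salt):
    """Assumed behaviour of a libc shipped without crypt(3): the stub hands the
    typed password back unchanged, so login's comparison degenerates into
    'typed == stored'. This is the situation the post warns about."""
    return cleartext


def toy_crypt(cleartext, salt):
    """Stand-in for a working one-way crypt(3) (not DES): the stored field can
    never equal a short literal like '*', so such accounts stay locked."""
    return salt + hashlib.sha256((salt + cleartext).encode()).hexdigest()[:11]


# Constructed sample /etc/passwd lines (not copied from any real system).
SAMPLE_PASSWD = "\n".join([
    "daemon:*:1:1:daemon:/:/dev/null",
    "uucp:*:66:66:uucp:/var/spool/uucppublic:/bin/sh",
    "operator:SDF#@%12:2:20:operator:/usr/guest/operator:/bin/csh",
    "alice:" + toy_crypt("secret", "aa") + ":1001:1001:Alice:/home/alice:/bin/sh",
])


def parse_passwd(text):
    """Return {name: {pw, uid, shell}} for the seven-field passwd format."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")
        entries[name] = {"pw": pw, "uid": int(uid), "shell": shell}
    return entries


def password_ok(stored, typed, crypt_fn):
    # login(1) style check: crypt the typed password with the stored salt and
    # compare against the stored field.
    return crypt_fn(typed, stored[:2]) == stored


def login(entries, name, typed, crypt_fn):
    """'ok', or why a dialup login attempt fails, in login's order:
    password check first, then the exec of the account's shell."""
    e = entries.get(name)
    if e is None:
        return "no such user"
    if not password_ok(e["pw"], typed, crypt_fn):
        return "bad password"
    if e["shell"] not in VALID_SHELLS:
        return "shell exec fails"
    return "ok"


def su(entries, name, caller_uid):
    """Model of su(1): a uid-0 caller is not asked for a password, but the
    target account's shell must still exec, so a /dev/null shell breaks it."""
    e = entries.get(name)
    if e is None:
        return "no such user"
    if caller_uid != 0:
        return "password required"
    if e["shell"] not in VALID_SHELLS:
        return "shell exec fails"
    return "ok"


def star_accounts_reachable(entries, crypt_fn):
    """Names an outsider gets into by simply typing '*' at the prompt."""
    return sorted(n for n in entries if login(entries, n, "*", crypt_fn) == "ok")


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("without crypt, '*' opens:", star_accounts_reachable(entries, stub_crypt))
    print("with crypt, '*' opens:   ", star_accounts_reachable(entries, toy_crypt))
    print("root su daemon:", su(entries, "daemon", 0), "| root su uucp:", su(entries, "uucp", 0))
```

Run as-is, it shows the post's point in one screen: under the stub crypt the starred `uucp` account is open to anyone who types `*`, `daemon` is saved only by its `/dev/null` shell, and `operator` (the random-string field) is closed to an outsider; under a working crypt none of the starred accounts opens. The `su` model shows the trade-off the post raises: root can `su` into `uucp` without a password, but `su daemon` fails on the shell.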