Received: by minnie.vk1xwt.ampr.org with NNTP id AA905 ; Tue, 09 Feb 93 15:54:33 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!sgiblab!sdd.hp.com!caen!lsa.umich.edu!nosegoblin.css.itd.umich.edu!pauls
From: pauls@css.itd.umich.edu (Paul Southworth)
Newsgroups: comp.unix.bsd
Subject: Re: *Big* security leak for users w/o crypt.
Date: 6 Feb 1993 03:41:30 GMT
Organization: University of Michigan ITD Consulting and Support Services
Lines: 27
Message-ID: <1kvc1aINNfnn@controversy.math.lsa.umich.edu>
References: <CGD.93Feb3180816@eden.CS.Berkeley.EDU> <CGD.93Feb4113117@eden.CS.Berkeley.EDU> <C1zMJ1.J3t@mentor.cc.purdue.edu>
NNTP-Posting-Host: nosegoblin.css.itd.umich.edu

In article <C1zMJ1.J3t@mentor.cc.purdue.edu> rahnds@mentor.cc.purdue.edu (Dale Rahn) writes:
>Isn't it possible to set up all "secure" accounts with invalid shells?
>If the shell is unavailable the login will fail; it is not possible to
>log into those accounts.
>With the default setup most accounts are set with shell /dev/null, which
>fails. Some are not set this way (but should be). I do not wish to
>list them for possible security reasons. If these are fixed,
>then it seems that alone would give a reasonable amount of (outside)
>security from dialups; however, these accounts would not be secure from
>people already logged in.

People should correct my inexperience if I'm wrong, but it would seem to me that a UID that will be used via "su" will be hosed if the shell is /dev/null. I.e., if the shell for daemon is /dev/null, then when a process tries to do something like "su daemon /bin/foo" it will fail because the shell is no good. This would be a bad thing. daemon needs a shell for a reason. Just put a password on the account until crypt is installed.
The password protection is OK because when a process does "su daemon" it is already running SUID 0 and will not be required to enter a password anyway, whereas a person attempting to enter the system has to know the password, and you can either have "*" (stupid) or "SDF#@%12" (smart).

Paul Southworth
Computer Systems Consultant I
UM - Ann Arbor
pauls@umich.edu
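The two ways of closing an account argued over in this thread (an empty password field versus an unusable shell) can be checked mechanically. The script below is an added example, not code from the original post or from the BSD distribution: it parses passwd(5)-format entries and reports, per account, whether anyone can log in without a password and whether root could still run "su user /bin/foo" given the account's shell. The sample entries and the stand-in list of valid shells (which replaces reading /etc/shells so the script runs offline) are constructed for this example; the hash strings are not real.

```python
"""Audit passwd(5) entries for the two failure modes discussed in the thread.

Added example, not from the original post.  Sample data is constructed and the
VALID_SHELLS set stands in for /etc/shells so that this runs offline.
"""
from dataclasses import dataclass

# Constructed sample in the seven-field passwd(5) format:
# name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:ab8Xo9qlK2mNo:0:0:Charlie Root:/root:/bin/sh
daemon::1:1:The devil himself:/root:/dev/null
operator:*:2:5:System &:/usr/guest/operator:/dev/null
uucp::66:1:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucico
nobody:*:32767:9999:Unprivileged user:/nonexistent:/dev/null
alice:Xy7pQ2rLm4nZa:1001:1001:Alice:/home/alice:/bin/csh
bob::1002:1002:Bob:/home/bob:/bin/sh
"""

# Assumed stand-in for /etc/shells on the audited host.
VALID_SHELLS = frozenset({"/bin/sh", "/bin/csh", "/usr/libexec/uucico"})


@dataclass(frozen=True)
class Finding:
    user: str
    uid: int
    password: str      # "empty", "locked" or "hashed"
    shell_ok: bool     # shell is a program that can actually be run
    login_open: bool   # anyone gets in: no password and a usable shell
    su_usable: bool    # root can "su user cmd": needs a usable shell


def classify_password(field: str) -> str:
    """Empty field = no password at all; '*' or '!' prefix = locked; else a hash."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    return "hashed"


def audit(passwd_text: str, valid_shells=VALID_SHELLS) -> list[Finding]:
    """Parse passwd entries and classify each account."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, uid, _gid, _gecos, _home, shell = fields
        pw_state = classify_password(pw)
        shell_ok = shell in valid_shells
        findings.append(Finding(
            user=user,
            uid=int(uid),
            password=pw_state,
            shell_ok=shell_ok,
            # login(1) accepts the account with no prompt and execs the shell
            login_open=(pw_state == "empty" and shell_ok),
            # su as root skips the password, but still execs the shell
            su_usable=shell_ok,
        ))
    return findings


def open_accounts(passwd_text: str, valid_shells=VALID_SHELLS) -> list[str]:
    """Accounts anyone on a dialup can enter without knowing a password."""
    return [f.user for f in audit(passwd_text, valid_shells) if f.login_open]


def broken_for_su(passwd_text: str, valid_shells=VALID_SHELLS) -> list[str]:
    """Accounts whose shell makes "su user /bin/foo" fail even for root."""
    return [f.user for f in audit(passwd_text, valid_shells) if not f.su_usable]


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD):
        print(f"{f.user:10} uid={f.uid:<6} pw={f.password:7} shell_ok={f.shell_ok!s:5} "
              f"login_open={f.login_open!s:5} su_usable={f.su_usable}")
    print("open to anyone:", open_accounts(SAMPLE_PASSWD))
    print("su will fail for:", broken_for_su(SAMPLE_PASSWD))
```

On the constructed data, uucp and bob are the accounts the thread's subject line is about (empty password, working shell), while daemon, operator and nobody are the ones Paul warns about: locked out of login by the shell, but unusable via su for the same reason. An account with a "*" password and a real shell is the combination that keeps su working while still refusing logins, which is the trade-off the two posters disagree on.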