Re: User?s and Shells

• Previous message: Cameron Simpson: "Re: User?s and Shells"
• Maybe in reply to: Brian Hatch: "Re: User?s and Shells"
• Next in thread: Steven J. Sobol: "Re: User?s and Shells"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
From: Scott Gifford <sgifford@suspectclass.com>
Date: 21 Dec 2002 03:28:42 -0500

Brian Hatch <focus-linux@ifokr.org> writes:

> > I'm wondering why I would want that - until now nobody could give me a
> > good argument although everybody learns to remove the shells :-(
> >
> > * If I give my users a disabled password, they cannot? login via passwd
> > based ssh/ftp/pop3 etc.
>
> Not true. Say you disable the passwd (put "*" in /etc/shadow
> file, for example) but they have already enabled SSH identity
> authentication so they never use actual password authentication.
> You think they can't log in because there's no legal password,
> but SSH lets them in before it gets there.

In the past, many people have had similar issues using the r*
commands. If the user has a shell and ssh or any of the r* commands
are running, you have to protect the user's home directory from
writing just as diligently as you would have to protect their
passwords, and a nonexistent shell in /etc/passwd provides another
layer of protection.

And it's not just a matter of the user creating a .rhosts file before
their password is disabled. Writing to a home directory is one way to
escalate privileges; for example, your news user was:

    news:x:9:13:news:/etc/news:

. If news has write permission in /etc/news, a bug in your newsserver
that provides only the ability to create arbitrary files owned by news
can suddenly be leveraged into a shell on your system if you have ssh
or r* running and news has a real shell.

----ScottG.

• Next message: Small, Jim: "RE: User?s and Shells"
• Previous message: Cameron Simpson: "Re: User?s and Shells"
• Maybe in reply to: Brian Hatch: "Re: User?s and Shells"
• Next in thread: Steven J. Sobol: "Re: User?s and Shells"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: SFTP is not working ... When I try to use sftp or scp2, I get a message like this: ... sftp and scp2 both actually work by running ssh in a subprocess, ... The reason the shell startup files are relevant at all, ... (comp.security.ssh) Re: Did you hack into my UNIX server Bible Bob? ... But that's not a shell question. ... >> OSX users, should I be using ssh instead of telnet for security? ... OSX as a built in firewall tab. ... (comp.unix.shell) Re: using ssh to run remote commands? [ssh -T, scp/ssh flags] ... I use SSH to forward connections between an intranet server at home and my ... To do this, the user on the remote machine need not have a shell, either ... start a shell on the remote host, ... you can have ssh run a command instead of an interactive shell by ... (FreeBSD-Security) Re: UK Shell Provider ... http://templarshells.mine.nu Services include access to linux programs, ... "Access to the Templar Server is via Ssh (Secure Shell). ... (uk.telecom.broadband) Re: [fw-wiz] Best-of-breed Proxies (was Re: Proxy Firewalls ...) ... >> It used a chrooted sshd with private passwd/shadow files in the ... >> chroot jail. ... The login shell for the users in that private passwd ... >> config file to get a destination host, and execed an ssh client to ... (Firewall-Wizards)