Re: User's and Shells

From: Scott Gifford (sgifford@suspectclass.com)
Date: 12/21/02

  • Next message: Small, Jim: "RE: User's and Shells"
    To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
    From: Scott Gifford <sgifford@suspectclass.com>
    Date: 21 Dec 2002 03:28:42 -0500
    
    

    Brian Hatch <focus-linux@ifokr.org> writes:

    > > I'm wondering why I would want that - until now nobody could give me a
    > > good argument although everybody learns to remove the shells :-(
    > >
    > > * If I give my users a disabled password, they cannot login via passwd
    > > based ssh/ftp/pop3 etc.
    >
    > Not true. Say you disable the passwd (put "*" in /etc/shadow
    > file, for example) but they have already enabled SSH identity
    > authentication so they never use actual password authentication.
    > You think they can't log in because there's no legal password,
    > but SSH lets them in before it gets there.

    In the past, many people have had similar issues using the r*
    commands. If the user has a shell and ssh or any of the r* commands
    are running, you have to protect the user's home directory from
    writing just as diligently as you would have to protect their
    passwords, and a nonexistent shell in /etc/passwd provides another
    layer of protection.

    And it's not just a matter of the user creating a .rhosts file before
    their password is disabled. Writing to a home directory is one way to
    escalate privileges; for example, your news user was:

        news:x:9:13:news:/etc/news:

    If news has write permission in /etc/news, a bug in your newsserver
    that provides only the ability to create arbitrary files owned by news
    can suddenly be leveraged into a shell on your system if you have ssh
    or r* running and news has a real shell.

    ----ScottG.
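The gap the post above describes, as an added audit example that is not part of the original message or the list archive: an account whose shadow entry is locked ("*" or "!") is still reachable over ssh key authentication or r* trust if it keeps a real shell and its home directory is writable. The script runs against constructed /etc/passwd and /etc/shadow lines and a constructed `HomeState` stand-in for `stat()` of each home directory (a real audit would call `os.stat` and `os.path.exists`); user names, uids and hashes are invented. One caveat it encodes that the post leaves implicit: an empty shell field, as in the `news` entry, is not a missing shell, because both login(1) and sshd fall back to /bin/sh when the field is empty.

```python
from dataclasses import dataclass

# Shells that never yield an interactive session.  NOTE: an empty shell
# field is not one of them; login(1) and sshd both fall back to /bin/sh
# when the field is empty, so parse_passwd() normalises it to /bin/sh.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


@dataclass
class HomeState:
    """Constructed stand-in for stat() of a home directory."""
    owner_uid: int
    mode: int                     # permission bits, e.g. 0o755
    has_authorized_keys: bool = False   # ~/.ssh/authorized_keys exists
    has_rhosts: bool = False            # ~/.rhosts exists


def parse_passwd(text):
    """Map user name -> uid, home and effective shell from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "home": home,
                       "shell": shell or "/bin/sh"}   # empty field == /bin/sh
    return users


def password_locked(shadow_text):
    """Map user name -> True when the shadow hash field can never match:
    '*', '!', '!!' or a hash prefixed with '!' (passwd -l / usermod -L)."""
    locked = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, hashed = line.split(":")[:2]
        locked[name] = hashed in ("*", "!", "!!") or hashed.startswith("!")
    return locked


def user_can_write(uid, home):
    """True if the account itself can create files in its home directory."""
    owner_write = home.owner_uid == uid and bool(home.mode & 0o200)
    world_write = bool(home.mode & 0o002)
    return owner_write or world_write


def audit(passwd_text, shadow_text, homes):
    """Return {user: [issue, ...]} for accounts whose password is locked but
    which can still be entered through ssh identities or r* trust files."""
    findings = {}
    locked = password_locked(shadow_text)
    for name, u in parse_passwd(passwd_text).items():
        if u["shell"] in NON_LOGIN_SHELLS:
            continue       # no interactive shell: a key or .rhosts does not help
        if not locked.get(name, False):
            continue       # account is meant to log in; password policy applies
        home = homes.get(u["home"])
        if home is None:
            continue       # nothing to stat; nothing can be planted there
        issues = []
        if home.has_authorized_keys:
            issues.append("locked password bypassed: authorized_keys present, "
                          "shell is " + u["shell"])
        if home.has_rhosts:
            issues.append("locked password bypassed: .rhosts present, shell is "
                          + u["shell"])
        if user_can_write(u["uid"], home):
            issues.append("home writable by the account: a file-write bug "
                          "running as this uid can plant a key or .rhosts")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample data; hashes and names are invented.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/etc/news:
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/sbin/nologin
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedhash:15000:0:99999:7:::
news:*:15000:0:99999:7:::
alice:!$6$constructedhash:15000:0:99999:7:::
bob:*:15000:0:99999:7:::
carol:!:15000:0:99999:7:::
"""
SAMPLE_HOMES = {
    "/root": HomeState(owner_uid=0, mode=0o700),
    "/etc/news": HomeState(owner_uid=9, mode=0o755),        # news owns its home
    "/home/alice": HomeState(owner_uid=1000, mode=0o755, has_authorized_keys=True),
    "/home/bob": HomeState(owner_uid=1001, mode=0o755, has_authorized_keys=True),
    "/home/carol": HomeState(owner_uid=0, mode=0o755),      # root-owned, as advised
}

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_HOMES).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

On the sample data only `news` and `alice` are reported: `bob` is locked and has a key planted but cannot get a shell past /sbin/nologin, and `carol` is locked with a real shell but a root-owned home, which is the arrangement the post recommends.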


