Re: User's and Shells

From: Zow (zow@llnl.gov)
Date: 12/27/02


To: Glynn Clements <glynn.clements@virgin.net>
Date: Fri, 27 Dec 2002 08:03:21 -0800
From: "Zow" Terry Brugger <zow@llnl.gov>


> > Humm. . . On my Mandrake 9.0 box, the rpm user's shell is set to
> > /bin/false ,
> > so I would suspect that you can probably safely change it to that.
>
> Even this isn't necessarily safe; by the time that the "shell" gets to

I'm sorry -- I wasn't precise enough in my choice of words. By "safely", I
meant with respect to the intended functionality of the system, not
necessarily the security of the system. And you're absolutely right: having
/bin/false there doesn't provide any guarantee of security. It will, however,
aid in protecting against using the account with a default password that was
unintentionally left on the system, or a brute-force attack against that
account. Problems with /bin/false aside, if an attacker can run arbitrary
code as a given user, it doesn't matter what shell (if any) that user is
assigned in /etc/passwd: the attacker can just exec whatever shell they want.

Terry

#include <disclaimer>
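Terry's point above, that /bin/false only stands in the way of the password-login path and does nothing once an attacker can already run code as the user, suggests the check a practitioner actually wants to run: which system accounts still have both an interactive shell and an unlocked password, so that a leftover default password or a brute-force attempt would get a shell. The Python below is an added example, not code from the original thread or from Mandrake. The /etc/passwd and /etc/shadow lines are constructed samples (the hash strings are placeholders, not real hashes), and the UID cutoff of 499 for "system account" and the set of no-login shells are assumptions for this example.

```python
"""Audit passwd/shadow data for system accounts that are still reachable by
password login. Added example; the sample data below is constructed."""

# Shells conventionally used to refuse interactive login (assumption: this
# list, and the UID cutoff, follow the Mandrake-era convention).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
SYSTEM_UID_MAX = 499

# Constructed sample data, not from the original post. The rpm user has
# /bin/false and a locked hash, as described in the thread; the others show
# the weaker combinations the audit is meant to flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
games:x:12:100:games:/usr/games:/bin/sh
rpm:x:37:37:RPM user:/var/lib/rpm:/bin/false
postgres:x:40:40:PostgreSQL Server:/var/lib/pgsql:/bin/bash
terry:x:500:500:Terry:/home/terry:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$saltroot$placeholderhash:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
mail:$1$saltmail$placeholderhash:12000:0:99999:7:::
games::12000:0:99999:7:::
rpm:!!:12000:0:99999:7:::
postgres:$1$saltpg$placeholderhash:12000:0:99999:7:::
terry:$1$saltterry$placeholderhash:12000:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {name: fields} for a colon-separated passwd/shadow style file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def password_is_locked(hash_field):
    """'*', '!', '!!' or a '!'-prefixed hash cannot match any typed password."""
    return hash_field in ("*", "!", "!!") or hash_field.startswith("!")


def classify(uid, shell, hash_field):
    """Return a finding for one account, or None if it looks acceptable."""
    if hash_field == "":
        return "empty password field"
    if uid == 0 or uid > SYSTEM_UID_MAX:
        return None  # root and human users are out of scope for this check
    usable_shell = shell not in NOLOGIN_SHELLS
    locked = password_is_locked(hash_field)
    if usable_shell and not locked:
        return "interactive shell and unlocked password"
    if usable_shell:
        return "interactive shell, password locked"
    if not locked:
        return "unlocked password, only the no-login shell blocks it"
    return None  # no-login shell and locked password: both layers present


def audit(passwd_text, shadow_text):
    """Return {account: finding} for every account that is not fully locked down."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = {}
    for name, fields in passwd.items():
        uid = int(fields[2])
        shell = fields[6] if len(fields) > 6 else ""
        # Prefer the shadow hash; fall back to the passwd field for old-style files.
        hash_field = shadow[name][1] if name in shadow else fields[1]
        finding = classify(uid, shell, hash_field)
        if finding:
            findings[name] = finding
    return findings


if __name__ == "__main__":
    for account, reason in sorted(audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items()):
        print(f"{account}: {reason}")
```

On a real box you would feed it the contents of /etc/passwd and /etc/shadow (reading the latter needs root). The "interactive shell, password locked" line is deliberately still reported: as the thread notes, a locked password only closes one door, and an account that is reachable some other way will hand the attacker whatever shell is listed.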


