Re: User?s and Shells

From: Zow (zow@llnl.gov)
Date: 12/27/02 

To: Glynn Clements <glynn.clements@virgin.net>
Date: Fri, 27 Dec 2002 08:03:21 -0800
From: "Zow" Terry Brugger <zow@llnl.gov>

> > Humm. . . On my Mandrake 9.0 box, the rpm user's shell is set to
> > /bin/false ,
> > so I would suspect that you can probably safely change it to that.
>
> Even this isn't necessarily safe; by the time that the "shell" gets to

I'm sorry -- I wasn't precise enough in my choice of words. By "safely", I
meant with respect to the intended functionality of the system, not
necessarily the security of the system. And you're absolutely right: having
/bin/false there doesn't provide any guarantee of security. It will, however,
aid in protecting against using the account with a default password that was
unintentionally left on the system, or a brute-force attack against that
account. Problems with /bin/false aside, if an attacker can run arbitrary
code as a given user, it doesn't matter what shell (if any) that user is
assigned in /etc/passwd: the attacker can just exec whatever shell they want.

Terry

#include <disclaimer>

Relevant Pages

  • Re: Account Hijacked
    ... Eventually pieced together what had happened from eBay security e-mails and the log of my seller account..... ... At 9.15pm eBay had spotted this. ... Took about an hour to understand what had happened, change my eBay & Paypal passwords, change my secret questions etc. Credit to eBay for a very clever ringback system - automated call gives you a one-time PIN to access & reset the account. ... My old password was medium secure, but would I'm sure be breakable by a serious attacker. ...
    (uk.people.consumers.ebay)
  • Re: Renaming root account
    ... It's not a *good* idea because it's security through obscurity. ... executables use "uid 0" vs "root", so changing the name of the account ... the attacker does not need to know what access he is trying to get (eg. ... root or non-root), only what service her/his attack will use as a vector. ...
    (FreeBSD-Security)
  • RE: User?s and Shells
    ... the shell as well the password for an account. ... Disabling the password makes ... The ideal solution is to have a binary program for the account shell ... defense in depth/layers is the key to security. ...
    (Focus-Linux)
  • Re: su change?
    ... The root account is an account that needs to have the highest ... Then make a point as to why root, when not having a valid shell, not being ... able to log in is a useful security check in any way shape or form. ...
    (FreeBSD-Security)
  • [NT] Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (MS03-044)
    ... Get your security news from a reliable source. ... A security vulnerability exists in the Help and Support Center function ... *Microsoft Windows Millennium Edition ... An attacker could exploit the vulnerability by constructing a URL that, ...
    (Securiteam)