[FOCUS] `tcsh' a security risk?

From: David Foster (foster@dim.ucsd.edu)
Date: 09/05/01


Message-Id: <200109052028.NAA05612@dim.ucsd.edu>
Date: Wed, 5 Sep 2001 13:28:02 -0700 (PDT)
From: David Foster <foster@dim.ucsd.edu>
Subject: [FOCUS] `tcsh' a security risk?
To: focus-sun@securityfocus.com


The "new account" information from a collaborator's system states
that setting the default shell to tcsh in the passwd file is a
security risk.

Comments?

  Using tcsh:
  
  tcsh is an extended version of csh ("c-shell") which offers
  additional functionality, such as history access and word-processor-like
  command line editing using the arrow keys. (type "man tcsh" for
  more info).
  
  Since setting the default shell to tcsh in the passwd file is a
  security risk, we ask for people who'd like to use it to add the
  following lines to their .cshrc file:
  
          # if tcsh exists, use it
          if (($shell == /bin/csh) && (-e /usr/local/bin/tcsh)) then
              exec /usr/local/bin/tcsh -l $*
          endif
  

   << All opinions expressed are mine, not the University's >>

  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   David Foster          National Center for Microscopy and Imaging Research
   Programmer/Analyst    University of California, San Diego
   dfoster@ucsd.edu      Department of Neuroscience, Mail 0608
   (858) 534-7968        http://ncmir.ucsd.edu/
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself. Therefore, all progress
   depends on the unreasonable." -- George Bernard Shaw


