Re: [FOCUS] `tcsh' a security risk?
From: Darren Moffat (Darren.Moffat@eng.sun.com)Date: 09/05/01
- Previous message: David Foster: "[FOCUS] `tcsh' a security risk?"
- Maybe in reply to: David Foster: "[FOCUS] `tcsh' a security risk?"
- Next in thread: Gus Hartmann: "Re: [FOCUS] `tcsh' a security risk?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <200109052045.f85Kjp9d432285@jurassic.eng.sun.com> Date: Wed, 5 Sep 2001 13:45:51 -0700 (PDT) From: Darren Moffat <Darren.Moffat@eng.sun.com> Subject: Re: [FOCUS] `tcsh' a security risk? To: focus-sun@securityfocus.com, foster@dim.ucsd.edu
>The "new account" information from a collaborator's system states
>that setting the default shell to tcsh in the passwd file is a
>security risk.
Based on what vulnerability ?
> Since setting the default shell to tcsh in the passwd file is a
> security risk, we ask for people who'd like to use it to add the
> following lines to their .cshrc file:
>
> # if tcsh exists, use it
> if (($shell == /bin/csh) && (-e /usr/local/bin/tcsh)) then
> exec /usr/local/bin/tcsh -l $*
> endif
That is no better than having it in the passwd file.
They only connection I can make is you shouldn't change the shell
of the root user to anything other than /sbin/sh - but this isn't
for security reasons it is for availablity reasons.
-- Darren J Moffat
- Previous message: David Foster: "[FOCUS] `tcsh' a security risk?"
- Maybe in reply to: David Foster: "[FOCUS] `tcsh' a security risk?"
- Next in thread: Gus Hartmann: "Re: [FOCUS] `tcsh' a security risk?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
