Date:      Thu, 3 Dec 1998 02:37:19 +0300
From:      "Andrey A. Chernov" <ache@nagual.pp.ru>
To:        dima@best.net
Cc:        guido@gvr.org, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/etc master.passwd
Message-ID:  <19981203023719.A87604@nagual.pp.ru>
In-Reply-To: <199812022329.PAA86705@burka.rdy.com>; from dima@best.net on Wed, Dec 02, 1998 at 03:29:00PM -0800
References:  <19981203014511.A72032@nagual.pp.ru> <199812022329.PAA86705@burka.rdy.com>

On Wed, Dec 02, 1998 at 03:29:00PM -0800, Dima Ruban wrote:
> I don't exactly see what's wrong with not having this directory created by
> mtree.
> If a hacker on a given machine can create /usr/guest/operator or whatever is
> the default, then it means that this dude has root access.
> At this point you're screwed either way.

Yes, but _after_ having root access once (suppose you close the hole
quickly) he can use your machine forever under the operator account (without
root access), which is hard to detect because passwd is unchanged.

> Yeah, you didn't touch my password file, but you forced everybody else 
> who potentially can use this feature to deal with your changes.  

Everybody else who uses operator as a valid user must change its directory
to reflect a real existing one _even_in_old_variant_, so changes are
necessary in any case.

-- 
Andrey A. Chernov
http://www.nagual.pp.ru/~ache/
MTH/SH/HE S-- W-- N+ PEC>+ D A a++ C G>+ QH+(++) 666+>++ Y
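
An audit for the situation discussed in this message, as an added example that is not part of the original e-mail or of FreeBSD: it lists system accounts whose passwd home directory is missing, or exists and holds files that grant access without a password change. The `ACCESS_FILES` list, the UID cutoff and the `SAMPLE` entries are assumptions constructed for illustration.

```python
import os
import sys

# Files that can grant login or command execution while passwd stays unchanged
# (assumed list for this example; extend for your environment).
ACCESS_FILES = (".rhosts", ".shosts", ".ssh/authorized_keys", ".forward")

# Constructed sample in master.passwd (10 fields) and passwd (7 fields) layout.
SAMPLE = """# constructed entries, not copied from a real system
root:*:0:0::0:0:Charlie &:/root:/bin/csh
operator:*:2:5::0:0:System &:/usr/guest/operator:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
"""

def parse_accounts(text):
    """Yield (name, uid, home) from passwd or master.passwd formatted text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10) or not fields[2].isdigit():
            continue  # malformed entry: skip rather than guess
        yield fields[0], int(fields[2]), fields[-2]  # home is second to last

def audit_homes(passwd_text, root="/", max_uid=999):
    """Return (name, home, status) for accounts with uid <= max_uid (assumed cutoff)."""
    findings = []
    for name, uid, home in parse_accounts(passwd_text):
        if uid > max_uid or not home.startswith("/"):
            continue
        path = os.path.join(root, home.lstrip("/"))
        if not os.path.isdir(path):
            # passwd points at nothing, so the directory can appear later
            # without any change to the password file.
            findings.append((name, home, "missing"))
            continue
        present = [f for f in ACCESS_FILES if os.path.lexists(os.path.join(path, f))]
        if present:
            findings.append((name, home, "access-files:" + ",".join(present)))
    return findings

if __name__ == "__main__":
    # Pass a passwd file path to audit a real system; defaults to SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_homes(text):
        print(*finding, sep="\t")
```

Accounts that deliberately point at a placeholder home will show up as "missing"; record those as a baseline and alert when a status changes between runs.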
