Date:      Thu, 5 Apr 2001 00:43:17 -0500 (CDT)
From:      James Wyatt <jwyatt@rwsystems.net>
To:        Kherry Zamore <dknj@dknj.org>
Cc:        freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: su change?
Message-ID:  <Pine.BSF.4.10.10104031434320.4963-100000@bsdie.rwsystems.net>
In-Reply-To: <005401c0bc63$7cb36650$0202a8c0@majorzoot>

On Tue, 3 Apr 2001, Kherry Zamore wrote:
> Just recently my friend locked himself out of his machine by changing root's
> shell to a nonexisting file.  The only way he could become root again was by
> rebooting the machine into single user mode and changing it from there.  Now
> while I know that it's foolish to change root's shell in the first place, I
> don't think this is an acceptable punishment for those that do.

Your friend had a "root awakening", eh? Consider it a cheap lesson on:

1) Use chsh to change shells *always*. If not, use vipw at least.

2) sudo can be a handy beast. It helps forgotten root passwords too!

3) Playing with root's shell is dangerous and, I'm sorry, just stupid. If
your new shell has shared libs on another filesystem that fails to mount,
you are toast. (BillVer can attest to this from csh on the Tandy 6000.)
Scripts should spec their shell, but you could still get caught there too.
The csh vs. sh debate is part of why 'toor' was created. sudo also gets
around this by letting you use users' favorite shells.

4) Make a playground. Take some abandoned box and install an OS on it to
"beat up". Do experimental or "crazy" things on *it* first. (At least you
can't kill off init anymore, you could on the VAX. (^_^)) This is a good
idea for WinServers too, btw. Using Ghost(tm), you can bring your machine
back from the dead in no time.

Any experienced admin has plenty of tales (tightening access until telnet
fails, live ifconfig-ing the WRONG IP, SMTP alias loops, forgetting Caps
Lock was on in vi, etc...). I wouldn't hire an admin that didn't have some
experience with damage control - you don't know how they will react. - Jy@
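The lock-out in this thread comes from a login shell that cannot actually run. The following is an added example, not part of this message and not FreeBSD's chsh(1) or vipw(8): a POSIX sh pre-flight check that enforces what chsh requires of unprivileged users (absolute path, file exists, executable, listed in /etc/shells) and adds the check James describes in point 3: every shared library the shell needs must live on the root filesystem, so a separate mount that fails to come up cannot leave root without a shell. The function names, return codes and the sample /etc/shells used in the test are constructed for the example; the library check assumes ldd, df and awk are available and is skipped when ldd is missing.

```shell
#!/bin/sh
# Pre-flight checks before pointing an account (especially root) at a new
# login shell. Added example; not FreeBSD's chsh(1). Assumes ldd, df, awk.

# Print every shared library of $1 that does not live on the root filesystem.
# A shell whose libraries sit on a separate mount stops working if that
# mount fails, which is the failure mode described in the thread.
shell_libs_off_root() {
    command -v ldd >/dev/null 2>&1 || return 0   # no ldd: nothing to check
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\// && $i !~ /:$/) print $i }' |
        while read -r lib; do
            [ -e "$lib" ] || continue
            mnt=$(df -P "$lib" 2>/dev/null | awk 'NR == 2 { print $NF }')
            [ "$mnt" = "/" ] || printf '%s (mounted on %s)\n' "$lib" "$mnt"
        done
}

# check_login_shell SHELL [SHELLS_FILE]
# Returns 0 if SHELL looks safe as a login shell, otherwise a distinct
# non-zero code per failed check (1..5) with the reason on stderr.
check_login_shell() {
    shell=$1
    shells_file=${2:-/etc/shells}

    case $shell in
        /*) ;;
        *)  echo "refuse: '$shell' is not an absolute path" >&2; return 1 ;;
    esac
    if [ ! -f "$shell" ]; then
        echo "refuse: '$shell' does not exist (root would be locked out)" >&2
        return 2
    fi
    if [ ! -x "$shell" ]; then
        echo "refuse: '$shell' is not executable" >&2
        return 3
    fi
    # chsh(1) applies this rule to unprivileged users; root can bypass it,
    # which is exactly when it matters most.
    if ! grep -qxF -e "$shell" "$shells_file" 2>/dev/null; then
        echo "refuse: '$shell' is not listed in $shells_file" >&2
        return 4
    fi
    off_root=$(shell_libs_off_root "$shell")
    if [ -n "$off_root" ]; then
        echo "refuse: '$shell' needs libraries outside the root filesystem:" >&2
        echo "$off_root" >&2
        return 5
    fi
    echo "ok: '$shell' looks safe as a login shell"
    return 0
}

# Invoked with arguments: check the given shell (and optional shells file)
# and exit with the check's code, so it can gate a chsh in a script.
if [ $# -gt 0 ]; then
    check_login_shell "$@"
    exit $?
fi
```

Run it as `sh check_shell.sh /usr/local/bin/bash` before `chsh -s /usr/local/bin/bash root`; a non-zero exit is the signal to stop. It only reports, never edits the password database, so the single-user-mode recovery in the thread is never needed to undo it. A shell that pulls libraries from /usr/local is the typical way to fail check 5 on a system with a separate /usr, which is the case for keeping a uid-0 account such as 'toor' on a statically linked /bin/sh as the thread mentions.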

