From owner-freebsd-security@FreeBSD.ORG Thu Jun 17 11:58:33 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C70216A4CE; Thu, 17 Jun 2004 11:58:33 +0000 (GMT) Received: from fillmore.dyndns.org (port-212-202-50-15.dynamic.qsc.de [212.202.50.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 968D243D53; Thu, 17 Jun 2004 11:58:32 +0000 (GMT) (envelope-from eikemeier@fillmore-labs.com) Received: from [172.16.0.11] (helo=localhost) by fillmore.dyndns.org with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 4.34 (FreeBSD)) id 1BavX6-0004xh-4T; Thu, 17 Jun 2004 13:58:18 +0200 Mime-Version: 1.0 (Apple Message framework v482) Message-Id: <9D975CC6-C055-11D8-9250-00039312D914@fillmore-labs.com> In-Reply-To: <20040616185151.GA80900@disturbed.org> Content-Type: text/plain; charset=US-ASCII; format=flowed From: Oliver Eikemeier Content-Transfer-Encoding: 7bit To: Mike Benjamin , Alex Povolotsky User-Agent: KMail/1.5.9 X-Mailman-Approved-At: Wed, 07 Jul 2004 16:02:47 +0000 cc: Per Engelbrecht Subject: Re: nmap not scanning networks? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Thu, 17 Jun 2004 11:58:33 -0000 X-Original-Date: Thu, 17 Jun 2004 13:58:15 +0200 X-List-Received-Date: Thu, 17 Jun 2004 11:58:33 -0000 Hopefully fixed, thanks for your help. 
From owner-freebsd-security@FreeBSD.ORG Fri Jun 18 14:55:49 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D219C16A4CE for ; Fri, 18 Jun 2004 14:55:49 +0000 (GMT) Received: from ox.eicat.ca (ox.eicat.ca [66.96.30.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 85C3243D49 for ; Fri, 18 Jun 2004 14:55:49 +0000 (GMT) (envelope-from dgilbert@daveg.ca) Received: by ox.eicat.ca (Postfix, from userid 66) id 0EA6DC11C; Fri, 18 Jun 2004 10:54:48 -0400 (EDT) Received: by canoe.dclg.ca (Postfix, from userid 101) id 6E47E1D26A8; Fri, 18 Jun 2004 10:54:47 -0400 (EDT) From: David Gilbert MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16595.567.380998.969679@canoe.dclg.ca> To: Zoran Kolic In-Reply-To: <20040618062557.GA616@kolic.net> References: <20040617120329.8AA7216A4D5@hub.freebsd.org> <20040618062557.GA616@kolic.net> X-Mailer: VM 7.17 under 21.5 (beta15) "celery" XEmacs Lucid X-Mailman-Approved-At: Wed, 07 Jul 2004 16:02:47 +0000 cc: freebsd-security@freebsd.org Subject: Re: nmap not scanning networks? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Fri, 18 Jun 2004 14:55:49 -0000 X-Original-Date: Fri, 18 Jun 2004 10:54:47 -0400 X-List-Received-Date: Fri, 18 Jun 2004 14:55:49 -0000 >>>>> "Zoran" == Zoran Kolic writes: >> nmap -sT -p 21 '172.19.17.*' Zoran> Have you tried without "'"? Or 172.19.17.1-254? Nmap works Zoran> for me. Maybe port 21? I've noticed that nmap on FreeBSD is particularly lame at scanning the local network. If the majority of the addresses on the local network are unoccupied, then it will pause with a 'no buffer space available' message and pause for 15 or 20 seconds each. 
This seems to be due to it wanting to send a number of packets to the same addresses and when the arp is not resolved we're putting a negative entry in the routing table. ... or at least that was the behaviour. Recent -CURRENTS don't even seem to try to send arp entries as the arp table isn't full of incomplete entries as it was before. Dave. -- ============================================================================ |David Gilbert, Independent Contractor. | Two things can only be | |Mail: dave@daveg.ca | equal if and only if they | |http://daveg.ca | are precisely opposite. | =========================================================GLO================ From owner-freebsd-security@FreeBSD.ORG Sat Jun 26 20:14:12 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 99C7816A4CE for ; Sat, 26 Jun 2004 20:14:12 +0000 (GMT) Received: from update.ods.org (221056.ds.nac.net [66.246.72.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4C3F943D39 for ; Sat, 26 Jun 2004 20:14:12 +0000 (GMT) (envelope-from jd@ods.org) Received: from localhost (221056.ds.nac.net [127.0.0.1]) by update.ods.org (Postfix) with ESMTP id CD670154B75; Sat, 26 Jun 2004 16:13:48 -0400 (EDT) Received: from update.ods.org ([127.0.0.1]) by localhost (update.ods.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 27442-04; Sat, 26 Jun 2004 16:13:48 -0400 (EDT) Received: from pcp08928390pcs.anapol01.md.comcast.net (pcp08928390pcs.anapol01.md.comcast.net [68.50.232.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by update.ods.org (Postfix) with ESMTP id 4F229154B59; Sat, 26 Jun 2004 16:13:48 -0400 (EDT) Date: Sat, 26 Jun 2004 16:13:56 -0400 From: Jason DiCioccio To: Dave , freebsd-security@freebsd.org Message-ID: <1D2A6C690DF38F9138211E10@pcp08928390pcs.anapol01.md.comcast.net> In-Reply-To: <20040626131219.T1249@metafocus.net> 
References: <20040626131219.T1249@metafocus.net> X-Mailer: Mulberry/3.1.4 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Virus-Scanned: by amavisd-new at ods.org X-Mailman-Approved-At: Wed, 07 Jul 2004 16:02:47 +0000 Subject: Re: ttyv for local only? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Jun 2004 20:14:12 -0000 Perhaps someone is using the snoop device? (man snp). I do this occasionally.. but you can watch vtys using 'watch' and the snp devices. Regards, -JD- --On Saturday, June 26, 2004 1:18 PM -0700 Dave wrote: > > I get this in my security postings. > > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2 > Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2, qmaild > > As it turns out, I'm not running qmail :) And if I did, it would > definitely have a nologin shell. But that's beside the point- > > I have had a perception that ttyv was for local/console logins, and that > just "tty" was for remote logins. > > Is my understanding wrong here? 
> > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Wed Jul 7 18:45:37 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E6FFA16A4CF for ; Wed, 7 Jul 2004 18:45:37 +0000 (GMT) Received: from mail.npubs.com (mail.writemehere.com [209.66.100.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id C3C2B43D31 for ; Wed, 7 Jul 2004 18:45:37 +0000 (GMT) (envelope-from nielsen@memberwebs.com) Resent-Message-Id: From: Nielsen User-Agent: Mozilla Thunderbird 0.5 (X11/20040208) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org X-Enigmail-Version: 0.83.3.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Message-Id: <20040707185358.7B4DF840A1F@mail.npubs.com> Resent-Date: Wed, 7 Jul 2004 18:53:58 +0000 (GMT) Resent-From: nielsen@memberwebs.com (Postfix Filters) Subject: jailutils security issue, and possible issue with 'jail' X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Wed, 07 Jul 2004 18:45:38 -0000 X-List-Received-Date: Wed, 07 Jul 2004 18:45:38 -0000 Since some of you use the jailutils package, I just wanted to post some additional info on the recent 'security fix' and also highlight a possible issue with the 'jail' command. http://memberwebs.com/nielsen/freebsd/jails/jailutils/security.html It's not a very big issue (unless I'm missing something), simply one of leaking the host environment into the jail. 
This might be used legitimately in certain cases, but in most cases it's probably a good idea to clear out the environment before executing the jail() or jail_attach() syscalls. The 'jstart' utility included in jailutils does this and it would probably be a good addition to 'jexec' and/or 'jail'. From owner-freebsd-security@FreeBSD.ORG Wed Jul 7 19:46:31 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DDB4716A4CE for ; Wed, 7 Jul 2004 19:46:31 +0000 (GMT) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id CFC3F43D39 for ; Wed, 7 Jul 2004 19:46:31 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin01-en2 [10.13.10.146]) by smtpout.mac.com (8.12.6/MantshX 2.0) with ESMTP id i67JkRn6021160; Wed, 7 Jul 2004 12:46:27 -0700 (PDT) Received: from [10.1.1.193] (nfw2.codefab.com [199.103.21.225] (may be forged)) (authenticated bits=0)i67JkNkI006732; Wed, 7 Jul 2004 12:46:26 -0700 (PDT) In-Reply-To: <16595.567.380998.969679@canoe.dclg.ca> References: <20040617120329.8AA7216A4D5@hub.freebsd.org> <20040618062557.GA616@kolic.net> <16595.567.380998.969679@canoe.dclg.ca> Mime-Version: 1.0 (Apple Message framework v618) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <504FDE20-D04E-11D8-9FB6-003065ABFD92@mac.com> Content-Transfer-Encoding: 7bit From: Charles Swiger Date: Wed, 7 Jul 2004 15:46:18 -0400 To: David Gilbert X-Mailer: Apple Mail (2.618) cc: freebsd-security@freebsd.org cc: Zoran Kolic Subject: Re: nmap not scanning networks? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jul 2004 19:46:32 -0000 On Jun 18, 2004, at 10:54 AM, David Gilbert wrote: > Zoran> Have you tried without "'"? Or 172.19.17.1-254? Nmap works > Zoran> for me. Maybe port 21? > > I've noticed that nmap on FreeBSD is particularly lame at scanning the > local network. If the majority of the addresses on the local network > are unoccupied, then it will pause with a 'no buffer space available' > message and pause for 15 or 20 seconds each. I believe Oliver (the port's maintainter) looked into this issue and found a fix, try updating to the latest nmap port and see whether it does better now... -- -Chuck From owner-freebsd-security@FreeBSD.ORG Thu Jul 8 15:29:59 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5B88116A4CE for ; Thu, 8 Jul 2004 15:29:59 +0000 (GMT) Received: from postoffice.ntscom.com (postoffice.ntscom.com [216.167.128.252]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0684D43D46 for ; Thu, 8 Jul 2004 15:29:59 +0000 (GMT) (envelope-from brandon.grace@ntscom.com) Received: from NTS040101 (ip-129-new-107.nts-online.net [216.167.129.107] (may be forged)) by postoffice.ntscom.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id KAA10550 for ; Thu, 8 Jul 2004 10:29:41 -0500 From: "Brandon Grace" To: Date: Thu, 8 Jul 2004 10:29:58 -0500 Organization: NTS Communications Message-ID: MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Thread-Index: AcRlAG1CuHzOu823QrSbmw3Zqohxpg== Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: Root users shell == no existant shell 
/bin/bash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: brandon.grace@ntscom.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 15:29:59 -0000 I made a mistake setting my shell and have set the root users shell to /bin/bash instead of /bin/sh. I am curiuos if anyone knows how to fix this. The machines is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su. From owner-freebsd-security@FreeBSD.ORG Thu Jul 8 15:42:04 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1971E16A4CE for ; Thu, 8 Jul 2004 15:42:04 +0000 (GMT) Received: from postoffice.ntscom.com (postoffice.ntscom.com [216.167.128.252]) by mx1.FreeBSD.org (Postfix) with ESMTP id A8BFD43D3F for ; Thu, 8 Jul 2004 15:42:03 +0000 (GMT) (envelope-from brandon.grace@ntscom.com) Received: from NTS040101 (ip-129-new-107.nts-online.net [216.167.129.107] (may be forged)) by postoffice.ntscom.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id KAA13577 for ; Thu, 8 Jul 2004 10:41:46 -0500 From: "Brandon Grace" To: Date: Thu, 8 Jul 2004 10:42:02 -0500 Organization: NTS Communications Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Thread-Index: AcRlAaPCugdYcKkRSi6vHaI9rhMI9AAADFoA In-Reply-To: <20040708153848.GF1169@bal740r0.mecon.gov.ar> Subject: RE: Root users shell == no existant shell /bin/bash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: brandon.grace@ntscom.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 15:42:04 
-0000 For some reason su -c relates to "class" not "command" as in linux. I know about the booting into single user mode also. This happends to be the primary dns server and our secondary doesn't have the capacity to handle all the queries. Any other suggestions? Thanks in advance. From owner-freebsd-security@FreeBSD.ORG Thu Jul 8 15:42:05 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABA5316A4CE for ; Thu, 8 Jul 2004 15:42:05 +0000 (GMT) Received: from eddie.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27A7943D3F for ; Thu, 8 Jul 2004 15:42:05 +0000 (GMT) (envelope-from simon@eddie.nitro.dk) Received: by eddie.nitro.dk (Postfix, from userid 1000) id AE70811811; Thu, 8 Jul 2004 17:42:03 +0200 (CEST) Date: Thu, 8 Jul 2004 17:42:03 +0200 From: "Simon L. Nielsen" To: Brandon Grace Message-ID: <20040708154202.GB19685@eddie.nitro.dk> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="tjCHc7DPkfUGtrlw" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: Root users shell == no existant shell /bin/bash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 15:42:05 -0000 --tjCHc7DPkfUGtrlw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2004.07.08 10:29:58 -0500, Brandon Grace wrote: > I made a mistake setting my shell and have set the root users shell to > /bin/bash instead of /bin/sh. I am curiuos if anyone knows how to fix thi= s. 
> The machines is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su. Just go to single user mode [1] and correct it. [1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/boot-init.htm= l#BOOT-SINGLEUSER --=20 Simon L. Nielsen FreeBSD Documentation Team --tjCHc7DPkfUGtrlw Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFA7WtKh9pcDSc1mlERAkjgAKCzCDE2ihWRqhkwG/FV7F84y+DYTACgvR3I jkoMJi7+BcM0dkdJfkxH6R4= =P0NZ -----END PGP SIGNATURE----- --tjCHc7DPkfUGtrlw-- From owner-freebsd-security@FreeBSD.ORG Thu Jul 8 15:45:50 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D9BA16A4CE for ; Thu, 8 Jul 2004 15:45:50 +0000 (GMT) Received: from areandor.numenor.net (areandor.numenor.net [69.55.237.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B7BB43D48 for ; Thu, 8 Jul 2004 15:45:50 +0000 (GMT) (envelope-from lists-freebsd@silverwraith.com) Received: from [69.55.228.10] (helo=keylime.silverwraith.com) by areandor.numenor.net with esmtp (TLSv1:RC4-SHA:128) (Exim 3.36 #1) id 1Bib5p-0006jr-00 for freebsd-security@freebsd.org; Thu, 08 Jul 2004 08:45:49 -0700 Received: from keylime ([69.55.228.10] helo=keylime.silverwraith.com) by keylime.silverwraith.com with esmtp (Exim 4.34; FreeBSD) id 1Bib5o-0005Yp-Uy; Thu, 08 Jul 2004 08:45:49 -0700 Received: (from avleen@localhost)i68Fjm6O021376; Thu, 8 Jul 2004 08:45:48 -0700 (PDT) (envelope-from lists-freebsd@silverwraith.com) X-Authentication-Warning: keylime.silverwraith.com: avleen set sender to lists-freebsd@silverwraith.com using -f Date: Thu, 8 Jul 2004 08:45:48 -0700 From: Avleen Vig To: Brandon Grace Message-ID: <20040708154548.GU5238@silverwraith.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.6i X-Spam-Score: -100.0 
(---------------------------------------------------) X-Spam-Report: Spam detection software, running on the system "keylime.silverwraith.com", hasmessageblock similar future email. If you have any questions, see the administrator of that system for details.Graceusers shell to > /bin/bash instead of /bin/sh. I am curiuos if anyone knows not have sudo only su. [...] Content analysis details: (-100.0 points, 5.0 required) pts rule name description -------------------------------------------------- -100 USER_IN_WHITELIST From: address is in the user's white-list cc: freebsd-security@freebsd.org Subject: Re: Root users shell == no existant shell /bin/bash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 15:45:50 -0000 On Thu, Jul 08, 2004 at 10:29:58AM -0500, Brandon Grace wrote: > I made a mistake setting my shell and have set the root users shell to > /bin/bash instead of /bin/sh. I am curiuos if anyone knows how to fix this. > The machines is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su. Two ways. su -m root will su to root but keep you currect shell etc. boot into single user mode, and then change it. 
-- Avleen Vig Systems Administrator Personal: www.silverwraith.com EFnet: irc.mindspring.com (Earthlink user access only) From owner-freebsd-security@FreeBSD.ORG Thu Jul 8 15:48:05 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F02A16A4CE for ; Thu, 8 Jul 2004 15:48:05 +0000 (GMT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id D257C43D2D for ; Thu, 8 Jul 2004 15:48:03 +0000 (GMT) (envelope-from roam@ringlet.net) Received: (qmail 25169 invoked from network); 8 Jul 2004 15:44:20 -0000 Received: from unknown (HELO straylight.m.ringlet.net) (217.75.134.254) by gandalf.online.bg with SMTP; 8 Jul 2004 15:44:20 -0000 Received: (qmail 43943 invoked by uid 1000); 8 Jul 2004 15:47:54 -0000 Date: Thu, 8 Jul 2004 18:47:53 +0300 From: Peter Pentchev To: Brandon Grace Message-ID: <20040708154753.GA799@straylight.m.ringlet.net> Mail-Followup-To: Brandon Grace , freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="cWoXeonUoKmBZSoM" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: Root users shell == no existant shell /bin/bash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 15:48:05 -0000 --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 08, 2004 at 10:29:58AM -0500, Brandon Grace wrote: > I made a mistake setting my shell and have set the root users shell to > /bin/bash instead of /bin/sh. I am curiuos if anyone knows how to fix thi= s. 
> The machines is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su. Reboot the machine in single-user mode - press Space or anything but Enter at the spinning loader prompt, then type 'boot -s'. After that, mount the rest of the filesystems (if necessary) by 'mount -a', run 'vipw' (or 'chsh -s /bin/sh root' directly) and fix your mistake. I think this was documented somewhere in the FAQ or the Handbook, but right now I can't find it. G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If wishes were fishes, the antecedent of this conditional would be true. --cWoXeonUoKmBZSoM Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFA7Wyp7Ri2jRYZRVMRApZ5AJwMU/4irLqqLzJRbGYdVJG3p9+EEQCgj4hQ F0k9w6ONNy7NW8a5CGYAFI8= =ux5l -----END PGP SIGNATURE----- --cWoXeonUoKmBZSoM-- From owner-freebsd-security@FreeBSD.ORG Thu Jul 8 15:55:23 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 82B3816A4CE for ; Thu, 8 Jul 2004 15:55:23 +0000 (GMT) Received: from relay2.mecon.ar (relay2.mecon.gov.ar [168.101.16.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id F413943D3F for ; Thu, 8 Jul 2004 15:55:21 +0000 (GMT) (envelope-from fernando@mecon.gov.ar) Received: from racing.mecon.ar (racing.mecon.gov.ar [168.101.133.15]) by relay2.mecon.ar (8.12.8p2/8.12.8) with ESMTP id i68FtJ3V049322; Thu, 8 Jul 2004 12:55:19 -0300 (ART) (envelope-from fernando@mecon.gov.ar) Received: from racing.mecon.ar (meyosp.mecon.gov.ar [10.11.0.149]) by racing.mecon.ar (8.12.8p2/8.12.8) with ESMTP id i68FtJOD084389; Thu, 8 Jul 2004 12:55:19 -0300 (ART) (envelope-from fernando@mecon.gov.ar) Received: from bal740r0.mecon.gov.ar (bal740r0.mecon.ar [10.11.1.11]) by 
racing.mecon.ar (8.12.8p2/8.12.8) with ESMTP id i68FtJtA084386; Thu, 8 Jul 2004 12:55:19 -0300 (ART) (envelope-from fernando@mecon.gov.ar) Received: from bal740r0.mecon.gov.ar (localhost [127.0.0.1]) i68FtJqO001668; Thu, 8 Jul 2004 12:55:19 -0300 (ART) (envelope-from fernando@mecon.gov.ar) Received: (from fpscha@localhost) by bal740r0.mecon.gov.ar (8.12.11/8.12.11/Submit) id i68FtJ7L001667; Thu, 8 Jul 2004 12:55:19 -0300 (ART) (envelope-from fernando@mecon.gov.ar) X-Authentication-Warning: bal740r0.mecon.gov.ar: fpscha set sender to fernando@mecon.gov.ar using -f Date: Thu, 8 Jul 2004 12:55:19 -0300 From: Fernando Schapachnik To: Brandon Grace Message-ID: <20040708155519.GH1169@bal740r0.mecon.gov.ar> References: <20040708153848.GF1169@bal740r0.mecon.gov.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.4.2.1i X-OS: FreeBSD 4.10 - http://www.freebsd.org cc: freebsd-security@freebsd.org Subject: Re: Root users shell == no existant shell /bin/bash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 15:55:23 -0000 Looks like a bug in the man page: su - root -c id Password: ******** uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest) En un mensaje anterior, Brandon Grace escribió: > For some reason su -c relates to "class" not "command" as in linux. I know > about the booting into single user mode also. This happends to be the > primary dns server and our secondary doesn't have the capacity to handle all > the queries. Any other suggestions? > > Thanks in advance. 
> > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu Jul 8 19:52:28 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 75A1416A4CE for ; Thu, 8 Jul 2004 19:52:28 +0000 (GMT) Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id C228443D39 for ; Thu, 8 Jul 2004 19:52:27 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id C7751119DE; Thu, 8 Jul 2004 21:52:25 +0200 (CEST) Date: Thu, 8 Jul 2004 21:52:25 +0200 From: "Simon L. Nielsen" To: Fernando Schapachnik Message-ID: <20040708195225.GB761@zaphod.nitro.dk> References: <20040708153848.GF1169@bal740r0.mecon.gov.ar> <20040708155519.GH1169@bal740r0.mecon.gov.ar> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZPt4rx8FFjLCG7dd" Content-Disposition: inline In-Reply-To: <20040708155519.GH1169@bal740r0.mecon.gov.ar> User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org cc: Brandon Grace Subject: Re: Root users shell == no existant shell /bin/bash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 19:52:28 -0000 --ZPt4rx8FFjLCG7dd Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable [Please don't top post...] 
On 2004.07.08 12:55:19 -0300, Fernando Schapachnik wrote: > En un mensaje anterior, Brandon Grace escribi=F3: > > For some reason su -c relates to "class" not "command" as in linux. I k= now > > about the booting into single user mode also. This happends to be the > > primary dns server and our secondary doesn't have the capacity to handl= e all > > the queries. Any other suggestions? > > Looks like a bug in the man page: > > su - root -c id > Password: ******** > uid=3D0(root) gid=3D0(wheel) groups=3D0(wheel), 2(kmem), 3(sys), 4(tty), = 5(operator), > 20(staff), 31(guest) No the manual page is correct; what's happening here is that su handles the "- root" arguments, and "-c id" is being passed to root's login shell where -c tells the shell to run the rest of the arguments as run commands. That is, at least the behavior of -c both for sh and tcsh. --=20 Simon L. Nielsen FreeBSD Documentation Team --ZPt4rx8FFjLCG7dd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFA7aX5h9pcDSc1mlERAj1hAKCYFsSlhUo82ag6dDkYMDdNjWv9RQCfc9fu e1do5aGo8/wXPj5mxxAlE4I= =39d9 -----END PGP SIGNATURE----- --ZPt4rx8FFjLCG7dd-- From owner-freebsd-security@FreeBSD.ORG Thu Jul 8 21:23:41 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93BFF16A4CE for ; Thu, 8 Jul 2004 21:23:41 +0000 (GMT) Received: from relay1.ntu-kpi.kiev.ua (noc.ntu-kpi.kiev.ua [195.245.194.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 328CE43D45 for ; Thu, 8 Jul 2004 21:23:40 +0000 (GMT) (envelope-from taren@el.ntu-kpi.kiev.ua) Received: by relay1.ntu-kpi.kiev.ua (Postfix, from userid 426) id 6522117BE20; Fri, 9 Jul 2004 00:23:38 +0300 (EEST) Received: from doppelganger.el.ntu-kpi.kiev.ua (el.ntu-kpi.kiev.ua [10.255.2.3]) by relay1.ntu-kpi.kiev.ua (Postfix) with ESMTP id 3909617BBB2; Fri, 9 Jul 2004 00:23:38 +0300 
(EEST) Received: by doppelganger.el.ntu-kpi.kiev.ua (Postfix, from userid 1001) id A7AE61BAF9; Fri, 9 Jul 2004 00:23:37 +0300 (EEST) Received: from localhost (localhost [127.0.0.1]) by doppelganger.el.ntu-kpi.kiev.ua (Postfix) with ESMTP id 7C0DC1BAF8; Fri, 9 Jul 2004 00:23:37 +0300 (EEST) Date: Fri, 9 Jul 2004 00:23:37 +0300 (EEST) From: "Taras Y. NIZHNIK" To: Brandon Grace In-Reply-To: Message-ID: <20040709002231.U94008@doppelganger.el.ntu-kpi.kiev.ua> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: Root users shell == no existant shell /bin/bash X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2004 21:23:41 -0000 On Thu, 8 Jul 2004, Brandon Grace wrote: > I made a mistake setting my shell and have set the root users shell to > /bin/bash instead of /bin/sh. I am curiuos if anyone knows how to fix this. > The machines is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su. How about 'su -m' ? -- Best regards, Taras Y. 
NIZHNIK, AKA Taren, XN7211-XTF, TYN-UANIC, TYN1-RIPE

From: Jean-Pierre FORCIOLI
To: freebsd-security@freebsd.org
Date: Fri, 09 Jul 2004 07:46:57 +0200
Subject: Re: Root users shell == no existant shell /bin/bash

On Thu, 2004-07-08 at 23:23, Taras Y. NIZHNIK wrote:
> On Thu, 8 Jul 2004, Brandon Grace wrote:
> > I made a mistake setting my shell and have set the root users shell to
> > /bin/bash instead of /bin/sh. I am curious if anyone knows how to fix this.
> > The machine is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su.
> How about 'su -m' ?

"su -m" will be a solution only if "/bin/bash" is a valid shell and the caller is root:

  "The invoked shell is your login shell, and no directory changes are made. As a security precaution, if the target user's shell is a non-standard shell (as defined by getusershell(3)) and the caller's real uid is non-zero, su will fail."

But apparently, Brandon can't login anymore with the "root" account because "/bin/bash" doesn't exist (so isn't a valid shell...).

--
Jean-Pierre FORCIOLI
OpenPGP: 1024D/CF173713
Cyber Networks http://www.cyber-networks.fr/
Tel : +33 (0)1 42 04 95 89
Fax : +33 (0)1 42 04 95 87
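A preflight check for the situation Jean-Pierre describes, added here as an example and not code from the thread: it tests a user's passwd entry against the two conditions that decide whether the account can still get in (the shell binary exists and is executable, and it is listed in the shells file, which is what getusershell(3) consults). The passwd and shells files are arguments so it can run against copies; the demo's entries are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: preflight check for a login
# shell change. It applies the two conditions behind the su(1) text quoted
# above: the shell must exist and be executable, and it must be listed in
# the shells file (the getusershell(3) definition of a "standard" shell).
# Run it against /etc/passwd and /etc/shells before a chsh/vipw on root,
# or against copies, as the demo at the bottom does.

# check_login_shell USER PASSWD_FILE SHELLS_FILE
# Returns 0 when USER's shell is present and standard, 1 otherwise.
check_login_shell() {
    user=$1
    passwd_file=$2
    shells_file=$3

    # Field 7 of passwd(5) is the login shell; an empty field means /bin/sh.
    shell=$(awk -F: -v u="$user" \
        '$1 == u { print ($7 == "" ? "/bin/sh" : $7); exit }' "$passwd_file")
    if [ -z "$shell" ]; then
        echo "$user: no entry in $passwd_file" >&2
        return 1
    fi

    # 1. login(1) must be able to exec it, or the account is locked out:
    #    the original poster's situation with a missing /bin/bash.
    if [ ! -x "$shell" ]; then
        echo "$user: shell $shell is missing or not executable" >&2
        return 1
    fi

    # 2. It must appear in the shells file, skipping comments and blank
    #    lines as getusershell(3) does; otherwise su -m fails for non-root
    #    callers and ftpd(8) refuses the account.
    if ! awk -v s="$shell" \
        '/^[[:space:]]*#/ || NF == 0 { next } $1 == s { found = 1 } END { exit !found }' \
        "$shells_file"; then
        echo "$user: shell $shell is not listed in $shells_file" >&2
        return 1
    fi

    echo "$user: shell $shell is present and standard"
    return 0
}

# Demo on constructed files (sample entries, not from any real host):
# root's shell has been changed to /bin/bash, toor keeps the stock default,
# operator has a nologin shell that is not in the shells file.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:
operator:*:2:5:System &:/:/usr/sbin/nologin
EOF
    cat > "$tmp/shells" <<'EOF'
# List of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/bin/tcsh
EOF
    for u in root toor operator; do
        check_login_shell "$u" "$tmp/passwd" "$tmp/shells" || :
    done
    rm -rf "$tmp"
}

demo
```

On a host where /bin/bash does exist the root entry still fails, on the shells-file condition rather than the missing-binary one.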
From: Anders Dahlqvist
To: freebsd-security@freebsd.org
Date: Fri, 9 Jul 2004 11:58:35 +0200
Subject: Re: Root users shell == no existant shell /bin/bash

On Thursday 8 July 2004 17.29, Brandon Grace wrote:
> I made a mistake setting my shell and have set the root users shell to
> /bin/bash instead of /bin/sh. I am curious if anyone knows how to fix this.
> The machine is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su.

...and I gather that "su - toor" doesn't work either for some reason or other?
From: "Peter C. Lai"
To: Anders Dahlqvist
Date: Fri, 9 Jul 2004 06:33:42 -0400
Subject: Re: Root users shell == no existant shell /bin/bash

On Fri, Jul 09, 2004 at 11:58:35AM +0200, Anders Dahlqvist wrote:
> On Thursday 8 July 2004 17.29, Brandon Grace wrote:
> > I made a mistake setting my shell and have set the root users shell to
> > /bin/bash instead of /bin/sh. I am curious if anyone knows how to fix this.
> > The machine is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su.
>
> ...and I gather that "su - toor" doesn't work either for some reason or other?

toor has a disabled (*) password by default. What Brandon should have done was set a password for toor in the beginning, without mucking around with root's shell. But as a rule of thumb, you're probably superuser way too much if you develop an urge to change its shell anyway.

From: Roger Marquis
To: freebsd-security@freebsd.org
Date: Fri, 9 Jul 2004 09:55:40 -0700 (PDT)
Subject: Re: Root users shell == no existant shell /bin/bash

"Peter C. Lai" wrote:
> as a rule of thumb, you're probably superuser way too much if you
> develop an urge to change its shell anyway.

Where do people come up with these folk "rules"? I spend all day working in various root shells as part of my job. Couldn't do it otherwise.

> toor has a disabled (*) password by default. What Brandon should have done was
> set a password for toor in the beginning, without mucking around with root's
> shell.

In 8 years of BSD administration I've never seen the toor account used. IMO, as a matter of security, KIS, and for improved cross-platform compatibility it should be removed from the distribution.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From: Matt Piechota
To: Roger Marquis
Date: Fri, 9 Jul 2004 15:18:49 -0400 (EDT)
Subject: Re: Root users shell == no existant shell /bin/bash

On Fri, 9 Jul 2004, Roger Marquis wrote:
> Where do people come up with these folk "rules"? I spend all day
> working in various root shells as part of my job. Couldn't do it
> otherwise.

It depends on what type of work you're doing, I suppose. The idea is you should only use root for things that are absolutely necessary. In theory, you should read man pages, investigate everything, and pull up a second shell as root just to issue commands with it. The reasoning is if there's a bug in a program (like man, or lynx, netscape) you could hose the whole system up if you're root (or get it infected). On the less paranoid side, a mistype as root could have rather bad consequences.

--
Matt Piechota

From: Daniel Brown
To: "Peter C. Lai"
Date: Fri, 9 Jul 2004 13:11:26 -0700
Subject: Re: Root users shell == no existant shell /bin/bash
Wrote Peter C. Lai:
> On Fri, Jul 09, 2004 at 11:58:35AM +0200, Anders Dahlqvist wrote:
> > On Thursday 8 July 2004 17.29, Brandon Grace wrote:
> > > I made a mistake setting my shell and have set the root users shell to
> > > /bin/bash instead of /bin/sh. I am curious if anyone knows how to fix this.
> > > The machine is FreeBSD 4.8-RELEASE-p4 and does not have sudo only su.
> >
> > ...and I gather that "su - toor" doesn't work either for some reason or other?
>
> toor has a disabled (*) password by default. What Brandon should have done was
> set a password for toor in the beginning, without mucking around with root's
> shell. But as a rule of thumb, you're probably superuser way too much if you
> develop an urge to change its shell anyway.

Some of us either have to do extensive work as root (I myself extensively use shell programming on the command line -- which is not easy nor sensible in either csh or tcsh), or find it extremely annoying to use the least favorite shell during an emergency.

On the other hand, I've run across a sysadmin who always enables his toor accounts -- and changes its shell to bash. As a result, not only is there an alternate root account (good in case 'root' is trampled on by accident or on purpose), but you can get root bash as a login shell while leaving the real root to its normal shell.

Since then I've adopted this tip on the BSD system I run.

-Daniel

From: "Craig Edwards"
To: freebsd-security@freebsd.org
Date: Fri, 9 Jul 2004 21:26:40 +0100
Subject: Re: Re: Root users shell == no existant shell /bin/bash
I'm relatively new to freebsd, having moved from linux, and as soon as I found the toor account I deleted it after research deciding that having two uid 0 accounts on my system was a really really bad idea. I guess there are times when it's good to have a backup, but then you have to weigh up the costs of auditing that second account with its usefulness.

In most compile steps, only one phase of the compile requires root (make install), which cuts down greatly the amount of time you spend as a superuser, and the amount of damage you can do (accidentally or otherwise).

Thanks,
Craig

From: "Dan Langille"
To: Daniel Brown
Date: Fri, 09 Jul 2004 16:38:49 -0400
Subject: bash as a login shell (was Root users shell == no existant shell /bin/bash)

On 9 Jul 2004 at 13:11, Daniel Brown wrote:
> On the other hand, I've run across a sysadmin who always enables his
> toor accounts -- and changes its shell to bash. As a result, not only
> is there an alternate root account (good in case 'root' is trampled on by
> accident or on purpose), but you can get root bash as a login shell while
> leaving the real root to its normal shell.

This makes it sound like you find it very bothersome to log in and type 'bash' (or whatever), to give yourself the shell you want. Is that so?

--
Dan Langille : http://www.langille.org/
From: "Jacob Linscott"
To: "'Dan Langille'"
Date: Fri, 9 Jul 2004 15:44:34 -0500
Subject: RE: bash as a login shell (was Root users shell == no existant shell/bin/bash)

Something I found long ago was adding this line to your root's .cshrc

> This makes it sound like you find it very bothersome to log in and type
> 'bash' (or whatever), to give yourself the shell you want. Is that so?
>
> --
> Dan Langille : http://www.langille.org/

From: "Jacob Linscott"
To: "'Dan Langille'"
Date: Fri, 9 Jul 2004 15:46:22 -0500
Subject: RE: bash as a login shell (was Root users shell == no existant shell/bin/bash)

Something I found long ago was adding this line to your root's .cshrc

  [ -x /usr/local/bin/bash ] && exec /usr/local/bin/bash

That way you don't have to mess with changing the shell, and yet you get bash on login.

> This makes it sound like you find it very bothersome to log in and type
> 'bash' (or whatever), to give yourself the shell you want. Is that so?
From: Daniel Brown
To: "Dan Langille"
Date: Fri, 9 Jul 2004 14:22:46 -0700
Subject: Re: bash as a login shell (was Root users shell == no existant shell /bin/bash)

Wrote Dan Langille:
> On 9 Jul 2004 at 13:11, Daniel Brown wrote:
>
> > On the other hand, I've run across a sysadmin who always enables his
> > toor accounts -- and changes its shell to bash. As a result, not only
> > is there an alternate root account (good in case 'root' is trampled on by
> > accident or on purpose), but you can get root bash as a login shell while
> > leaving the real root to its normal shell.
>
> This makes it sound like you find it very bothersome to log in and type
> 'bash' (or whatever), to give yourself the shell you want. Is that
> so?

When you prefer to use a shell every single time, then having to type 'bash' is an unnecessary bother every time. This is more so when you work in a group of admins -- some people are less tolerant of manually entering a different shell than others.

To be honest, also, it's not always very obvious which shell you log into at first. Just going to the right shell in the first place removes the confusion.

-Daniel

From: Marc Spitzer
To: freebsd-security@freebsd.org
Date: Fri, 09 Jul 2004 20:41:57 -0400
Subject: Re: bash as a login shell (was Root users shell == no existantshell /bin/bash)

On Fri, 09 Jul 2004 14:22:46 -0700 Daniel Brown wrote:
> When you prefer to use a shell every single time, then having to type
> 'bash' is an unnecessary bother every time. This is more so when you
> work in a group of admins -- some people are less tolerant of manually
> entering a different shell than others.
>
> To be honest, also, it's not always very obvious which shell you log
> into at first. Just going to the right shell in the first place
> removes the confusion.

ok, but when was bash declared the right shell for the job?

marc

From: Jason Stone
To: freebsd-security@freebsd.org
Date: Fri, 9 Jul 2004 17:57:27 -0700 (PDT)
Subject: Re: bash as a login shell (was Root users shell == no existantshell /bin/bash)

> > To be honest, also, it's not always very obvious which shell you log
> > into at first. Just going to the right shell in the first place
> > removes the confusion.
>
> ok, but when was bash declared the right shell for the job?

Please please please let's not get into this.

1) the original poster is screwed - sorry dude, you'll have to shutdown.

2) different people have different styles of adminning, each with different good and bad points. while there is some merit in having that discussion, most people are pretty firm in their opinions and it's probably not worth it.

3) different people like different shells - okay, whatever.

the only possibly interesting thing that came up in this thread was the idea of removing the "toor" account. personally, I'd be for it. since the account is locked by default, anyone who wants to use it has to set it up. but since anyone who would know enough to want to use that style of adminning and set it up could just as easily recreate the account "from scratch" (it's about ten keystrokes any way you do it), then I don't see that much benefit to including it, especially since it's not very popular anymore anyway.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu

From: Bill Vermillion
To: freebsd-security@freebsd.org
Date: Sat, 10 Jul 2004 12:34:57 -0400
Subject: Re: Root users shell

> From: Roger Marquis
> Date: Fri, 9 Jul 2004 09:55:40 -0700 (PDT)
shell == no existant shell /bin/bash > To: freebsd-security@freebsd.org > Message-ID: <20040709165540.2799D2C1CC@mx5.roble.com> > Content-Type: TEXT/PLAIN; charset=US-ASCII > "Peter C. Lai" wrote: > > as a rule of thumb, you're probably superuser way too much if you > > develop an urge to change it shell anyway. > Where do people come up with these folk "rules"? I spend all day > working in various root shells as part of my job. Couldn't do it > otherwise. > > toor has a disabled (*) password by default. What Brannon > > should have done was set a password for toor in the beginning, > > without mucking around with root's shell. > In 8 years of BSD administration I've never seen the toor > account used. IMO, as a matter of security, KIS, and for > improved cross-platform compatibility it should be removed from > the distribution. I've used it a few times. Since about 1996 I've used the ksh as the default root shell on all Unix systems I've admined - commercial distributions and FreeBSD. I also set up the commericial Unixen to same way FreeBSD does, with /root being the owners home directory instead of /. It's one more little thing that can help prevent a mistype from removing critical files, by accident, or if there is more than one person with root access. Having *toor* with the default /bin/sh came in handy. Something in the gnu tools had changed and I was having a bizarre failure on building a port. Logging out and back in under *toor* showed there was an incompatibility between the current Gnu approach and the ksh I was running. A quick upgrade to the current sources from AT&T/David Korn fixed that. Having an alternate and simple shell can be handy. I've not had to use toor very often. And I've used the live-CD - #2 CD - twice. But it was a lifesaver both times. I moved the ISP I was working for in 1995 completely off the SGI Challenge servers and the multi $K netscape commercial product to FreeBSD and Apache in 1996. 
Far more speed on platforms that weren't as powerful. I don't see anything more insecure with having both a root and toor account. And I've had exactly ONE security breech. I had missed ONE machine on a telnet upgrade - late 1990s. I caught it within hours ot the daily security email. I keep them as tight as I can as I'm on a 10Gbps backbone - but I've never removed toor. But that's just my approach. Bill -- Bill Vermillion - bv @ wjv . com
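Three points in this thread reduce to one audit: Roger notes that toor ships with a disabled (*) password, Jason notes that anyone who wants toor must set it up themselves, and the thread itself started from root's shell pointing at a shell that was not installed. The check a defender wants is therefore: which UID-0 accounts exist, is each one's password locked, and does each one's login shell actually exist on disk. The following POSIX shell function is an added example, not code posted by anyone in the thread; it runs that check over a constructed master.passwd-format sample (the hashes, the gecos strings and the /nonexistent/bash path are made up for the demonstration).

```shell
#!/bin/sh
# Audit UID-0 accounts in a FreeBSD master.passwd-format file.
# Field layout: name:password:uid:gid:class:change:expire:gecos:home:shell
# Constructed sample, NOT a real system file. root's shell deliberately points
# at a path that does not exist, the situation this thread started from.
SAMPLE_PASSWD='root:$6$example$fakehash:0:0::0:0:Charlie &:/root:/nonexistent/bash
toor:*:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$example$fakehash2:1001:1001::0:0:Alice:/home/alice:/bin/sh'

# Print one line per UID-0 account: "<name> <password-state> <shell-state>".
# password-state: locked ("*", "*LOCKED*..." as pw(8) writes it, or a "!" prefix),
#                 EMPTY (no password at all), or set (a hash is present).
# shell-state:    shell-ok if the login shell exists and is executable,
#                 shell-missing otherwise (a root lockout waiting to happen).
audit_uid0_accounts() {
    printf '%s\n' "$1" |
    awk -F: '$3 == 0 { print $1 ":" $2 ":" $10 }' |
    while IFS=: read -r name pw shell; do
        case "$pw" in
            '*'|'*LOCKED*'*|'!'*) pwstate=locked ;;
            '')                   pwstate=EMPTY ;;
            *)                    pwstate=set ;;
        esac
        if [ -x "$shell" ]; then
            shstate=shell-ok
        else
            shstate=shell-missing
        fi
        printf '%s %s %s\n' "$name" "$pwstate" "$shstate"
    done
}

# Exit status 1 if any UID-0 account has an empty password or a missing
# shell, so the check can sit in a nightly job and fail loudly.
uid0_problems() {
    audit_uid0_accounts "$1" | grep -E ' (EMPTY|shell-missing)$' >/dev/null && return 1
    return 0
}

# Stand-alone run against the constructed sample.
audit_uid0_accounts "$SAMPLE_PASSWD"
```

On a real host run it as root with the actual file, for example `audit_uid0_accounts "$(cat /etc/master.passwd)"`. A "shell-missing" line for root is exactly the lockout the original poster hit, and it is what checking the shell path before changing root's shell (rather than after) avoids; a "set" line for toor means someone has enabled the second superuser login and should be able to say who and why.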
