Date: Thu, 18 Jul 1996 05:16:54 -0700 (PDT)
From: Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
To: taob@io.org (Brian Tao)
Cc: freebsd-security@freebsd.org
Subject: Re: suidness of /usr/bin/login
Message-ID: <199607181216.FAA00973@kdat.calpoly.edu>
In-Reply-To: <Pine.NEB.3.92.960716003624.8904L-100000@zap.io.org> from "Brian Tao" at Jul 16, 96 00:37:14 am

> On 16 Jul 1996, Michael Graff wrote:
> >
> > you can always use ``login foo'' and that is supposed to let someone else
> > log in, kinda in mid session and all.
>
> Hmmm... that's hardly ever done, at least around here.  "exec
> telnet localhost" would serve the same purpose, I guess.

I run all my systems with login mode 500.  I also keep su group wheel,
but not world executable.  My justification for this is that there should
only be one legitimate way into the system (telnet/login), making it easier
to monitor that one door.  I see no reason to leave shell users with any
method of switching to another account without reauthenticating themselves.
Please note that this policy is used for my ISP's, and yours may vary
according to your application.

--
Nate Lawson        "There are a thousand hacking at the branches of
CPE Senior          evil to one who is striking at the root."
CSL Admin              -- Henry David Thoreau, 'Walden', 1854
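
Added example, not part of the original message: a POSIX shell audit for the policy described above (login at mode 500; su group wheel and not world executable). The function names and the default path /usr/bin/su are assumptions made for illustration; /usr/bin/login and the wheel group come from the thread.

```shell
#!/bin/sh
# Added example: audit login and su against the policy in the message above.
# Function names and default paths are assumptions; adjust for your system.

# has_perm FILE BITS: true if every bit in octal BITS is set on FILE.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# check_login FILE: "mode 500" means no setuid/setgid and no access
# for group or other, so only the owner (root) can run it.
check_login() {
    f=$1; rc=0
    [ -e "$f" ] || { echo "MISSING $f"; return 2; }
    for bit in 4000 2000 040 020 010 004 002 001; do
        has_perm "$f" "$bit" && { echo "FAIL $f: mode bit $bit is set"; rc=1; }
    done
    return "$rc"
}

# check_su FILE GROUP: group-owned by GROUP and not world executable.
check_su() {
    f=$1; want=$2; rc=0
    [ -e "$f" ] || { echo "MISSING $f"; return 2; }
    have=$(ls -ld "$f" | awk '{print $4}')
    [ "$have" = "$want" ] || { echo "FAIL $f: group $have, want $want"; rc=1; }
    has_perm "$f" 001 && { echo "FAIL $f: world executable"; rc=1; }
    return "$rc"
}

# audit_entry_points [LOGIN] [SU] [GROUP]: run both checks, report status.
audit_entry_points() {
    status=0
    check_login "${1:-/usr/bin/login}" || status=1
    check_su "${2:-/usr/bin/su}" "${3:-wheel}" || status=1
    [ "$status" -eq 0 ] && echo "OK: login and su match the policy"
    return "$status"
}
```

Source the file and call `audit_entry_points`; a non-zero return means at least one of the two binaries deviates from the policy.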