Date: Wed, 23 Jan 2002 10:06:59 -0600 From: Dan Nelson <dnelson@allantgroup.com> To: "Crist J . Clark" <cjc@FreeBSD.ORG> Cc: parv <parv_@yahoo.com>, Cliff Sarginson <cliff@raggedclown.net>, f-q <freebsd-questions@FreeBSD.ORG> Subject: Re: is /usr/bin/passwd advisable as a login shell for ftp only users? Message-ID: <20020123160659.GM44873@dan.emsphone.com> In-Reply-To: <20020123040114.H83184@blossom.cjclark.org> References: <20020123035805.GA92721@moo.holy.cow> <20020123041706.GH1345@raggedclown.net> <20020123061342.GA92756@moo.holy.cow> <20020123040114.H83184@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In the last episode (Jan 23), Crist J . Clark said: > On Wed, Jan 23, 2002 at 01:13:42AM -0500, parv wrote: > > [snip] > > > i didn't think of the "suid" bit, but was well aware that passwd has > > access to the passwd database. > > Actually, that's not the big security risk. The primary risk is that > you give the world pretty much open access to try to brute force the > password with a dictionary attack and no alarms will go off. Well, no. :) You have to log in with the correct password before the system will launch $SHELL, and a non-root user can only change their own password (which they just entered in order to log in). -- Dan Nelson dnelson@allantgroup.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020123160659.GM44873>