Date:      Wed, 2 Apr 1997 15:52:02 -0600 (CST)
From:      "Lee Crites (AEI)" <leec@adam.adonai.net>
To:        Wes Peters - Softweyr LLC <softweyr@xmission.com>
Cc:        questions@freebsd.org
Subject:   Re: Users with no shells
Message-ID:  <Pine.BSF.3.95.970402154120.26495A-100000@adam.adonai.net>
In-Reply-To: <199704022105.OAA24533@xmission.xmission.com>

On Wed, 2 Apr 1997, Wes Peters - Softweyr LLC wrote:
=>One of the general rules of security is to tell the user who is
=>potentially abusing your system *absolutely nothing.*  This is why the
=>UNIX login process doesn't say "Invalid username, bonehead!" or "You
=>blew your password, you meathead!"  If you tell the attacker that this
=>account exists but isn't allowed to login, he may have gained
=>information useful to him.

Good point...

=>This allows a user who can ftp put but not login to put a .nologin.script
=>file that starts a shell, thus granting him a login.

I am sure there are holes in this.  You might have found one big one.

I just tried to ftp to the user I was testing the scripts with, and as
soon as I entered the user name, I got back: 
    530 User xxxxxx access denied.
    Login failed.
    Remote system type is UNIX.

Would a compiled program be more secure than scripts?  I'm sort of
leaning in that direction because you can't 'read' an executable like
you can a script.

=>logger(1).

Right there in front of my face all along.  I'd even printed this man
page out.  I've got lots of programming and installation experience, but
am still trying to get a firm handle on the whole s.a. gig...

=>You might want to read a bit about securing your system before running
=>off down this path.  I recommend Rik Farrow's book, as well as the
=>Simpson and Garfinkle book, as a minimum.  Securing your system is

How about the titles?  I've got several sysadmin type books and none of
them are by any of the above.

Lee
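The hole Wes describes above is a writable login hook: if the program an account runs instead of a shell (or any file it pulls in) sits where the account owner can write, any file-drop path such as an ftp put becomes a real login. The 530 Lee saw is the usual ftpd behaviour of refusing accounts whose shell is not listed in /etc/shells. The audit below is an added example, not code from this thread or from FreeBSD: it walks constructed passwd(5) lines, treats any account whose shell is not in a constructed /etc/shells set as a restricted account, and flags a login program that lives inside the home directory, is not root-owned, or is group/world writable. The file names, uids and modes are all made up for the example.

```python
"""Audit restricted ("no shell") accounts for a writable login program.

Added example; the paths, users and file modes below are constructed and
stand in for /etc/passwd, /etc/shells and os.stat() results.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    """Stand-in for the two os.stat() fields the audit needs."""
    owner_uid: int
    mode: int  # permission bits only, e.g. 0o755


# Constructed stand-in for /etc/shells: the real login shells on the host.
ETC_SHELLS = {"/bin/sh", "/bin/csh"}

# Constructed passwd(5) lines (name:pw:uid:gid:gecos:home:shell).
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
mailonly:*:1002:1002:Mail only:/home/mailonly:/usr/local/sbin/nologin.sh
loose:*:1003:1003:Loose script:/home/loose:/usr/local/sbin/nologin-loose.sh
homehook:*:1004:1004:Home hook:/home/homehook:/home/homehook/.nologin.script
"""

# Constructed file metadata for the login programs named above.
FILES = {
    "/usr/local/sbin/nologin.sh": FileInfo(owner_uid=0, mode=0o755),
    "/usr/local/sbin/nologin-loose.sh": FileInfo(owner_uid=0, mode=0o777),
    "/home/homehook/.nologin.script": FileInfo(owner_uid=1004, mode=0o755),
}


def parse_passwd(text):
    """Parse passwd(5) text into dicts with name, uid, home and shell."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than guess
        name, _pw, uid, _gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return users


def audit_account(user, files, real_shells):
    """Return findings for one account; empty list means nothing to flag."""
    findings = []
    shell = user["shell"]
    if shell in real_shells:
        return findings  # ordinary login account, outside this audit
    info = files.get(shell)
    if info is None:
        findings.append(f"{shell}: does not exist (check the passwd entry)")
        return findings
    home = user["home"].rstrip("/") + "/"
    if shell.startswith(home):
        findings.append(f"{shell}: lives inside {user['home']}, "
                        "which the owner may be able to write (e.g. via ftp put)")
    if info.owner_uid != 0:
        findings.append(f"{shell}: owned by uid {info.owner_uid}, should be root")
    if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{shell}: group/world writable (mode {info.mode:o})")
    return findings


def audit_passwd(text, files, real_shells):
    """Map account name -> findings, for accounts that have any."""
    report = {}
    for user in parse_passwd(text):
        findings = audit_account(user, files, real_shells)
        if findings:
            report[user["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_passwd(PASSWD, FILES, ETC_SHELLS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

On a live host the same checks run by reading /etc/passwd and /etc/shells and building FileInfo from os.stat() of each shell path; the constructed dictionaries are only there so the example runs offline. The expected result for the sample data is that mailonly passes, loose is flagged once for its mode, and homehook is flagged twice, for living under its own home and for being owned by that user.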