[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: noboby with a shell !!

On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> > Well yes it could :) As long as the user has no valid password it's not very
> > usefull. Take a look into the /etc/shadow and in the second field you'll find
> > ! or * indicating that this user has a invalid password. See man 5 shadow.
> 
> That's hardly true.  If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.
and if he can somehow create the non existing home dir.
or if he can somehow change the $HOME ... oh forgot when he has the power to
somehow change the $HOME he can change the $SHELL or if he can edit the
/etc/passwd he's root ... who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror - time
to take the internet offline. *hrhr*

Well at least you shouldn't run all your daemons under one uid. Create one for
the ftpd one for your httpd and so on.

SCNR
Sven
-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
Reply to: