security questions
i just installed a host security checker, tiger (TARA?) which is more or
less along the lines of what i remember from dan farmer's COPS (a loooong
time ago!)
it had a number of complaints about accounts which were disabled but had
valid shells. like this one:
www-data:x:33:33:www-data:/var/www:/bin/sh
why, exactly, is this a security risk? is tiger expecting something along
the lines of:
www-data:x:33:33:www-data:/var/www:
what is the hangup here?
also, i noticed that some accounts which are disabled are given a shell of
/bin/false:
ftp:x:100:65534::/home/ftp:/bin/false
tiger seemed to hate this too. i tried playing around with /bin/false.
can't seem to figure out what it is. whatever it is, it's tiny. only 4 kb
long.
thanks!
pete
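The kind of check described in the post (disabled accounts that still have a usable login shell), as an added example that is not part of the original message and is not tiger's own code. The passwd/shadow lines and the SHELLS set are constructed, and treating a shell as "valid" only when it appears in that set is an assumption; tiger's rules may differ, since the post reports that it also flagged /bin/false.

```python
# Constructed sample data, not taken from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
ftp:x:100:65534::/home/ftp:/bin/false
backup:x:34:34:backup:/var/backups:
pete:x:1000:1000:pete:/home/pete:/bin/bash
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
ftp:!:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
pete:$6$constructed$hash:19000:0:99999:7:::
"""
SHELLS = {"/bin/sh", "/bin/bash"}  # assumed contents of /etc/shells


def locked_accounts(shadow_text):
    """Names whose shadow password field starts with '!' or '*' (no usable password)."""
    locked = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1][:1] in ("!", "*"):
            locked.add(fields[0])
    return locked


def audit(passwd_text, shadow_text, shells):
    """Return (account, effective_shell) for locked accounts with a listed shell."""
    locked = locked_accounts(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank, comment or malformed lines
        name, shell = fields[0], fields[6]
        # passwd(5): an empty shell field defaults to /bin/sh, so leaving the
        # field blank does not take the shell away.
        effective = shell or "/bin/sh"
        if name in locked and effective in shells:
            findings.append((name, effective))
    return findings


if __name__ == "__main__":
    for name, shell in audit(PASSWD, SHADOW, SHELLS):
        print(f"{name}: password disabled but login shell is {shell}")
```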