From owner-freebsd-questions Wed Jan 23 8: 7: 4 2002 Delivered-To: freebsd-questions@freebsd.org Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id EC38537B400; Wed, 23 Jan 2002 08:07:01 -0800 (PST) Received: (from dan@localhost) by dan.emsphone.com (8.11.6/8.11.6) id g0NG70267338; Wed, 23 Jan 2002 10:07:00 -0600 (CST) (envelope-from dan) Date: Wed, 23 Jan 2002 10:06:59 -0600 From: Dan Nelson To: "Crist J . Clark" Cc: parv , Cliff Sarginson , f-q Subject: Re: is /usr/bin/passwd advisable as a login shell for ftp only users? Message-ID: <20020123160659.GM44873@dan.emsphone.com> References: <20020123035805.GA92721@moo.holy.cow> <20020123041706.GH1345@raggedclown.net> <20020123061342.GA92756@moo.holy.cow> <20020123040114.H83184@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020123040114.H83184@blossom.cjclark.org> User-Agent: Mutt/1.3.25i X-OS: FreeBSD 5.0-CURRENT X-message-flag: Outlook Error Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG In the last episode (Jan 23), Crist J . Clark said: > On Wed, Jan 23, 2002 at 01:13:42AM -0500, parv wrote: > > [snip] > > > i didn't think of the "suid" bit, but was well aware that passwd has > > access to the passwd database. > > Actually, that's not the big security risk. The primary risk is that > you give the world pretty much open access to try to brute force the > password with a dictionary attack and no alarms will go off. Well, no. :) You have to log in with the correct password before the system will launch $SHELL, and a non-root user can only change their own password (which they just entered in order to log in). -- Dan Nelson dnelson@allantgroup.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message