From owner-freebsd-questions@FreeBSD.ORG Sun Feb 6 10:16:58 2005
From: "Ted Mittelstaedt"
Date: Sun, 6 Feb 2005 02:16:57 -0800
In-Reply-To: <77133904.20050206024859@wanadoo.fr>
Subject: RE: Running top without a shell -- more questions
List-Id: User questions

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Anthony
> Atkielski
> Sent: Saturday, February 05, 2005 5:49 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: Running top without a shell -- more questions
>
>
> John writes:
>
> J> No, there are HUGE security concerns. The big problem is that
> J> many things have shell escapes. Top, as far as I know, does not.
>
> But it's shell escapes that generally create the security concerns, no?

No, it depends on the application program.
For example, ftp does not have a shell escape. But if you set up the ftp client program as a shell prompt for a user account with no password, then anyone and their dog could log into your system and send themselves a copy of your password file. (Granted, on FreeBSD it wouldn't have the crypted passwords, but it would have all the userIDs, so the cracker doesn't have much work to do.)

I've seen a few customers do baloney like this with commercial UNIX programs. Basically they set up the terminals so that instead of the users having to give a userID and password to login, the user just switches on the terminal and bang, the application program comes up on the screen. The usual piss-ant excuse is that the users whine about having to remember a username and password. I sometimes ask them if they have trained their night janitors and cleaning people on the application or if they just let them learn by themselves.

Some application programs allow you to issue commands to the UNIX system even though they might not give you a shell prompt, so you can see where someone could have some fun.

Ted
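An audit for the configuration described in the message above, as an added example that is not part of the original post or of FreeBSD itself: it flags accounts with an empty password field and accounts whose login shell is an application rather than a shell listed in /etc/shells. The sample records, the account names and the `orderapp` path are constructed, and the `NO_LOGIN` set is an assumption about which shells deny login on the host.

```python
# Added example: flag accounts whose login "shell" is an application program
# and accounts that can log in with no password. Assumed record layout:
# FreeBSD master.passwd (10 fields) or passwd (7); password is field 2, shell is last.
NO_LOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample data; account names and the orderapp path are hypothetical.
SAMPLE_MASTER_PASSWD = """\
root:$6$constructed:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:System processes:/root:/usr/sbin/nologin
alice:$6$constructed:1001:1001::0:0:Alice:/home/alice:/bin/sh
kiosk::1002:1002::0:0:Order entry terminal:/home/kiosk:/usr/local/bin/orderapp
ftpuser::1003:1003::0:0:File transfer:/home/ftpuser:/usr/bin/ftp
stats:$6$constructed:1004:1004::0:0:Monitoring:/home/stats:/usr/bin/top
"""
SAMPLE_SHELLS = "# constructed /etc/shells\n/bin/sh\n/bin/csh\n/bin/tcsh\n"


def parse_shells(text):
    """Return the set of shells listed in /etc/shells-style text."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {line for line in lines if line}


def audit(passwd_text, shells_text):
    """Return {account: [findings]} for accounts that need review."""
    shells = parse_shells(shells_text)
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            report[fields[0]] = ["malformed record"]
            continue
        name, password = fields[0], fields[1]
        shell = fields[-1] or "/bin/sh"  # an empty shell field means /bin/sh
        findings = []
        if password == "":
            findings.append("empty password")
        if shell not in shells and shell not in NO_LOGIN:
            findings.append("login shell not in /etc/shells: " + shell)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_MASTER_PASSWD, SAMPLE_SHELLS).items():
        print(account, "->", "; ".join(findings))
```

The empty-password check is only meaningful against master.passwd, because the world-readable passwd file carries `*` in the password field for every account.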