Date: Wed, 23 Jan 2002 05:17:06 +0100
From: Cliff Sarginson <cliff@raggedclown.net>
To: f-q <freebsd-questions@freebsd.org>
Subject: Re: is /usr/bin/passwd advisable as a login shell for ftp only users?
Message-ID: <20020123041706.GH1345@raggedclown.net>
In-Reply-To: <20020123035805.GA92721@moo.holy.cow>
References: <20020123035805.GA92721@moo.holy.cow>

On Tue, Jan 22, 2002 at 10:58:05PM -0500, parv wrote:
> in a private newsgroup in a discussion about shells, somebody
> posted that /usr/bin/passwd is also a potential shell, along w/ sh,
> csh, etc. in reply, i thought out loud that that was a blunder
> and noted that it's for changing password.
>

Any program can be a "shell". Just create a password file entry with
the program in the shell field. If you are lazy you could have a
login called "date", that just calls /bin/date as its shell. So you
type date at the prompt, and there it is :)

> in reply to which the other person said that /usr/bin/passwd is not
> a blunder for users who have ftp only account. and, when a ftp user
> connects to the server -- via ssh or telnet -- they can change their
> password. (i assume that after password change user is logged
> off.)
>

Yes, of course.

> something tells me that using passwd (as a login shell) is bad
> thing, but i cannot come up w/ technical reasons. it seems
> to be a security risk waiting to happen.
>
> is /usr/bin/passwd advisable as a login shell for ftp only users,
> for that matter, for anybody?
>

Well it is a pretty useless shell for an ordinary user...
A security risk, probably, most any suid root program is.
On the other hand if there is an unknown buffer overflow exploit in
passwd we better all pack our bags up and go home .. :)

-- 
Regards
Cliff

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
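
An added example, not part of the original message: a small audit that reads 7-field passwd entries and reports accounts whose "shell" is not in an approved-shells list or is a setuid program, the two properties discussed above. The names audit_shells and demo, and the temporary files demo builds, are assumptions made for this illustration; all sample entries are constructed.

```shell
#!/bin/sh
# Added example: flag accounts whose login "shell" is not an approved shell
# or is a setuid program. All sample data below is constructed.

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints "name:shell:reasons" for each account worth reviewing.
audit_shells() {
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        case $name in ''|\#*) continue ;; esac   # skip blanks and comments
        [ -n "$shell" ] || shell=/bin/sh          # empty field means /bin/sh
        reasons=
        # Not an exact line in the approved-shells list.
        grep -qxF -- "$shell" "$2" || reasons=not-listed
        # Setuid bit set: the "shell" runs with its owner's privileges.
        if [ -u "$shell" ]; then
            reasons=${reasons:+$reasons,}setuid
        fi
        if [ -n "$reasons" ]; then
            printf '%s:%s:%s\n' "$name" "$shell" "$reasons"
        fi
    done < "$1"
    return 0
}

# demo: build constructed passwd and shells files in a temp dir and audit them.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-ins for real programs, so the run is self-contained.
    for p in sh passwd date; do : > "$d/$p"; chmod 755 "$d/$p"; done
    chmod u+s "$d/passwd"                 # mimic a setuid password changer
    printf '%s\n' "# approved shells" "$d/sh" > "$d/shells"
    cat > "$d/passwd.sample" <<EOF
# constructed 7-field passwd entries
alice:*:1001:1001:Alice:/home/alice:$d/sh
ftpbob:*:1002:1002:FTP only:/home/ftpbob:$d/passwd
date:*:1003:1003:Prints the date:/nonexistent:$d/date
EOF
    audit_shells "$d/passwd.sample" "$d/shells" | sed "s|$d|<tmp>|"
    rm -rf "$d"
}

demo
```

On a real system the same function can be pointed at /etc/passwd and /etc/shells.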