Date: Wed, 23 Jan 2002 05:17:06 +0100
From: Cliff Sarginson
To: f-q
Subject: Re: is /usr/bin/passwd advisable as a login shell for ftp only users?
Message-ID: <20020123041706.GH1345@raggedclown.net>
In-Reply-To: <20020123035805.GA92721@moo.holy.cow>

On Tue, Jan 22, 2002 at 10:58:05PM -0500, parv wrote:
> in a private newsgroup in a discussion about shells, somebody
> posted that /usr/bin/passwd is also a potential shell, along w/ sh,
> csh, etc. in reply, i thought out loud that that was a blunder
> and noted that it's for changing password.
>
Any program can be a "shell". Just create a password file
entry with the program in the shell field. If you are lazy
you could have a login called "date", that just calls /bin/date
as its shell. So you type date at the prompt, and there it is :)

> in reply to which the other person said that /usr/bin/passwd is not
> a blunder for users who have ftp only account. and, when a ftp user
> connects to the server -- via ssh or telnet -- they can change their
> password. (i assume that after password change user is logged
> off.)
>
Yes, of course.

> something tells me that using passwd (as a login shell) is bad
> thing, but i cannot come up w/ technical reasons. it seems
> to be a security risk waiting to happen.
>
> is /usr/bin/passwd advisable as a login shell for ftp only users,
> for that matter, for anybody?
>
Well it is a pretty useless shell for an ordinary user...
A security risk, probably, most any suid root program is.
On the other hand if there is an unknown buffer overflow exploit in
passwd we better all pack our bags up and go home .. :)

-- 
Regards
Cliff
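
Added example, not part of the original message: since any program can sit in the shell field, an administrator may want to list accounts whose login shell is not an approved one and see whether that program is setuid. The sample passwd and shells contents are constructed, and the function names are hypothetical.

```python
import os
import stat

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
parv:*:1001:1001:Shell user:/home/parv:/bin/sh
ftpuser:*:1002:1002:FTP only:/home/ftpuser:/usr/bin/passwd
date:*:1003:1003:Lazy login:/nonexistent:/bin/date
"""
SAMPLE_SHELLS = "# constructed /etc/shells\n/bin/sh\n/bin/csh\n"


def parse_passwd(text):
    """Yield (login, shell) pairs from passwd(5)-format text."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 7:
            continue
        # Shell is the last field; an empty field means the default /bin/sh.
        yield fields[0], fields[-1] or "/bin/sh"


def parse_shells(text):
    """Return the set of shell paths listed in shells(5)-format text."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {entry for entry in entries if entry}


def is_setuid(path):
    """True/False for the setuid bit on path, None if it cannot be stat'ed."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except OSError:
        return None


def audit(passwd_text, shells_text, setuid_check=is_setuid):
    """List (login, shell, setuid) for accounts whose shell is not approved."""
    approved = parse_shells(shells_text)
    return [(login, shell, setuid_check(shell))
            for login, shell in parse_passwd(passwd_text)
            if shell not in approved]


if __name__ == "__main__":
    for login, shell, setuid in audit(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f"{login}: shell {shell} not in approved list (setuid={setuid})")
```

On a live system, pass the contents of /etc/passwd and /etc/shells instead of the sample strings.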