Date:      Sun, 6 Feb 2005 02:16:57 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: Running top without a shell -- more questions
Message-ID:  <LOBBIFDAGNMAMLGJJCKNAEEGFAAA.tedm@toybox.placo.com>
In-Reply-To: <77133904.20050206024859@wanadoo.fr>



> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Anthony
> Atkielski
> Sent: Saturday, February 05, 2005 5:49 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: Running top without a shell -- more questions
>
>
> John writes:
>
> J> No, there are HUGE security concerns.  The big problem is that
> J> many things have shell escapes.  Top, as far as I know, does not.
>
> But it's shell escapes that generally create the security concerns, no?

No, it depends on the application program.  For example, ftp does not
have a shell escape.  But if you set up the ftp client program as a
shell prompt for a user account with no password, then anyone and their
dog could log into your system and send themselves a copy of your password
file.  (Granted, on FreeBSD it wouldn't have the crypted passwords, but
it would have all the userIDs, so the cracker doesn't have much work
to do.)

I've seen a few customers do baloney like this with commercial
UNIX programs.  Basically they set up the terminals so that instead
of the users having to give a userID and password to login, the user
just switches on the terminal and bang, the application program
comes up on the screen.  The usual piss-ant excuse is that the
users whine about having to remember a username and password.  I
sometimes ask them if they have trained their night janitors and
cleaning people on the application or if they just let them learn
by themselves.

Some application programs allow you to issue commands to the UNIX
system even though they might not give you a shell prompt, so you
can see where someone could have some fun.

Ted
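
An audit for the setup described in this message, added here as an example and not part of the original e-mail: it lists every account whose login program is an application rather than a shell named in shells(5), and marks the ones with an empty password field. The function name `audit_login_shells`, the sample accounts and the choice to skip `nologin` entries are assumptions made for the illustration.

```shell
#!/bin/sh
# audit_login_shells PASSWD_FILE SHELLS_FILE   (hypothetical helper name)
# Works on passwd(5) (7 fields) and master.passwd(5) (10 fields): in both,
# field 2 is the password and the last field is the login program.
# Prints "user:program:EMPTY-PASSWORD" or "user:program:password-field-set"
# for each account whose login program is not listed in SHELLS_FILE.
audit_login_shells() {
    awk -F: '
        # First file: the shells(5) list; drop comments and blank lines.
        FNR == NR {
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") ok[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }                    # comments, malformed entries
        {
            prog = ($NF == "") ? "/bin/sh" : $NF   # empty field means /bin/sh
            # Real shells and nologin-style entries are not what we are after.
            if ((prog in ok) || prog ~ /\/nologin$/) next
            state = ($2 == "") ? "EMPTY-PASSWORD" : "password-field-set"
            printf "%s:%s:%s\n", $1, prog, state
        }
    ' "$2" "$1"
}

# Constructed sample data in master.passwd(5) layout; none of it is from the post.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# list of shells' /bin/sh /bin/csh > "$tmp/shells"
    cat > "$tmp/master.passwd" <<'EOF'
root:$2a$04$constructed:0:0::0:0:Charlie &:/root:/bin/csh
kiosk::1001:1001::0:0:Terminal user:/home/kiosk:/usr/bin/ftp
stats:*:1002:1002::0:0:Status display:/home/stats:/usr/bin/top
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
    audit_login_shells "$tmp/master.passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo
```

On FreeBSD, run it as root against /etc/master.passwd and /etc/shells; /etc/passwd has the password field blanked out, so the EMPTY-PASSWORD marker is only meaningful for master.passwd.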


