Date: Sun, 6 Feb 2005 02:16:57 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: <freebsd-questions@freebsd.org>
Subject: RE: Running top without a shell -- more questions
Message-ID: <LOBBIFDAGNMAMLGJJCKNAEEGFAAA.tedm@toybox.placo.com>
In-Reply-To: <77133904.20050206024859@wanadoo.fr>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Anthony
> Atkielski
> Sent: Saturday, February 05, 2005 5:49 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: Running top without a shell -- more questions
>
>
> John writes:
>
> J> No, there are HUGE security concerns. The big problem is that
> J> many things have shell escapes. Top, as far as I know, does not.
>
> But it's shell escapes that generally create the security concerns, no?

No, it depends on the application program.

For example, ftp does not have a shell escape. But if you set up the ftp client program as a shell prompt for a user account with no password, then anyone and their dog could log into your system and send themselves a copy of your password file. (Granted, on FreeBSD it wouldn't have the crypted passwords, but it would have all the userIDs so the cracker doesn't have much work to do.)

I've seen a few customers do baloney like this with commercial UNIX programs. Basically they set up the terminals so that instead of the users having to give a userID and password to login, the user just switches on the terminal and bang, the application program comes up on the screen. The usual piss-ant excuse is that the users whine about having to remember a username and password. I sometimes ask them if they have trained their night janitors and cleaning people on the application or if they just let them learn by themselves.

Some application programs allow you to issue commands to the UNIX system even though they might not give you a shell prompt, so you can see where someone could have some fun.

Ted
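
An added example, not part of the message above or of the list archive: one way to audit for the setup described, accounts that log in with no password and land in an application instead of an approved shell. It assumes the FreeBSD master.passwd(5) field layout; the sample accounts, the stand-in shells list and the finding labels are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
sample_master_passwd() {
cat <<'EOF'
root:$2b$04$CONSTRUCTEDHASH:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:System processes:/root:/usr/sbin/nologin
alice:$2b$04$CONSTRUCTEDHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
monitor::1002:1002::0:0:Kiosk top:/nonexistent:/usr/bin/top
ftpkiosk::1003:1003::0:0:Kiosk ftp:/nonexistent:/usr/bin/ftp
pos:$2b$04$CONSTRUCTEDHASH:1004:1004::0:0:POS app:/home/pos:/usr/local/bin/posapp
EOF
}

# Constructed stand-in for /etc/shells (approved interactive shells).
sample_shells() {
    printf '%s\n' '# List of acceptable shells' /bin/sh /bin/csh /bin/tcsh
}

# audit_login_shells PASSWD_FILE SHELLS_FILE
# Prints "name<TAB>shell<TAB>finding" for each risky account.
audit_login_shells() {
    awk -F: '
        FILENAME == ARGV[1] {            # first file: approved shells
            if ($0 !~ /^[ \t]*#/ && $0 !~ /^[ \t]*$/) ok[$0] = 1
            next
        }
        /^#/ || NF < 10 { next }         # skip comments and short lines
        {
            shell = ($10 == "") ? "/bin/sh" : $10   # empty field means /bin/sh
            nopw = ($2 == "")                        # login needs no password
            app = !(shell in ok) && shell !~ /\/nologin$/
            if (nopw && app)  print $1 "\t" shell "\tno-password+app-as-shell"
            else if (nopw)    print $1 "\t" shell "\tno-password"
            else if (app)     print $1 "\t" shell "\tapp-as-shell"
        }
    ' "$2" "$1"
}

# Run the audit over the constructed samples.
demo_audit() {
    d=$(mktemp -d) || return 1
    sample_master_passwd > "$d/master.passwd"
    sample_shells > "$d/shells"
    audit_login_shells "$d/master.passwd" "$d/shells"
    rm -rf "$d"
}

demo_audit
```

On a real host the first argument would be /etc/master.passwd (readable by root only) and the second /etc/shells; an account flagged app-as-shell still warrants a look at whether the program can run commands or read files on the user's behalf.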