From owner-freebsd-security Tue Apr 3 10:43:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bellona.host4u.net (bellona.host4u.net [216.71.64.52]) by hub.freebsd.org (Postfix) with ESMTP id 2F84837B71A for ; Tue, 3 Apr 2001 10:43:31 -0700 (PDT) (envelope-from ben@eproduct.org)
Received: from eproduct.org (calder.textcrime.com [206.97.79.187]) by bellona.host4u.net (8.8.5/8.8.5) with ESMTP id MAA06461; Tue, 3 Apr 2001 12:36:26 -0500
Message-ID: <3ACA0CA4.AA766BAA@eproduct.org>
Date: Tue, 03 Apr 2001 12:47:16 -0500
From: ben hubbard
X-Mailer: Mozilla 4.7 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Kherry Zamore , freebsd-security@FreeBSD.ORG
Subject: Re: su change?
References: <005401c0bc63$7cb36650$0202a8c0@majorzoot>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Idiot that I am, I did the exact same thing on a new box last week - and was
less than pleased with myself, and with su's resulting behavior.

So, thanks - methinks this is good.

Ben

Kherry Zamore wrote:

> Just recently my friend locked himself out of his machine by changing root's
> shell to a nonexisting file. The only way he could become root again was by
> rebooting the machine into single user mode and changing it from there. Now
> while I know that it's foolish to change root's shell in the first place, I
> don't think this is an acceptable punishment for those that do.
>
> According to su.c, if the user you are changing to does not have a valid
> shell, su complains and exits. A valid thing to do in today's security
> conscious society. Now, let's say you want to become root to fix this
> invalid shell problem.. su's nature is to complain and exit. The fix is
> rather simple, somewhere around line 310 in su.c is:
>
>     if (!chshell(pwd->pw_shell) && ruid)
>         errx(1, "permission denied (shell).");
>
> The only thing we need to prepend to this is a check to see if we are trying
> to su to root, which we should allow regardless of the shell specified:
>
>     if (pwd->pw_uid)
>         if (!chshell(pwd->pw_shell) && ruid)
>             errx(1, "permission denied (shell).");
>
> Patches are available here (tested on 4.1):
> http://www.dknj.org/sourcecode/patches/su/
>
> -= Kherry Zamore -=- (757) 683-7386 =-
> -= Resident Computer & Network Geek/God =-
> -= http://www.dknj.org =-
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
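The shell gate that the quoted post patches is small enough to model on its own. The following is an added example, not code from the thread or from FreeBSD's su.c: it re-implements the spirit of su's chshell() over a constructed in-memory copy of /etc/shells (so it runs without touching the real file) and then exposes the policy decision both as the original check and as the proposed root-exempt variant. The names SHELLS_FILE, chshell_from_buffer() and shell_check_passes() are hypothetical, chosen here for illustration; the real su(1) walks /etc/shells with getusershell() and performs the password and wheel-group checks separately, which this model leaves untouched.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for /etc/shells; nothing here is read from disk. */
static const char *const SHELLS_FILE =
    "# /etc/shells: valid login shells (constructed sample)\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "/usr/local/bin/bash\n";

/* Hypothetical equivalent of su's chshell(): 1 if `shell` is an exact,
   non-comment line of the shells list, else 0. */
int chshell_from_buffer(const char *shells, const char *shell)
{
    const char *p = shells;
    size_t want = strlen(shell);

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > 0 && p[0] != '#' && len == want && strncmp(p, shell, len) == 0)
            return 1;
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* The policy gate from the thread, in both forms.
   exempt_root == 0: the original check, deny when the target shell is not
                     listed and the caller is not already root (ruid != 0).
   exempt_root == 1: the proposed patch, skip the check entirely when the
                     target account is uid 0.
   Returns 1 if su would continue past this check, 0 where it would errx(). */
int shell_check_passes(unsigned target_uid, const char *target_shell,
                       unsigned ruid, int exempt_root)
{
    if (exempt_root && target_uid == 0)
        return 1;   /* proposed: becoming root never fails on the shell */
    if (!chshell_from_buffer(SHELLS_FILE, target_shell) && ruid != 0)
        return 0;   /* original: unprivileged caller, shell not in list */
    return 1;
}

int main(void)
{
    /* Constructed scenarios, including the lock-out described in the post. */
    struct { unsigned uid; const char *shell; unsigned ruid; const char *what; } cases[] = {
        { 0,    "/bin/csh",     1001, "root with a listed shell" },
        { 0,    "/nonexistent", 1001, "root's shell set to a missing file" },
        { 1002, "/nonexistent", 1001, "ordinary user with a missing shell" },
        { 0,    "/nonexistent", 0,    "caller is already root" },
    };
    size_t n = sizeof cases / sizeof cases[0];

    for (size_t i = 0; i < n; i++) {
        int before = shell_check_passes(cases[i].uid, cases[i].shell, cases[i].ruid, 0);
        int after  = shell_check_passes(cases[i].uid, cases[i].shell, cases[i].ruid, 1);
        printf("%-40s original=%s patched=%s\n", cases[i].what,
               before ? "allow" : "deny", after ? "allow" : "deny");
    }
    return 0;
}
```

The table the program prints makes the scope of the change visible: the only row that flips is a uid 0 target with an unlisted shell, which is exactly the recovery case the post describes. A non-root target with a bad shell is still refused, so accounts deliberately given a non-login shell keep that protection, and the password and wheel checks that follow in su.c are not touched by this gate at all.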