Date: Tue, 03 Apr 2001 12:47:16 -0500
From: ben hubbard <ben@eproduct.org>
To: Kherry Zamore <dknj@dknj.org>, freebsd-security@FreeBSD.ORG
Subject: Re: su change?
Message-ID: <3ACA0CA4.AA766BAA@eproduct.org>
References: <005401c0bc63$7cb36650$0202a8c0@majorzoot>

Idiot that I am, I did the exact same thing on a new box last week - and
was less than pleased with myself, and with su's resulting behavior.

So, thanks - methinks this is good.

Ben

Kherry Zamore wrote:

> Just recently my friend locked himself out of his machine by changing root's
> shell to a nonexisting file. The only way he could become root again was by
> rebooting the machine into single user mode and changing it from there. Now
> while I know that it's foolish to change root's shell in the first place, I
> don't think this is an acceptable punishment for those that do.
>
> According to su.c, if the user you are changing to does not have a valid
> shell, su complains and exits. A valid thing to do in today's security
> conscious society. Now, let's say you want to become root to fix this
> invalid shell problem.. su's nature is to complain and exit. The fix is
> rather simple, somewhere around line 310 in su.c is:
>
>     if (!chshell(pwd->pw_shell) && ruid)
>             errx(1, "permission denied (shell).");
>
> The only thing we need to prepend to this is a check to see if we are trying
> to su to root, which we should allow regardless of the shell specified:
>
>     if (pwd->pw_uid)
>             if (!chshell(pwd->pw_shell) && ruid)
>                     errx(1, "permission denied (shell).");
>
> Patches are available here (tested on 4.1):
> http://www.dknj.org/sourcecode/patches/su/
>
> -= Kherry Zamore -=- (757) 683-7386 =-
> -= Resident Computer & Network Geek/God =-
> -= http://www.dknj.org =-
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ACA0CA4.AA766BAA>
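
The shell check discussed in the quoted message, modelled as an added example (not code from su.c or from either poster) to show which su attempts change outcome under the proposed guard. `shell_listed`, `listed_shells`, the function names and the uids are constructed stand-ins, and only this one check is modelled, not su's authentication.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the list of shells su treats as valid. */
static const char *const listed_shells[] = { "/bin/sh", "/bin/csh", NULL };

/* Hypothetical helper playing the role of chshell() in the quoted check. */
static bool shell_listed(const char *sh)
{
    for (size_t i = 0; sh != NULL && listed_shells[i] != NULL; i++)
        if (strcmp(sh, listed_shells[i]) == 0)
            return true;
    return false;
}

/* Check as quoted: an invalid target shell denies any non-root caller. */
static bool su_allows_original(uid_t ruid, uid_t target_uid, const char *shell)
{
    (void)target_uid; /* the original check ignores who the target is */
    return !(!shell_listed(shell) && ruid);
}

/* Check as proposed: skipped entirely when the target account has uid 0. */
static bool su_allows_proposed(uid_t ruid, uid_t target_uid, const char *shell)
{
    if (target_uid)
        if (!shell_listed(shell) && ruid)
            return false; /* errx(1, "permission denied (shell).") */
    return true;
}

int main(void)
{
    /* Constructed cases: caller uid, target uid, target's pw_shell. */
    const struct { uid_t ruid, target; const char *shell; } c[] = {
        { 1001, 0,    "/bin/nonexistent" }, /* the lockout in the message */
        { 1001, 1002, "/bin/nonexistent" }, /* non-root target, bad shell */
        { 0,    1002, "/bin/nonexistent" }, /* caller is already root */
        { 1001, 0,    "/bin/sh" },          /* ordinary su to root */
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("ruid=%u target=%u shell=%-17s original=%s proposed=%s\n",
               (unsigned)c[i].ruid, (unsigned)c[i].target, c[i].shell,
               su_allows_original(c[i].ruid, c[i].target, c[i].shell) ? "allow" : "deny",
               su_allows_proposed(c[i].ruid, c[i].target, c[i].shell) ? "allow" : "deny");
    return 0;
}
```

Only the first case changes outcome; because the guard tests `pw_uid`, it applies to every account whose uid is 0.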