To: Kherry Zamore
Subject: Re: su change?
Message-ID: <986322192.3aca151091d2a@bluenugget.net>
Date: Tue, 03 Apr 2001 11:23:12 -0700 (PDT)
From: geniusj@bluenugget.net
Cc: freebsd-stable@freebsd.org, freebsd-security@freebsd.org
References: <005401c0bc63$7cb36650$0202a8c0@majorzoot>
In-Reply-To: <005401c0bc63$7cb36650$0202a8c0@majorzoot>

Quoting Kherry Zamore:

> Just recently my friend locked himself out of his machine by changing root's
> shell to a nonexisting file. The only way he could become root again was by
> rebooting the machine into single user mode and changing it from there. Now
> while I know that it's foolish to change root's shell in the first place, I
> don't think this is an acceptable punishment for those that do.
>

I disagree, anything we can do in su to prevent root access when possibly not
wanted is great with me. Besides, if your friend had perhaps used chfn instead
of vipw to change his root shell, it *should* have bitched at him if the shell
did not exist (I'll have to double check this.) But there are an infinite # of
conditionals that we could use in your friend's scenario. Perhaps it would be a
better idea if vipw would give a warning if you set the root's shell
incorrectly?

Cheers,
-JD-

P.S. DKNJ!
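The kind of warning suggested above for vipw, sketched as a stand-alone check that can be run after editing the password file and before logging out. This is an added example, not part of the original message and not FreeBSD's vipw code; the function name `check_uid0_shells` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report UID-0 accounts whose login shell is missing, not
# executable, or absent from the shells(5) list.
# Usage: check_uid0_shells PASSWD_FILE SHELLS_FILE
# Works for passwd(5) and master.passwd(5): UID is field 3, shell is last.
check_uid0_shells() {
    passwd_file=$1
    shells_file=$2
    status=0
    tab=$(printf '\t')
    # One "name<TAB>shell" line per UID-0 entry, comment lines skipped.
    entries=$(awk -F: '!/^#/ && $3 == 0 { print $1 "\t" $NF }' "$passwd_file")
    while IFS=$tab read -r name shell; do
        [ -n "$name" ] || continue
        # passwd(5): an empty shell field means /bin/sh.
        [ -n "$shell" ] || shell=/bin/sh
        if [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
            echo "WARNING: $name: shell '$shell' is missing or not executable"
            status=1
        elif ! grep -qxF -- "$shell" "$shells_file"; then
            echo "WARNING: $name: shell '$shell' is not listed in $shells_file"
            status=1
        fi
    done <<EOF
$entries
EOF
    return $status
}

# Constructed sample data: toor's shell points at a file that does not exist.
demo=$(mktemp -d)
printf '%s\n' /bin/sh > "$demo/shells"
cat > "$demo/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:/usr/local/bin/nosuchshell
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
EOF
check_uid0_shells "$demo/master.passwd" "$demo/shells" \
    || echo "Fix the entries above before closing this root session."
rm -rf "$demo"
```

On a live system the arguments would be `/etc/master.passwd` and `/etc/shells`, run as root while the editing session is still open.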