Gentoo Archives: gentoo-security

From: Mark Guertin <guertin@××××××××××××××.com>
To: gentoo-security@l.g.o
Cc: Mike Frysinger <vapier@g.o>
Subject: Re: [gentoo-security] SOLUTION: Prevent users to login directly
Date: Wed, 28 Jul 2004 19:32:05
Message-Id: A62B1A1C-E0CC-11D8-A83D-000A95DC1AB2@brucemaudesign.com
In Reply to: Re: [gentoo-security] SOLUTION: Prevent users to login directly by Mike Frysinger
On 28-Jul-04, at 2:47 PM, Mike Frysinger wrote:

> On Wednesday 28 July 2004 02:33 pm, Klaus Wagner wrote:
>>> # /emerge/.profile
>>> if [ "`echo " $(who) "|grep "^\ $(whoami)\ "`" != "" ]; then
>>> echo "Only login via 'su' permitted." >&2
>>> exit 1
>>> fi
>> keep in mind that if emerge user has write access to its homedir
>> (which is quite normal and needed by many applications) the emerge
>> user could easily change (replace) its own .profile even if it has no
>> write permissions to it.
>
> yep, and you could, in theory, CTRL+C the check couldn't you ?
> probably only happen on a very heavily loaded box ... but that's not
> something I'd bet security on ;)
>

Yes, and that script also assumes that the users' shell reads (and
honors) that .profile file, can execute the binaries in question, and
can also subshell to perform that check. In some cases restricted
shells might not be able to do this, and therefore the if would return
false, and they would have access regardless ;)

Mark


--
gentoo-security@g.o mailing list
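An added example, not code from this thread: it replays the logic of the quoted .profile check against constructed `who` output so the fail-open behaviour Mark describes (tools missing or not runnable means the `if` is false and the login is allowed) can be seen without a real login, beside a fail-closed variant that only removes that silent-allow path. The function names, `WHO_SAMPLE` and the bogus grep path are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: drives a copy of the quoted
# .profile check with constructed input.  Nothing here reads the live utmp.

# Constructed `who` output; the account under test is on the first line,
# which is the only line the quoted " $(who) " pattern can ever match.
WHO_SAMPLE='emerge   tty2         2004-07-28 19:30
mark     tty1         2004-07-28 19:00'

# Same logic as the quoted check, as a function.
# $1 = account name, $2 = `who` text, $3 = grep binary to use
# (a bogus path simulates grep being absent or not executable).
# Returns 0 when the login would be ALLOWED, 1 when it would be DENIED.
quoted_check() {
    match=$(echo " $2 " | "$3" "^ $1 " 2>/dev/null)
    if [ "$match" != "" ]; then
        return 1            # account found in `who`: deny
    fi
    return 0                # anything else, including tool failure: allow
}

# Fail-closed rewrite: allow only when grep actually ran and reported
# "no match" (exit 1).  A match (exit 0) or any failure (2, 127, ...) denies.
# It still lives in .profile, so it is just as bypassable as the thread says;
# it only removes the silent-allow path.
failclosed_check() {
    echo " $2 " | "$3" "^ $1 " >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 1 ] && return 0   # grep ran and found nothing: allow
    return 1                      # match (0) or tool failure (2, 127): deny
}

# Demo run: with a working grep both checks deny the logged-in account;
# with an unusable grep the quoted check allows it, the fail-closed one does not.
for tool in grep /nonexistent/grep; do
    quoted_check     emerge "$WHO_SAMPLE" "$tool" && q=allowed || q=denied
    failclosed_check emerge "$WHO_SAMPLE" "$tool" && f=allowed || f=denied
    echo "grep=$tool  quoted_check=$q  failclosed_check=$f"
done
```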