On 28-Jul-04, at 2:47 PM, Mike Frysinger wrote:

> On Wednesday 28 July 2004 02:33 pm, Klaus Wagner wrote:
>>> # /emerge/.profile
>>> if [ "`echo " $(who) "|grep "^\ $(whoami)\ "`" != "" ]; then
>>>     echo "Only login via 'su' permitted." >&2
>>>     exit 1
>>> fi
9 |
>> keep in mind that if emerge user has write access to it's homedir |
10 |
>> (which is quite normal and needed by much applikations) the emerge |
11 |
>> user could easily change (replace) it's own .profile even if it has no |
12 |
>> write permissions to it. |
13 |
> |
14 |
> yep, and you could, in theory, CTRL+C the check couldnt you ? |
15 |
> probably only happen on a very heavily loaded box ... but that's not |
16 |
> something |
17 |
> i'd bet security on ;) |
18 |
> |
19 |
|
Yes, and that script also assumes that the users' shell reads (and
honors) that .profile file, can execute the binaries in question, and
can also subshell to perform that check. In some cases restricted
shells might not be able to do this, and therefore the if would return
false, and they would have access regardless ;)
|
Mark
|
--
gentoo-security@g.o mailing list
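
An added example, not part of the original thread: Mark's point about shells that cannot execute the binaries, shown by running the same test logic against a PATH directory with no binaries in it and comparing it with a variant that refuses when its helpers are missing. The function names, the stub `who`/`whoami` scripts and the sample `who` line are constructed; the variant covers only the missing-binary case, not a replaced .profile or an interrupted check.

```shell
#!/bin/sh
# Added illustration; function names and stub directories are constructed.
# Each check returns 0 when the login would proceed and 1 when it is refused.
# $1 is the only directory the shell may run binaries from.

# Same logic as the quoted .profile test: refuse when `who` lists this user.
fail_open_check() (
    PATH=$1
    if [ "$(who | grep "^$(whoami) ")" != "" ]; then exit 1; fi
    exit 0      # empty output, for whatever reason, counts as "not listed"
) 2>/dev/null

# Variant that refuses whenever it cannot actually perform the lookup.
fail_closed_check() (
    PATH=$1
    for tool in who whoami grep; do
        command -v "$tool" >/dev/null 2>&1 || exit 1    # helper missing
    done
    me=$(whoami) && [ -n "$me" ] || exit 1
    sessions=$(who) || exit 1
    rc=0
    printf '%s\n' "$sessions" | grep -q "^$me " || rc=$?
    [ "$rc" -eq 1 ]     # only "grep ran and matched nothing" lets the login on
) 2>/dev/null

# Constructed environment: stub `who`/`whoami` scripts plus the real grep.
make_stub_path() {      # $1 = directory, $2 = user name, $3 = `who` line
    mkdir -p "$1"
    printf '#!/bin/sh\necho "%s"\n' "$2" > "$1/whoami"
    printf '#!/bin/sh\necho "%s"\n' "$3" > "$1/who"
    chmod +x "$1/who" "$1/whoami"
    ln -sf "$(command -v grep)" "$1/grep"
}

demo() {
    d=$(mktemp -d) && mkdir "$d/none"       # "none" holds no binaries at all
    make_stub_path "$d/direct" emerge "emerge   pts/0   2004-07-28 14:33"
    for check in fail_open_check fail_closed_check; do
        for env in direct none; do
            if "$check" "$d/$env"; then r=allowed; else r=refused; fi
            echo "$check, PATH=$env: login $r"
        done
    done
    rm -rf "$d"
}
demo
```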