Path: utzoo!utgpu!news-server.csri.toronto.edu!clyde.concordia.ca!uunet!munnari.oz.au!djh
From: djh@cs.mu.oz.au (David Hornsby)
Newsgroups: comp.protocols.appletalk
Subject: Re: aufs security warning/fix
Message-ID: <5418@munnari.oz.au>
Date: 10 Sep 90 06:56:13 GMT
References: <9009072101.AA15458@orchestra.ecn.purdue.edu>
Organization: Comp Sci, Melbourne Uni, Australia
Lines: 16

From article <9009072101.AA15458@orchestra.ecn.purdue.edu>, by James M Moya:
> Much to my dismay, if you have any UNIX accounts with nothing in the
> /etc/passwd "password" field, you can "connect" to that account ...

With certain provisos, there is another solution that needs no new code.

If your unprotected account has a passwd entry that provides a non-shell
executable and the home directory points somewhere sensible, IE: a dummy
directory for nonhumans (which shouldn't be owned by the dummy account!),
create a .afpvols file with just a blank line.

This works providing that there is a valid global afpvols file. Users of
the unprotected account get to see only the global volumes (which naturally
have the desired permissions to prevent write access etc.).

- David.
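
The conditions in the post above can be checked mechanically. The following is an added example, not part of the original post or of the aufs distribution: a shell function that reads a passwd-format file and reports, for every entry with an empty password field, whether it runs a non-shell executable, has a home directory not owned by the account, and has a `.afpvols` holding only a blank line. The function name, the status strings and the list of login shells are assumptions made for this example; it does not check the global afpvols file, whose location depends on how aufs is started.

```sh
#!/bin/sh
# Added example: audit empty-password accounts against the conditions
# described in the post. Status strings and the login-shell list are
# assumptions of this example, not anything defined by aufs.

# audit_empty_pw PASSWD_FILE
# Prints "name: ok" or "name: issue[,issue...]" per empty-password entry.
audit_empty_pw() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        # Skip blank lines and comments, then keep only empty password fields.
        case $name in ''|'#'*) continue ;; esac
        [ -z "$pw" ] || continue
        issues=
        # 1. The entry must name a non-shell executable (empty = default shell).
        case $shell in
            ''|*/sh|*/csh|*/tcsh|*/ksh|*/bash|*/zsh) issues="$issues,login-shell" ;;
        esac
        if [ ! -d "$home" ]; then
            issues="$issues,no-home"
        else
            # 2. The dummy home must not be owned by the account itself,
            #    otherwise the account could replace .afpvols.
            owner=$(ls -ldn "$home" | awk '{print $3}')
            [ "$owner" != "$uid" ] || issues="$issues,home-owned-by-account"
            # 3. .afpvols must exist and contain nothing but blank lines.
            f=$home/.afpvols
            if [ ! -s "$f" ]; then
                issues="$issues,no-afpvols"
            elif grep -q '[^[:space:]]' "$f"; then
                issues="$issues,afpvols-not-blank"
            fi
        fi
        if [ -n "$issues" ]; then
            echo "$name: ${issues#,}"
        else
            echo "$name: ok"
        fi
    done < "$1"
}
```

Call it as `audit_empty_pw /etc/passwd` on the aufs host; any line other than `ok` names the condition from the post that the account does not meet.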