Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!apple!agate!ziploc!eps
From: eps@toaster.SFSU.EDU (Eric P. Scott)
Newsgroups: comp.sys.next
Subject: Re: NeXT Login Security Problem
Summary: No it isn't--the orthogonality is intentional and A Good Thing too
Message-ID: <1012@toaster.SFSU.EDU>
Date: 13 Nov 90 06:14:10 GMT
References:
Reply-To: eps@cs.SFSU.EDU (Eric P. Scott)
Organization: San Francisco State University
Lines: 57

In article lane@SUMEX-AIM.STANFORD.EDU (Christopher Lane) writes:
>Steve Hayman (sahayman@iuvax.cs.indiana.edu) sent me a note a week or so ago
>about a security flaw in the NeXT LoginWindow program. It seems that at
>Steve's site, like our own and others, they put a 'nologin', 'noshell', etc.
>entry for the 'shell' field in the passwd (of the NetInfo/YP master) file for
>(temporarily) defunct users. However, since LoginWindow doesn't care about
>the shell field, users with bogus shells were still able to log in to the NeXTs.

"That's not a bug...that's a feature!"

It's also old news. Here's a more interesting solution:

Put together a NeXT Application to explain to the user why access has
been disabled--you can do this entirely in Interface Builder if you
like. Be creative! Then have it launched in place of the Workspace
Manager:

	# su
	% dwrite loginwindow Workspace /full/path/to/program
	% ^D

(Yes, this really works!)

For the passwd shell field, set it to run a "get lost" program, e.g.:

	#include <unistd.h>

	/* Message shown to a suspended user; fill in the contact point. */
	const char sorry[] = "\nAccess to this username has been suspended.\n\
	Please contact ________ for assistance.\n\n";

	int main(void)
	{
		/* Only a shell exec'd directly under init (pid 1) gets the
		   full notice; any other invocation gets a terse refusal. */
		if (getppid() != 1) {
			(void)write(2, "Sorry\n", 6);
			_exit(1);
		}
		(void)write(2, sorry, (sizeof sorry) - 1);
		(void)sleep(5);		/* pause before exiting with failure */
		_exit(1);
	}

This will take care of telnet/rlogin sessions. As long as the shell
doesn't appear in /etc/shells, ftp will be locked out automatically.
If the user had a .rhosts file, you probably want to rename it.
Think about how you want to handle incoming mail!

In any case, the problem isn't with the software--it's with the
system administrator not thinking (probably the result of
overeXposure to braindamaged window systems... :-) ).

					-=EPS=-
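The following is an added example, not code from the post above or from NeXT. It takes the "get lost" shell idea one step further than the post does: besides the interactive login case, it also refuses "-c command" invocations of the kind rshd (and later sshd) hand to a login shell, always exits non-zero, and includes a small check of the /etc/shells lockout the post relies on for ftp. The notice text, the function names, the assumed install path /usr/local/bin/suspended and the sample /etc/shells contents are all assumptions made for illustration; the /etc/shells parsing follows the one-path-per-line, '#'-comment format that getusershell(3) reads, with the text passed in as a string so the example runs offline.

```c
/* Added example, not code from the original post. A "get lost" login shell
 * generalized to refuse "-c command" invocations as well as interactive
 * logins, plus a check that mimics how ftpd consults /etc/shells through
 * getusershell(3). Notice text, function names, the install path and the
 * sample /etc/shells contents are assumptions for illustration. */
#include <string.h>
#include <unistd.h>

static const char notice[] =
    "\nAccess to this username has been suspended.\n"
    "Please contact the system administrator for assistance.\n\n";
static const char no_commands[] = "Sorry, this account cannot run commands.\n";
static const char terse[] = "Sorry\n";
static const char listed_warning[] =
    "warning: the suspended-account shell is listed in /etc/shells\n";

/* Constructed sample of /etc/shells: one path per line, '#' comments,
 * stray blanks. The suspended-account shell is deliberately absent. */
const char sample_etc_shells[] =
    "# /etc/shells: login shells ftpd will accept (constructed sample)\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "  /usr/local/bin/zsh  \n"
    "\n";

/* Return 1 if `shell` appears as a non-comment line of `shells_text`,
 * 0 otherwise. Leading/trailing blanks on a line are ignored; a path is
 * matched whole, so "/bin" does not match "/bin/sh". */
int shell_is_listed(const char *shells_text, const char *shell)
{
    const char *p = shells_text;
    size_t want = strlen(shell);

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        const char *q = p;

        while (n && (*q == ' ' || *q == '\t')) { q++; n--; }   /* leading blanks */
        while (n && (q[n - 1] == ' ' || q[n - 1] == '\t' || q[n - 1] == '\r'))
            n--;                                               /* trailing blanks */
        if (n && *q != '#' && n == want && memcmp(q, shell, n) == 0)
            return 1;
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

enum invocation { INVOKE_LOGIN, INVOKE_COMMAND, INVOKE_OTHER };

/* Classify how the shell was started. login(1) passes argv[0] with a
 * leading '-'; rshd/sshd pass "-c command". Nothing in argv is ever run. */
enum invocation classify_invocation(int argc, char **argv)
{
    if (argc >= 2 && strcmp(argv[1], "-c") == 0)
        return INVOKE_COMMAND;
    if (argc >= 1 && argv[0] != NULL && argv[0][0] == '-')
        return INVOKE_LOGIN;
    return INVOKE_OTHER;
}

/* Body of the suspended-account shell: write the appropriate message to
 * `fd` and return the exit status to use. It is never 0, so a remote
 * "-c" caller also sees a failure rather than a silent success. */
int refuse(int argc, char **argv, int fd)
{
    switch (classify_invocation(argc, argv)) {
    case INVOKE_LOGIN:
        (void)write(fd, notice, sizeof notice - 1);
        break;
    case INVOKE_COMMAND:
        (void)write(fd, no_commands, sizeof no_commands - 1);
        break;
    default:
        (void)write(fd, terse, sizeof terse - 1);
        break;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* One-time sanity check for the administrator: the path this binary is
     * installed at must NOT appear in /etc/shells, or ftpd will let the
     * user in regardless of the shell's behaviour. Install path assumed. */
    const char *install_path = "/usr/local/bin/suspended";
    if (shell_is_listed(sample_etc_shells, install_path))
        (void)write(2, listed_warning, sizeof listed_warning - 1);
    return refuse(argc, argv, 2);
}
```

Installed as the passwd shell for a suspended account, this prints the notice for an interactive login, a one-line refusal for "-c" requests, and exits 1 in every case; since the install path is kept out of /etc/shells, ftpd rejects the account on its own, exactly as the post describes.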