Path: utzoo!utgpu!news-server.csri.toronto.edu!clyde.concordia.ca!uunet!virtech!cpcahil
From: cpcahil@virtech.uucp (Conor P. Cahill)
Newsgroups: comp.unix.sysv386
Subject: Re: security of Interactive powerdown login
Message-ID: <1990Nov10.132459.10900@virtech.uucp>
Date: 10 Nov 90 13:24:59 GMT
References: <1990Nov9.212510.9086@mks.com>
Reply-To: cpcahil@virtech.UUCP (Conor P. Cahill)
Organization: Virtual Technologies Inc., Sterling VA
Lines: 21

In article <1990Nov9.212510.9086@mks.com> eric@mks.com (Eric Gisin) writes:
>If you want a more secure password-less powerdown userid
>and you have Interactive 2.2, you can change the shell for powerdown
>to /usr/admin/powerdown and add the following lines to the top of
>the /usr/admin/powerdown shell script:

NEVER NEVER NEVER have a root account without a password.  There are too
many chances for it to be exploited.  Look at what could happen:

    cpcahil(virtech,61): id
    uid=100(cpcahil) gid=7(opadmin)
    cpcahil(virtech,63): su powerdown
    # id
    uid=0(root) gid=0(root)

-- 
Conor P. Cahill            (703)430-9247        Virtual Technologies, Inc.,
uunet!virtech!cpcahil                           46030 Manekin Plaza, Suite 160
                                                Sterling, VA 22170
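
An audit for the condition the post above warns about, as an added example that is not part of the original post: it lists every UID 0 entry whose password field is empty, whatever its login shell is set to. The account data is constructed, and the check assumes the usual seven-field passwd layout with "x" meaning the password is held in a shadow file.

```python
# Added example. All account data below is constructed for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
powerdown:x:0:0:Power down:/:/usr/admin/powerdown
shutdown::00:0:Old shutdown:/:/etc/shutdown
cpcahil:x:100:7:Ordinary user:/usr/cpcahil:/bin/ksh
guest::200:50:Guest:/usr/guest:/bin/sh
"""
SAMPLE_SHADOW = """\
root:constructedhash01:7618::
powerdown::7618::
cpcahil:constructedhash02:7618::
"""


def parse_shadow(text):
    """Map login name -> password field from shadow-format text."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            table[fields[0]] = fields[1]
    return table


def passwordless_root(passwd_text, shadow_text=""):
    """Return (name, shell) for each UID 0 entry with an empty password."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # malformed or comment line
        name, pw, uid, shell = fields[0], fields[1], fields[2], fields[6]
        try:
            if int(uid) != 0:  # int() also catches "00"-style spellings of 0
                continue
        except ValueError:
            continue
        # "x" defers to the shadow file; anything else is judged as written.
        effective = shadow.get(name, pw) if pw == "x" else pw
        if effective == "":
            # Flag regardless of shell: a restricted login shell does not
            # make a password-less UID 0 entry acceptable.
            findings.append((name, shell))
    return findings


if __name__ == "__main__":
    for name, shell in passwordless_root(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"UID 0 account with no password: {name} (shell {shell})")
```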