Path: utzoo!attcan!uunet!nih-csl!lhc!mimsy!midway!ux1.cso.uiuc.edu!news.cs.indiana.edu!maytag!watmath!mks.com!femto!eric
From: eric@femto.mks.com (Eric Gisin)
Newsgroups: comp.unix.sysv386
Subject: Re: security of Interactive powerdown login
Message-ID:
Date: 12 Nov 90 18:14:35 GMT
References: <1990Nov9.212510.9086@mks.com> <1990Nov10.132459.10900@virtech.uucp>
Sender: eric@mks.com (Eric Gisin)
Organization: Mortice Kern Systems Inc., Waterloo, Ontario, CANADA
Lines: 28
In-Reply-To: cpcahil@virtech.uucp's message of 10 Nov 90 13:24:59 GMT

In article <1990Nov10.132459.10900@virtech.uucp> cpcahil@virtech.uucp (Conor P. Cahill) writes:

   In article <1990Nov9.212510.9086@mks.com> eric@mks.com (Eric Gisin) writes:
   >If you want a more secure password-less powerdown userid
   >and you have Interactive 2.2, you can change the shell for powerdown
   >to /usr/admin/powerdown and add the following lines to the top of
   >the /usr/admin/powerdown shell script:

   NEVER NEVER NEVER have a root account without a password. There are
   too many chances for it to be exploited. Look at what could happen:

   cpcahil(virtech,61): id
   uid=100(cpcahil) gid=7(opadmin)
   cpcahil(virtech,63): su powerdown
   # id
   uid=0(root) gid=0(root)

Oops, I meant to give a two-part fix. First, change /usr/admin/powerdown
into an executable shell script that sets a secure PATH and IFS. But I
forgot the second part: change the shell in /etc/passwd from /bin/rsh to
/usr/admin/powerdown. This avoids the "su powerdown" problem.

There is still the issue of allowing users to run a shell script as root,
either through password-less root accounts or setuid shell scripts. Is it
considered a bad idea even for simple shell scripts? Is setting a secure
PATH/IFS and being careful with eval and `...` enough?
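As an added illustration of the two-part fix discussed in this thread (this is example code, not Eric's or Interactive's script), here is the skeleton of a login-shell wrapper of the kind /usr/admin/powerdown would be once the passwd entry points at it instead of /bin/rsh. Everything in it is assumed: the function names, the fixed PATH, and the list of environment variables it clears; the real shutdown action is replaced by a harmless placeholder so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original thread: skeleton of a role-account
# login shell (hypothetical /usr/admin/powerdown). Names and PATH are
# assumptions; the real shutdown command is a placeholder below.

# Discard the caller-controlled environment before any command name is
# looked up. PATH is absolute with no '.', IFS is space/tab/newline only,
# and the variables that let a caller inject code into sh are unset.
harden_env() {
    nl='
'
    PATH=/bin:/usr/bin:/etc:/usr/sbin
    IFS=" $(printf '\t')$nl"
    export PATH IFS
    unset ENV BASH_ENV CDPATH LD_PRELOAD LD_LIBRARY_PATH
    umask 077
}

# Where a bare command name resolves *after* hardening; with the fixed PATH
# this can only be a system directory, never something the caller placed
# in their own PATH.
resolve_cmd() {
    harden_env
    command -v "$1" 2>/dev/null
}

# A login shell used as a role command must take no arguments: anything
# passed in (for example "-c somecommand" via su) is refused, so the
# account can do exactly one thing.
check_args() {
    [ "$#" -eq 0 ]
}

# Placeholder for the privileged action (the system's shutdown command on a
# real host). Kept as an echo so the example is harmless to run.
do_powerdown() {
    echo "powerdown requested by uid $(id -u)"
}

main() {
    if ! check_args "$@"; then
        echo "powerdown: arguments are not accepted" >&2
        return 2
    fi
    harden_env
    do_powerdown
}

# Only act when executed under the role-shell name; sourcing the file for
# the checks below leaves main untouched.
case "$0" in
    */powerdown) main "$@" ;;
esac
```

The wrapper only helps if both halves of the fix are in place: the file must be root-owned and not writable by anyone else, and the /etc/passwd shell field must name the wrapper, so that `su powerdown` executes it rather than a general-purpose shell (/bin/rsh here being the System V restricted shell, which still inherits the caller's environment). Whether this is sufficient for scripts that run as root is the open question the post ends on; the skeleton shows what "a secure PATH and IFS" concretely amounts to, not an answer to that question.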