Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!brl-adm!rutgers!sri-spam!sri-unix!hplabs!tektronix!orca!hammer!andrew
From: andrew@hammer.TEK.COM (Andrew Klossner)
Newsgroups: net.unix-wizards
Subject: Invalidating an /etc/passwd entry (was "Do not use blank lines in /etc/pass")
Message-ID: <2653@hammer.TEK.COM>
Date: Thu, 30-Oct-86 17:13:45 EST
Article-I.D.: hammer.2653
Posted: Thu Oct 30 17:13:45 1986
Date-Received: Mon, 3-Nov-86 23:11:04 EST
References: <4701@brl-smoke.ARPA> <14900043@uiucdcsb>
Organization: Tektronix, Inc., Wilsonville, OR
Lines: 15

On invalidating entries in /etc/passwd:

One correspondent spoke of changing the password to something to which nothing will encrypt. Another prefers to change the shell to something which prints a short message of denial then exits. We do *both*.

Changing the password but leaving the shell intact allows entry to anyone who is already in or can enter the user's .rhosts file. Changing the shell but leaving the password lets anyone with the password "su" to the account, if your "su" uses the invoker's shell. (If your "su" uses the target user's shell, you open a different but similarly nasty security hole.)

  -=- Andrew Klossner   (decvax!tektronix!tekecs!andrew)        [UUCP]
                        (tekecs!andrew.tektronix@csnet-relay)   [ARPA]
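The "do both" rule above, as an added example that is not part of the original post: a small POSIX sh script that rewrites a passwd(5)-format entry so that the password field holds a value nothing encrypts to and the login shell is a denial program, and a check that treats an entry as disabled only when both fields are set. It works on a constructed passwd line rather than the live file so it runs offline. The denial-shell path `/sbin/nologin` and the sample user `alice` are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the original poster's code.
# Lock a passwd(5)-format entry BOTH ways, as the post recommends:
#   field 2 (password hash) -> "*", a value no crypt(3) output can equal,
#   field 7 (login shell)   -> a program that only prints a denial and exits.
# Assumption: the denial shell lives at /sbin/nologin on the target system.
NOLOGIN="/sbin/nologin"

# Constructed sample entry (not a real account; the hash is a placeholder).
SAMPLE='alice:$6$abc$fakehash:1001:1001:Alice:/home/alice:/bin/sh'

# lock_entry LINE
#   Prints LINE with the password field invalidated and the shell replaced.
lock_entry() {
    printf '%s\n' "$1" |
        awk -F: -v OFS=: -v nologin="$NOLOGIN" '{ $2 = "*"; $7 = nologin; print }'
}

# is_locked LINE
#   Succeeds only if BOTH measures are in place. An entry with just one of
#   them is reported as NOT locked, because either half on its own still
#   leaves a way in (via .rhosts, or via "su" with the invoker's shell).
is_locked() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    shl=$(printf '%s\n' "$1" | cut -d: -f7)
    [ "$pw" = "*" ] && [ "$shl" = "$NOLOGIN" ]
}

# Stand-alone run: show the locked form of the sample entry.
lock_entry "$SAMPLE"
```

On a modern system the hash no longer sits in /etc/passwd but in /etc/shadow, and the two steps are what `usermod -L` (invalidate the password) and `usermod -s /sbin/nologin` (replace the shell) perform; the check above is the audit you would want either way, flagging accounts where only one of the two was done.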