[linux-elitists] pop/ftp and shell

Heather star@betelgeuse.starshine.org
Wed Mar 29 16:58:35 PST 2000


> Hmm.. so I was thinking that in order to facilitate a few users who need
> pop/ftp and shell access, I would create them two accounts with the same
> user ID with one account set to a shell and one set to /bin/false
> 
> Then telnet on the box is disabled. So that the insecurely accessible
> account cannot attain shell if the password is compromised. Any of you see
> issues with this?
> 
> 
> +++ath
> Derek Vadala, derek@cynicism.com, http://www.cynicism.com/~derek

Yes, someone who is in under control of the shell'd version has the right to
chfn for the other one... 

You'll have to look at your passwd file family of apps to see if it will
control by name or just do the first one or what, but it strikes me as a 
big hole.

When I had to do the same at McAfee, it was easy to create a small scad
of dummy users (just use an alternate skeleton) but one of the skeleton
items was a symlink to a more truly shared directory.  SGID sticky of course.
It was possible to tell who tweaked a file, but not particularly to defend
against them being public.

If I had needed to support the owned permissions also I could have run a
cron job, but these folk were only minimally clued anyway.  Later when I
announced the "public space" as a samba share (with the same IDs of course)
they bought me cases of root beer.

* Heather
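The point Heather raises about the passwd family of tools (whether they key by account name or simply take the first entry carrying a given UID) is easy to see with a small model of the passwd file. The script below is an added example, not code from this thread or from any of its participants; it parses constructed passwd-format lines (invented for the illustration, not taken from any real host), shows first-match lookup by UID against lookup by name, and flags UIDs shared between a login-capable entry and a /bin/false entry, which is exactly the two-account arrangement proposed above. It does not model the behaviour of any particular chfn or chsh implementation; that still has to be checked on the target system.

```python
"""Check a passwd-format file for shared-UID accounts (added example).

Two passwd entries with the same numeric UID are one principal to the
kernel; file ownership, quotas, cron spools and anything that resolves
identity by UID see whichever entry comes first in the file.  Tools that
resolve by name (chfn, chsh, passwd) edit the named entry only, so the
two entries can drift apart.  The sample below is constructed for this
example and does not come from a real host.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Shells that deny an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


class PwEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PwEntry]:
    """Parse passwd(5) lines; blank lines and '#' comments are skipped."""
    entries: List[PwEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PwEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def lookup_by_uid(entries: List[PwEntry], uid: int) -> Optional[PwEntry]:
    """First-match semantics: the model getpwuid(3) follows on a flat file."""
    for e in entries:
        if e.uid == uid:
            return e
    return None


def lookup_by_name(entries: List[PwEntry], name: str) -> Optional[PwEntry]:
    """Name-keyed lookup, as getpwnam(3) and the chfn/chsh family use."""
    for e in entries:
        if e.name == name:
            return e
    return None


def shared_uids(entries: List[PwEntry]) -> Dict[int, List[PwEntry]]:
    """Map each UID that appears more than once to all its entries."""
    by_uid: Dict[int, List[PwEntry]] = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e)
    return {uid: es for uid, es in by_uid.items() if len(es) > 1}


def mixed_shell_collisions(entries: List[PwEntry]) -> List[int]:
    """UIDs carried by both a login-capable entry and a no-login entry.

    This is the 'shell account + /bin/false twin' pattern from the thread:
    a compromise of either entry is a compromise of the same UID.
    """
    hits = []
    for uid, es in shared_uids(entries).items():
        shells = {e.shell for e in es}
        if (shells & NOLOGIN_SHELLS) and (shells - NOLOGIN_SHELLS):
            hits.append(uid)
    return sorted(hits)


# Constructed sample: 'derek-pop' is the pop/ftp twin of the shell account
# 'derek'; both deliberately carry UID 1001.  Account names are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
derek-pop:x:1001:1001:Derek (pop/ftp):/home/derek:/bin/false
derek:x:1001:1001:Derek:/home/derek:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    ents = parse_passwd(SAMPLE_PASSWD)
    first = lookup_by_uid(ents, 1001)
    print("uid 1001 resolves to:", first.name if first else None)
    print("shared UIDs with mixed shells:", mixed_shell_collisions(ents))
```

Run as-is, the UID lookup for 1001 resolves to `derek-pop`, since it is listed first, while a name lookup for `derek` still returns the bash entry; the collision report lists 1001. On a real host the same check can be run over /etc/passwd by feeding the file's contents to `parse_passwd`.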
