[linux-elitists] pop/ftp and shell

Derek Vadala derek@cynicism.com
Wed Mar 29 17:41:39 PST 2000


On Wed, 29 Mar 2000, Heather wrote:

> Yes, someone who is in under control of the shell'd version has the right to
> chfn for the other one... 

Right. But that's kind of the idea. I'm not suggesting that generic
accounts with this property be created but rather that individual users
have both accounts, if they need to perform both functions. 

The idea is that you corner off the pop and ftp because they send a
password in clear text. That way if the pop/ftp account is compromised
the damage is somewhat limited (i.e. that account can't be used to
install root kits and the lot).

Of course, making sure these users kept separate passwords is an
issue. The ssh'able account should have full control over the ftp/pop
side.

This can alternatively be done with separate user IDs and the use of
groups and sticky bits. But in my experience that always ends up turning
into a mess for someone at some point.

> You'll have to look at your passwd file family of apps to see if it will
> control by name or just do the first one or what, but it strikes me as a 
> big hole.

Well, since /etc/shadow is indexed by username and not userid it should be
a non-issue for anything that is coded properly. Pop, ftp, ssh, and passwd
all deal fine.

I'm curious as to why it strikes you as a big hole? I felt the same way at
first, but I think that's mostly because replicated user IDs have the
historical stigma of being a method used by attackers to create a
secondary root account.

On the other hand safeguarded secondary UID=0 accounts have been used for
years by sysadmins as a precaution against junior admin types changing
root passwords by accident.

> When I had to do the same at McAfee, it was easy to create a small scad
> of dummy users (just use an alternate skeleton) but one of the skeleton
> items was a symlink to a more truly shared directory.  SGID sticky of course.
> It was possible to tell who tweaked a file, but not particularly to defend
> against them being public.

I'm more worried about the compromise of plaintext passwords leading to
the compromise of a shell account. If users who need this functionality
get their e-mail and web page access compromised then it's their problem
as there's no reason they couldn't run Linux (or use ssh tunneling under
Windows).

+++ath
Derek Vadala, derek@cynicism.com, http://www.cynicism.com/~derek
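
An added example, not part of the original message or the list archive: a small audit of passwd-format data for usernames that share a UID, as in the scheme discussed in this thread. The sample accounts, the `NOLOGIN_SHELLS` list and the function names are assumptions made for illustration.

```python
# Added example: audit passwd-format data for usernames that share a UID.

# Shells treated as "no interactive login" (assumed list; adjust per site).
# An empty shell field is NOT listed here: it means the default shell.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample in /etc/passwd format (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001:Alice (ssh):/home/alice:/bin/bash
alice-mail:x:1001:1001:Alice (pop/ftp):/home/alice:/bin/false
bob:x:1002:1002:Bob:/home/bob:/bin/bash
bob2:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""

def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2]), fields[6]

def audit_shared_uids(text):
    """Return one finding per UID that is held by more than one username."""
    by_uid = {}
    for name, uid, shell in parse_passwd(text):
        by_uid.setdefault(uid, []).append((name, shell))
    findings = []
    for uid, entries in sorted(by_uid.items()):
        if len(entries) < 2:
            continue
        login = [n for n, s in entries if s not in NOLOGIN_SHELLS]
        findings.append({
            "uid": uid,
            "names": [n for n, _ in entries],
            # A UID-to-name lookup over the flat file stops at the first match.
            "resolves_as": entries[0][0],
            "login_capable": login,
            "privileged": uid == 0,
            # The split only limits damage if at most one name can get a shell.
            "isolated": len(login) <= 1,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_shared_uids(SAMPLE_PASSWD):
        print(finding)
```

Shared UID 0 entries and groups where `isolated` is false are the ones to review first; password separation lives in /etc/shadow, keyed by username, and is not checked here.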




