[987] in linux-security and linux-alert archive


[linux-security] xdm sessions still work with bad shell.

daemon@ATHENA.MIT.EDU (Rogier Wolff)
Fri Aug 2 17:20:36 1996

To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 1 Aug 1996 20:10:37 +0200 (MET DST)
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)


I just found the following. It does exactly what -==I==- want it to
do, but I can also imagine that this is NOT what you want.

I have a user with a "bad shell" (/bin/false). I cannot telnet, rlogin
or FTP into the machine. However, with a valid .xsession, I can log in
to xdm.

With the default RedHat fvwm config, I can then run xterms, which are
started with "-e /bin/bash", so they don't look at the shell in
/etc/passwd. rxvt is configured to use the shell in the password file,
so it exits immediately.

To lock a user out of a system it is not sufficient to give the user
an invalid shell. If a user can get an xdm (X -query <host>) login
screen, this is easily subverted.

					Roger.
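The gap described in the post is that xdm hands out a session without ever consulting the account's login shell. The following added example (not part of the post, and not xdm's own code) shows the check a site-local Xsession wrapper can run first: refuse the session unless the user's passwd shell is listed in /etc/shells. The file paths are parameters and the passwd/shells contents are constructed samples, so it runs offline.

```shell
#!/bin/sh
# Added example: pre-session check for an xdm Xsession wrapper.
# An account "disabled" with /bin/false still gets an X session because
# xterm is started with "-e /bin/bash"; this refuses such accounts up front.
# Paths are arguments so constructed copies can stand in for /etc/passwd
# and /etc/shells.

# shell_is_valid USER PASSWD_FILE SHELLS_FILE
# Returns 0 if USER's login shell (7th passwd field) is listed in
# SHELLS_FILE, 1 otherwise (unknown user, empty field, /bin/false, ...).
shell_is_valid() {
    _shell=$(awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2")
    [ -n "$_shell" ] || return 1
    # /etc/shells holds one absolute path per line; skip comments and blanks.
    grep -v '^[[:space:]]*#' "$3" | grep -qx -- "$_shell"
}

# xsession_decision USER PASSWD_FILE SHELLS_FILE
# Prints "allow" or "deny"; a real wrapper would exit on "deny" before
# exec'ing the window manager or the user's .xsession.
xsession_decision() {
    if shell_is_valid "$1" "$2" "$3"; then echo allow; else echo deny; fi
}

# Constructed sample data standing in for the live files.
demo_dir=$(mktemp -d)
cat >"$demo_dir/passwd" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Locked out:/home/bob:/bin/false
EOF
printf '# valid login shells\n/bin/sh\n/bin/bash\n' >"$demo_dir/shells"

# alice has a listed shell, bob has /bin/false, carol does not exist.
for u in alice bob carol; do
    printf '%s: %s\n' "$u" \
        "$(xsession_decision "$u" "$demo_dir/passwd" "$demo_dir/shells")"
done
rm -rf "$demo_dir"
```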
