[987] in linux-security and linux-alert archive
[linux-security] xdm sessions still work with bad shell.
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Fri Aug 2 17:20:36 1996
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 1 Aug 1996 20:10:37 +0200 (MET DST)
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
I just found the following. It does exactly what -==I==- want it to
do, but I can also imagine that this is NOT what you want.
I have a user with a "bad shell" (/bin/false). I cannot telnet, rlogin
or FTP into the machine. However with a valid .xsession, I can login
to xdm.
With the Default RedHat fvwm config, I can then run xterms, which are
started with "-e /bin/bash", so they don't look at the shell in
/etc/passwd. rxvt is configured to use the shell in the password file
so that it exits immediately.
To lock a user out of a system it is not sufficient to give the user
an invalid shell. If a user can get an xdm (X -query <host>) login
screen, this is easily subverted.
Roger.
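An audit check for the situation described in the post, added here as an example and not part of the original message: list accounts whose login shell is not a valid shell (not listed in /etc/shells) but whose home directory holds an executable ~/.xsession, the combination that lets xdm start a session despite the "bad shell". The function arguments (passwd file, shells file, a root under which home directories are found) and the constructed fixture files in `setup_demo` are assumptions for demonstration only.

```shell
#!/bin/sh
# find_xsession_bypass PASSWD SHELLS HOME_ROOT
# Prints "user shell path-to-.xsession" for every account that has a shell
# not listed in SHELLS (e.g. /bin/false) but an executable .xsession in its
# home directory. HOME_ROOT is prefixed to the passwd home field so the check
# can be run against a copied tree; leave it empty for the live system.
find_xsession_bypass() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    home_root=${3:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        # An empty shell field means /bin/sh by convention.
        [ -n "$shell" ] || shell=/bin/sh
        # A shell listed in /etc/shells is a normal login shell: skip it.
        if grep -qxF -- "$shell" "$shells_file" 2>/dev/null; then
            continue
        fi
        xs="$home_root$home/.xsession"
        if [ -x "$xs" ]; then
            printf '%s %s %s\n' "$user" "$shell" "$xs"
        fi
    done < "$passwd_file"
}

# setup_demo: constructed sample data (hypothetical users), prints the temp
# directory it created. "locked" has /bin/false plus an executable .xsession;
# "nox" has /bin/false and no .xsession; root has a normal shell.
setup_demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    printf 'locked:x:1001:1001:Locked:/home/locked:/bin/false\n' >> "$tmp/passwd"
    printf 'nox:x:1002:1002:No session:/home/nox:/bin/false\n' >> "$tmp/passwd"
    printf '/bin/sh\n/bin/bash\n' > "$tmp/shells"
    mkdir -p "$tmp/home/locked" "$tmp/home/nox" "$tmp/root"
    printf '#!/bin/sh\nexec xterm -e /bin/bash\n' > "$tmp/home/locked/.xsession"
    chmod 755 "$tmp/home/locked/.xsession"
    printf '%s\n' "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(setup_demo)
    find_xsession_bypass "$demo/passwd" "$demo/shells" "$demo"
    rm -rf "$demo"
fi
```

Run with `--demo` to see the constructed case; without arguments and sourced, call `find_xsession_bypass` against the real /etc/passwd and /etc/shells.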