Running top without a shell -- more questions
Ted Mittelstaedt
tedm at toybox.placo.com
Sun Feb 6 02:16:58 PST 2005
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Anthony
> Atkielski
> Sent: Saturday, February 05, 2005 5:49 PM
> To: freebsd-questions at freebsd.org
> Subject: Re: Running top without a shell -- more questions
>
>
> John writes:
>
> J> No, there are HUGE security concerns. The big problem is that
> J> many things have shell escapes. Top, as far as I know, does not.
>
> But it's shell escapes that generally create the security concerns, no?
No, it depends on the application program. For example, ftp does not
have a shell escape. But if you set up the ftp client program as a
shell prompt for a user account with no password, then anyone and their
dog
could log into your system and send themselves a copy of your password
file. (granted on FreeBSD it wouldn't have the crypted passwords, but
it would have all the userID's so the cracker doesen't have much work
to do)
I've seen a few customers do baloney like this with commercial
UNIX programs. Basically they setup the terminals so that instead
of the users having to give a userID and password to login, the user
just switches on the terminal and bang, the application program
comes up on the screen. The usual piss-ant excuse is that the
users whine about having to remember a username and password. I
sometimes ask them if they have trained their night janitors and
cleaning people on the application or if they just let them learn
by themselves.
Some application programs allow you to issue commands to the UNIX
system even though they might not give you a shell prompt, so you
can see where someone could have some fun.
Ted
More information about the freebsd-questions
mailing list