Re: Fix for Linux/AIX login hole

Doug Siebert (dsiebert@icaen.uiowa.edu)
Mon, 23 May 1994 13:09:08 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Doug McLaren: "Re: Fix for Linux/AIX login hole"
Previous message: Karyn Pichnarczyk: "Fix for Linux/AIX login hole"
Maybe in reply to: Karyn Pichnarczyk: "Fix for Linux/AIX login hole"
Next in thread: Christopher Klaus: "Re: Fix for Linux/AIX login hole"

>From bugtraq-owner@cscns.com Mon May 23 13:04:27 1994
>Date: Mon, 23 May 94 10:09:34 -0400
>From: "Serge J. Goldstein" <serge@Princeton.EDU>
>To: bugtraq@crimelab.COM
>Subject: Re: Fix for Linux/AIX login hole
>Sender: bugtraq-owner@Crimelab.COM
>Precedence: bulk


>A colleague sent me the following note:
>> 

>> A less painful (for the system modification unaware) way to lock it up on
>> an AIX machine is:
>> 

>>    1. Enter SMIT (as root)
>>    2. Follow this path:
>>       Security & Users
>>       Users
>>       Change / Show Characteristics of a User
>>       User NAME (enter root)
>>    3. Change "User can RLOGIN" to false
>>    4. Click "Do"
>> 



That would be a very poor fix, as it would only keep out people using the
hole to access 'root'.  rsh machine -l -fbin would still work, and if AIX is
like most Unixes, getting access to bin, daemon, or one of the other system
users leaves little work left to get root.  Plus you can login as any real
user on the system, passwords are meaningless.


Doug Siebert
dsiebert@isca.uiowa.edu

Next message: Doug McLaren: "Re: Fix for Linux/AIX login hole"
Previous message: Karyn Pichnarczyk: "Fix for Linux/AIX login hole"
Maybe in reply to: Karyn Pichnarczyk: "Fix for Linux/AIX login hole"
Next in thread: Christopher Klaus: "Re: Fix for Linux/AIX login hole"