To all interested parties:

Anyone interested in getting together for some beer and security-type chatting at the Symposium, please drop me an email and we will try to set a time/place for us all to meet.

(Although that was *somewhat* security related, I will try to make this a little more worth reading for those who will not be attending.)

Obbug:

I have noticed this on SunOS 4.1.3 running X11R5 and Motif 1.2.3. Anyone can get limited (possibly more) access to the system if:

- There is a ".xsession" file that is world readable in the root "/" directory (i.e. 644 as usual)
- The sync account is left with the default passwd entry of "sync::5:1:/:/bin/csh" (i.e. which is the Sun install default)

A user can then log in as "sync" on the workstation, and the .xsession file is executed prior to the user's login shell of "/bin/sync". Although the "login" will contain no shell, any other tools started by .xsession, such as file managers, etc. will still function, allowing anyone to browse the system, read files, etc.

Suggested fix: Simply place an asterisk in the passwd field of the sync account, which will prevent any "no passwd" logins.

I have not explored this extensively, and the risk of this may be more pronounced... I welcome any ideas or thoughts...

================================================================
| Paul A. Watson             | Current Assignment:         |
| System Administrator       | USAF 611 OSS/TBX            |
| Work : (907) 552-7974      | 6900 9th Street, Room 139   |
| Home : (907) 274-9026      | Elmendorf AFB, AK 99506     |
| Fax  : (907) 552-1120      | Anchorage, AK 99501         |
| Email: watson@ctis.af.mil. |                             |
================================================================
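As an added audit check (not part of the original post), the script below looks for the two conditions the post describes: passwd entries whose password field is empty, and, for each such account, whether the home directory holds a world-readable .xsession that would run ahead of the login shell. It works on any passwd(5)-format file; the passwd lines, the temporary home directory standing in for "/", and the sample .xsession are constructed here for demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added audit example, not from the original post or from Sun.
# Finds passwd(5) entries with an empty password field (login needs no
# password) and reports whether each account's home directory contains a
# world-readable .xsession. All sample data below is constructed.

# Print "user:uid:home:shell" for every entry whose password field is empty.
# Home and shell are taken as the last two fields so a missing GECOS field,
# as in the post's "sync::5:1:/:/bin/csh", is still handled.
find_nopasswd_accounts() {
    awk -F: 'NF >= 6 && $2 == "" { print $1 ":" $3 ":" $(NF-1) ":" $NF }' "$1"
}

# Succeed (exit 0) only if DIR/.xsession exists and carries the "other" read bit.
xsession_world_readable() {
    [ -f "$1/.xsession" ] && [ -n "$(find "$1/.xsession" -perm -004 2>/dev/null)" ]
}

# One line per passwordless account, tagged with the .xsession finding.
audit_passwd() {
    find_nopasswd_accounts "$1" | while IFS=: read -r user uid home shell; do
        if xsession_world_readable "$home"; then
            echo "$user:$uid:$home:$shell:xsession=world-readable"
        else
            echo "$user:$uid:$home:$shell:xsession=missing-or-private"
        fi
    done
}

# --- constructed sample data (a temp dir plays the role of "/") ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_HOME="$SAMPLE_DIR/root_home"
mkdir -p "$SAMPLE_HOME"
printf '#!/bin/sh\nexec filemgr &\n' > "$SAMPLE_HOME/.xsession"
chmod 644 "$SAMPLE_HOME/.xsession"      # world readable, as the post describes

SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
cat > "$SAMPLE_PASSWD" <<EOF
root:x:0:1:Operator:$SAMPLE_HOME:/bin/csh
sync::5:1::$SAMPLE_HOME:/bin/csh
daemon:*:1:1::/:
watson:x:1001:10:Paul Watson:/home/watson:/bin/csh
EOF

# Expected: only the sync entry is reported, flagged xsession=world-readable.
audit_passwd "$SAMPLE_PASSWD"
```

Run it against the real /etc/passwd (or a copy) to list every account that the suggested fix, an asterisk in the password field, still needs to cover; the .xsession check only reports the file's mode and does not change anything.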