- Path: sparky!uunet!charon.amdahl.com!pacbell.com!sgiblab!zaphod.mps.ohio-state.edu!cs.utexas.edu!sun-barr!olivea!sgigate!sgi!rhyolite!vjs
- From: vjs@rhyolite.wpd.sgi.com (Vernon Schryver)
- Newsgroups: comp.sys.sgi
- Subject: Re: Net Services and backdoors
- Message-ID: <shabbi4@rhyolite.wpd.sgi.com>
- Date: 18 Nov 92 18:32:55 GMT
- References: <1992Nov18.162916.12717@tamsun.tamu.edu>
- Organization: Silicon Graphics, Inc. Mountain View, CA
- Lines: 39
-
- In article <1992Nov18.162916.12717@tamsun.tamu.edu>, bpb9204@tamsun.tamu.edu (Brent) writes:
- > Hello, all.
- >
- > We have a lab with SGIs, RS6Ks, and Suns, and some of the machines
- > have subtle network software problems. Fortunately, I've been
- > able to track down all the problems (except for mail).
- >
- > One minor problem was that you could not "finger @machine" because
- > finger would print "connection refused." This simple problem boiled
- > down to "machine" (an SGI) running fingerd as user "guest." Guest
- > was a nonexistent user on the system. I edited /usr/etc/inetd.conf
- > to change the finger entry to run as root.
- >
- > Now my main question. Which of these network services do you NOT
- > want to run as root? Does finger have any backdoors or other holes
- > into the system?
- >
- > Is there documentation someplace about which network services can
- > spawn shells or otherwise allow somebody access to your system
- > (by not using telnet/rlogin)?
- >
- > I'd appreciate any comments you may think of.
-
-
- There are no known security problems with the IRIX fingerd, but
- the same could have no doubt been said about fingerd for VAX's
- and Sun's in 1986. Remember the "worm"?
-
- It is not generally a good idea to run programs with more permission
- than they need.
-
- Instead of removing the "guest" entry from /etc/passwd, I would
- make it present but unusable:
-
- guest:off:998:998:Guest Account:/dev/null:/bin/true
-
-
-
- Vernon Schryver, vjs@sgi.com
-
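The two points in the reply above (give a service no more permission than it needs, and keep its account present but unusable) can be checked mechanically. The script below is an added example, not part of the original post or of IRIX. It assumes the classic layout where field 5 of inetd.conf is the user and /etc/passwd holds 13-character crypt(3) hashes directly; the function names, status labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes inetd.conf field 5 is
# the user and passwd stores 13-character crypt(3) hashes (no shadow file).
# audit_inetd INETD_CONF PASSWD -> one "STATUS service user" line per service
#   MISSING  user absent from passwd, so inetd cannot start the service
#   ROOT     service runs as uid 0
#   LOGIN    non-root, but the password field is empty or hash-shaped
#   OK       non-root and the password field can never match (e.g. "off")
audit_inetd() {
    awk -v pw="$2" '
        BEGIN {
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                uid[f[1]] = f[3]; hash[f[1]] = f[2]
            }
        }
        /^[ \t]*#/ || NF < 6 { next }      # skip comments and short lines
        {
            user = $5; n = length(hash[user])
            if (!(user in uid))         s = "MISSING"
            else if (uid[user] == 0)    s = "ROOT"
            else if (n == 0 || n == 13) s = "LOGIN"
            else                        s = "OK"
            print s, $1, user
        }
    ' "$1"
}

# Constructed sample files; only the guest line is taken from the post.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:aaBBccDDeeFFg:0:0:Super-User:/:/bin/csh
guest:off:998:998:Guest Account:/dev/null:/bin/true
demo::997:997:Demo:/usr/demo:/bin/csh
EOF
    cat > "$dir/inetd.conf" <<'EOF'
# service socket proto wait user server args
finger  stream tcp nowait guest  /usr/etc/fingerd fingerd
ftp     stream tcp nowait root   /usr/etc/ftpd    ftpd
tftp    dgram  udp wait   demo   /usr/etc/tftpd   tftpd
ntalk   dgram  udp wait   nobody /usr/etc/talkd   talkd
EOF
    audit_inetd "$dir/inetd.conf" "$dir/passwd"
    rm -rf "$dir"
}
demo
```

On a real host, point audit_inetd at /usr/etc/inetd.conf and /etc/passwd; a MISSING line is the "connection refused" case from the quoted question.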