home *** CD-ROM | disk | FTP | other *** search
- Newsgroups: comp.sys.sgi
- Path: sparky!uunet!munnari.oz.au!mips!mips!sgi!rhyolite!vjs
- From: vjs@rhyolite.wpd.sgi.com (Vernon Schryver)
- Subject: Re: shutdown by user
- Message-ID: <ojsf4ek@rhyolite.wpd.sgi.com>
- Organization: Silicon Graphics, Inc. Mountain View, CA
- References: <2964@accucx.cc.ruu.nl> <o6a8rsk@zuni.esd.sgi.com> <1992Aug13.180112.2505@ctr.com>
- Date: Sat, 15 Aug 1992 15:05:44 GMT
- Lines: 37
-
- In article <1992Aug13.180112.2505@ctr.com>, davids@ctr.com (David Stein) writes:
- > In article <165806INNmgs@agate.berkeley.edu> dasilva@eero.ced.berkeley.edu (Ruieta Da Silva) writes:
- > >
- > >Another way to let anyone shutdown the computer is to create an
- > >account called shutdown and have the .profile or .login
- > >contain 'init 0'.
- > >
- > >the passwd entry would look like:
- > >shutdown::0:0:shutdown:/usr/people/shutdown:/bin/sh
- > >
- > >Deanan
- >
- > This techique leaves a security hole in it when a user
- > uses the su command (ie su shutdown) since by default the
- > .login or .profile is not read by default. Upon su to shutdown
- > the user has superuser privledges, and the system is not halted.
-
-
- True, but that hole does not exist if you use a line like
-
- shutdown:asdfasdf:0:0:shutdown:/:/etc/halt
-
-
- And you need not create any home directories, .login's, etc.
-
- Remember that a "shell" is nothing special. You can use any
- arbitrary program or even script that happens to do what you want
- as the "shell" for a user.
-
- This technique can be used even when the user ultimately needs a
- ordinarly shell, but you first need to do security checking. I think
- this is far more secure than putting such security stuff in .login or
- /etc/profile, and less intrusive.
-
-
-
- Vernon Schryver, vjs@sgi.com
-
