Invalidating an /etc/passwd entry (was "Do not use blank lines in /etc/pass")

Andrew Klossner andrew at hammer.TEK.COM
Fri Oct 31 08:13:45 AEST 1986


On invalidating entries in /etc/passwd:

One correspondent spoke of changing the password to something to which
nothing will encrypt.  Another prefers to change the shell to something
which prints a short message of denial then exits.

We do *both*.  Changing the password but leaving the shell intact
allows entry to anyone who is already in or can enter the user's
.rhosts file.  Changing the shell but leaving the password lets anyone
with the password "su" to the account, if your "su" uses the invoker's
shell.  (If your "su" uses the target user's shell, you open a
different but similarly nasty security hole.)

  -=- Andrew Klossner   (decvax!tektronix!tekecs!andrew)       [UUCP]
                        (tekecs!andrew.tektronix at csnet-relay)  [ARPA]
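
An added example, not part of the original post: a Python audit that reads classic-format passwd lines (hash in the second field, as in 1986) and reports accounts where only one of the two measures has been applied. The denial-shell list, the status names and the sample entries are assumptions constructed for illustration.

```python
import re

# Assumption: shells that only deny login; use your site's own list.
DENY_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Classic crypt(3) DES output is exactly 13 characters from this alphabet.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")


def password_usable(field):
    """True if some typed password (or none at all) could match this field."""
    if field == "":
        return True  # empty field: the account needs no password
    return field.startswith("$") or bool(DES_HASH.match(field))


def classify(line):
    """Return (name, status) for one classic-format passwd line."""
    fields = line.split(":")
    if len(fields) != 7:
        return fields[0], "malformed"
    name, pw, shell = fields[0], fields[1], fields[6]
    if pw == "x":
        return name, "shadowed"  # hash lives elsewhere; not judged here
    pw_live = password_usable(pw)
    shell_live = (shell or "/bin/sh") not in DENY_SHELLS  # empty means /bin/sh
    if pw_live and shell_live:
        return name, "active"
    if not pw_live and not shell_live:
        return name, "disabled"
    # Exactly one measure applied: the gaps the post describes.
    return name, "password-locked-only" if shell_live else "shell-denied-only"


def audit(passwd_text):
    """Map account name -> status, skipping blank lines."""
    return dict(classify(l) for l in passwd_text.splitlines() if l.strip())


# Constructed sample entries; the 13-character hash is made up.
SAMPLE = """\
alice:ab01FAX.bQRSU:101:100:Alice:/home/alice:/bin/sh
bob:*:102:100:Bob:/home/bob:/bin/csh
carol:ab01FAX.bQRSU:103:100:Carol:/home/carol:/bin/false
dave:*:104:100:Dave:/home/dave:/bin/false
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:8} {status}")
```

Accounts reported as `password-locked-only` remain reachable through `.rhosts`, and those reported as `shell-denied-only` remain reachable through `su`, so an account counts as invalidated only when it is reported as `disabled`.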


