[svlug] Ubuntu 9.04 upgrade

James Sparenberg james at linuxrebel.org
Sat May 2 16:35:25 PDT 2009


Grant Bowman wrote:
> Hi James,
>
> I'm no security expert, but this URL seems to say that
> /usr/sbin/nologin or cousins like /bin/false aren't much of an
> improvement for real security.  How do other distributions handle
> this?
>
> http://www.semicomplete.com/articles/ssh-security/
>
>   
The rest of them use /bin/false or nologin.  One advantage to not giving 
shells to system users is that you can't force yourself into having a 
shell with potentially escalated privilege.  BTW ssh is one of the few 
system users that get false as a shell in Ubuntu.

What they are doing there is creating accounts with /bin/false that DO 
allow authentication, just don't give a shell.  In the case of system 
users they don't allow authentication in the first place.  So you can't 
do the same thing this person is doing.  However if you have a user who 
has an account and wishes to either gain privileges they don't have or 
(to me worse) hide what they are doing by laying a trap for the user(s) 
on a *buntu box so that they trip either a trojan or other problem 
granting me increased privilege by becoming a user.

No, IMHO one should never rely on /bin/false or /usr/sbin/nologin (or my 
fav. /bin/date) as their only defense.  But to my way of thinking, that 
doesn't mean that you should then head in the opposite direction and 
open the door as wide as *buntu has done.  Remember you don't need to be 
Fort Knox, just tougher than anyone else.  Right now, *buntu has opened 
an exploitable door it would seem and I'd be rather unfriendly if I 
didn't point out the potential for a problem, as I see it.
But don't just take my word for it.  Check out this article from Linux 
Magazine. http://www.linux-mag.com/id/7297 (Warning: flash interleave ad)

James
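
The two account states contrasted in the message above (an account that can authenticate but gets no shell, versus a system account that has a shell but cannot authenticate) can be told apart by reading passwd and shadow entries together. The following is an added example, not part of the original post; the account entries are constructed sample data and the status labels are names chosen for this sketch.

```python
# Added example; the account data below is constructed, not from a real host.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
tunnel:x:1001:1001::/home/tunnel:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructed$hash:14366:0:99999:7:::
sshd:*:14366:0:99999:7:::
tunnel:$6$constructed$hash:14366:0:99999:7:::
www-data:*:14366:0:99999:7:::
alice:$6$constructed$hash:14366:0:99999:7:::
"""

def password_usable(field):
    # A leading '!' or '*' can never match a crypt(3) hash, so password
    # authentication is off. An empty field means no password is required.
    return not field.startswith(("!", "*"))

def load_shadow(text):
    entries = {}
    for line in text.splitlines():
        if line.strip():
            name, pw = line.split(":")[:2]
            entries[name] = pw
    return entries

def audit(passwd_text, shadow_text):
    """Map each account name to one of four status labels."""
    shadow = load_shadow(shadow_text)
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        shell = fields[6] or "/bin/sh"  # an empty shell field means /bin/sh
        has_shell = shell not in NOLOGIN_SHELLS
        # No shadow entry: treated as locked (assumption for this example).
        can_auth = password_usable(shadow.get(fields[0], "*"))
        report[fields[0]] = {
            (True, True): "interactive",
            (True, False): "auth-without-shell",
            (False, True): "shell-without-auth",
            (False, False): "locked-down",
        }[(can_auth, has_shell)]
    return report
```

SSH public keys are configured separately from the shadow password field and are not covered by this check.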








