Bugtraq mailing list archives

Re: Fix for Linux/AIX login hole


From: dsiebert () icaen uiowa edu (Doug Siebert)
Date: Mon, 23 May 1994 13:09:08 -0500


From bugtraq-owner () cscns com Mon May 23 13:04:27 1994
Date: Mon, 23 May 94 10:09:34 -0400
From: "Serge J. Goldstein" <serge () Princeton EDU>
To: bugtraq () crimelab COM
Subject: Re: Fix for Linux/AIX login hole
Sender: bugtraq-owner () Crimelab COM
Precedence: bulk


A colleague sent me the following note:


A less painful (for the system modification unaware) way to lock it up on
an AIX machine is:


   1. Enter SMIT (as root)
   2. Follow this path:
      Security & Users
      Users
      Change / Show Characteristics of a User
      User NAME (enter root)
   3. Change "User can RLOGIN" to false
   4. Click "Do"




That would be a very poor fix, as it would only keep out people using the
hole to access 'root'.  rsh machine -l -fbin would still work, and if AIX is
like most Unixes, getting access to bin, daemon, or one of the other system
users leaves little work left to get root.  Plus you can log in as any real
user on the system; passwords are meaningless.


Doug Siebert
dsiebert () isca uiowa edu
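
Added example (not part of the original post, and not AIX code): a small C model of the point made in the reply, assuming the remote user name reaches login as a command-line argument so that a leading `-f` is read as an "already authenticated" flag. It compares the root-only SMIT setting with rejecting any name that begins with `-`; all function names and sample names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (an assumption, not AIX source): a remote name of the
 * form "-f<account>" is read as "skip the password check for <account>".
 * Returns the account named after "-f", or NULL when no such flag is present. */
static const char *preauth_account(const char *name)
{
    return (strncmp(name, "-f", 2) == 0 && name[2] != '\0') ? name + 2 : NULL;
}

/* The SMIT workaround: "User can RLOGIN" set to false for root only. */
static bool root_only_blocks(const char *name)
{
    const char *acct = preauth_account(name);
    return strcmp(acct ? acct : name, "root") == 0;
}

/* Validation: refuse any remote name that could be read as an option. */
static bool validation_blocks(const char *name)
{
    return name[0] == '\0' || name[0] == '-';
}

/* Count names that are let through AND skip the password check. */
static int bypasses(bool (*blocks)(const char *), const char *const *names, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (!blocks(names[i]) && preauth_account(names[i]) != NULL)
            count++;
    return count;
}

/* Constructed sample input; "alice" stands for an ordinary user. */
static const char *const SAMPLE[] = { "-froot", "-fbin", "-fdaemon", "alice" };

int main(void)
{
    printf("root-only setting: %d bypasses\n", bypasses(root_only_blocks, SAMPLE, 4));
    printf("reject leading '-': %d bypasses\n", bypasses(validation_blocks, SAMPLE, 4));
    return 0;
}
```

In this model the root-only setting still lets the system-account names through without a password, while the leading-dash check stops every such name and leaves the ordinary login untouched.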


