Bugtraq mailing list archives
Re: Fix for Linux/AIX login hole
From: dsiebert () icaen uiowa edu (Doug Siebert)
Date: Mon, 23 May 1994 13:09:08 -0500
From bugtraq-owner () cscns com Mon May 23 13:04:27 1994
Date: Mon, 23 May 94 10:09:34 -0400
From: "Serge J. Goldstein" <serge () Princeton EDU>
To: bugtraq () crimelab COM
Subject: Re: Fix for Linux/AIX login hole
Sender: bugtraq-owner () Crimelab COM
Precedence: bulk

A colleague sent me the following note:
A less painful (for the system modification unaware) way to lock it up on an AIX machine is:

1. Enter SMIT (as root)
2. Follow this path:
     Security & Users
     Users
     Change / Show Characteristics of a User
     User NAME (enter root)
3. Change "User can RLOGIN" to false
4. Click "Do"

That would be a very poor fix, as it would only keep out people using the hole to access 'root'. rsh machine -l -fbin would still work, and if AIX is like most Unixes, getting access to bin, daemon, or one of the other system users leaves little work left to get root. Plus you can log in as any real user on the system; passwords are meaningless.

Doug Siebert
dsiebert () isca uiowa edu