Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: any reason for a user without a homedir - security/config/application?
Top Forums UNIX for Advanced & Expert Users any reason for a user without a homedir - security/config/application? Post 302194388 by Smiling Dragon on Monday 12th of May 2008 09:05:07 PM
Old 05-12-2008
Quote:
Originally Posted by frozentin
You could assign /tmp as the home dir for these users. I always feel a little queasy about putting somebody in "/", lest they also have sudo permissions, and (even unknowingly) cause major trouble.
I'm not such a fan of /tmp, it creates a fairly large security vulnerability; Imagine that you are a user on a solaris system where you know some users have homedirs set to /tmp. Now imagine that the server has been recently restarted and /tmp is pristine and empty and you are a somewhat mischevious sort.
Createing /tmp/.ssh won't get you very far as ssh perfoms a number of integrity checks to protect you from sneakyness here, but think about .Xauthority files for instance, I could create an xauth cookie that I know, then put an Xauthority file in /tmp and wait for a user to log in. They'd potentially 'reuse' our version of the cookie and allow us to gain control of their screen, keyboard and mouse. Alternativly, one could create a profile, .login, .cshrc, .bashrc or .kshrc that does a bunch of evil things as/to the user logging in.
Even worse/funnier they would be unable to remove or alter these files so they couldn't even fix it themselves if they noticed.

Why would sudo be affected by the homedir?
 

6 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Help with capturing homedir via ssh and saving to variable

I need to capture the homedir using the ssh command and then saving it to a variable. The results from the following command is what I need to capture to a variable: NOTE: the value I'm getting back is also incorrect. as it seems to be getting the home dir from the local server and not the... (2 Replies)
Discussion started by: reneuend
2 Replies

2. Shell Programming and Scripting

how to send config file to other application

hi.. i have one c++ pgm which run shell script.shell script reads username and password from file.This pgm check username password is correct or not.After checking this i want to send config file of respective user to other application.I made config file also.My problem is how to send this config... (1 Reply)
Discussion started by: shubhig15
1 Replies

3. UNIX and Linux Applications

how to send config file to other application

hi.. i have one c++ pgm which run shell script.shell script reads username and password from file.This pgm check username password is correct or not.After checking this i want to send config file of respective user to other application.I made config file also.My problem is how to send this... (1 Reply)
Discussion started by: shubhig15
1 Replies

4. SuSE

How to config root kde same as user?

Eclipse looks completely different when run under root compared to my user. It's like kde wasn't setup for root upon installation. I'm running Suse 9.3 Pro. How do I configure root kde so that eclipse looks the same when run as user? (3 Replies)
Discussion started by: shwick2
3 Replies

5. UNIX and Linux Applications

postfix config: how to relay mails for only one user of a certain domain

Hello there, First of all I tell you that this is my first postfix installation so please be patient... I have following scenario: fetchmail --> postfix --> amavis-new --> postfix --> exchange 2010. Everything -except exchange ;-)- runs on an opensuse 12.1 box. Now, I have a list of... (0 Replies)
Discussion started by: lpacor
0 Replies

6. Red Hat

Regarding application of security patches RHEL 5.5

Hi Is there a direct way to apply a particular security advisory on the system. Presently we have certain security advisories to be applied which require installation of multiple rpms and their dependencies. These rpms as listed in the security advisory also mention that they have been... (0 Replies)
Discussion started by: Sapanvas
0 Replies

LEARN ABOUT MOJAVE

deallocate

deallocate(1)                                                                                                                        deallocate(1)

NAME

       deallocate - device deallocation

SYNOPSIS

       deallocate [-s] device

       deallocate [-s] [-F] device

       deallocate [-s] -I

       The  deallocate utility deallocates a device allocated to the evoking user. device can be a device defined in  device_allocate(4) or one of
       the device special files associated with the device. It resets the ownership and the permission on all device special files associated with
       device, disabling the user's access to that device. This option can be used by an authorized user to remove access to the device by another
       user. The required authorization is solaris.device.allocate.

       When deallocation or forced deallocation is performed, the appropriate device cleaning program is  executed,  based  on  the   contents  of
       device_allocate(4).  These cleaning programs are normally stored in /etc/security/lib.

       The following options are supported:

       device          Deallocate the device associated with the device special file specified by device.

       -s              Silent. Suppresses any diagnostic output.

       -F device       Forces  deallocation of the device associated with the file specified by device. Only a user with the solaris.device.revoke
                       authorization is permitted to use this option.

       -I              Forces deallocation of all allocatable devices. Only a user with the solaris.device.revoke authorization  is  permitted  to
                       use this option. This option should only be used at system initialization.

       The following exit values are returned:

       non--zero       An error occurred.

       /etc/security/device_allocate

       /etc/security/device_maps

       /etc/security/dev/*

       /etc/security/lib/*

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
       +-----------------------------+-----------------------------+
       |Availability                 |SUNWcsu                      |
       +-----------------------------+-----------------------------+

       allocate(1), list_devices(1), bsmconv(1M), dminfo(1M), mkdevalloc(1M), mkdevmaps(1M), device_allocate(4), device_maps(4), attributes(5)

       The  functionality  described  in  this man page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for
       more information.

       /etc/security/dev, mkdevalloc(1M), and mkdevmaps(1M) might not be supported in a future release of the Solaris Operating Environment.

                                                                    28 Mar 2005                                                      deallocate(1)
All times are GMT -4. The time now is 04:36 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy