any reason for a user without a homedir - security/config/application?
Post 302194388 by Smiling Dragon on Monday 12th of May 2008 09:05:07 PM
Quote:
Originally Posted by frozentin
You could assign /tmp as the home dir for these users. I always feel a little queasy about putting somebody in "/", lest they also have sudo permissions, and (even unknowingly) cause major trouble.
I'm not such a fan of /tmp, it creates a fairly large security vulnerability. Imagine that you are a user on a Solaris system where you know some users have homedirs set to /tmp. Now imagine that the server has been recently restarted and /tmp is pristine and empty and you are a somewhat mischievous sort.
Creating /tmp/.ssh won't get you very far as ssh performs a number of integrity checks to protect you from sneakiness here, but think about .Xauthority files for instance: I could create an xauth cookie that I know, then put an Xauthority file in /tmp and wait for a user to log in. They'd potentially 'reuse' our version of the cookie and allow us to gain control of their screen, keyboard and mouse. Alternatively, one could create a profile, .login, .cshrc, .bashrc or .kshrc that does a bunch of evil things as/to the user logging in.
Even worse/funnier, they would be unable to remove or alter these files so they couldn't even fix it themselves if they noticed.

Why would sudo be affected by the homedir?
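
An audit for the condition described in the post above, added here as an example and not part of the original thread: it flags accounts whose home directory is world-writable (such as /tmp) or which contain startup files owned by someone other than the account. The function names and the choice to accept root-owned home directories are assumptions of this example.

```python
import os
import pwd
import stat

# Per-user files a login shell or X client reads from $HOME (names from the post).
STARTUP_FILES = (".profile", ".login", ".cshrc", ".bashrc", ".kshrc", ".Xauthority")

def audit_home(uid, home):
    """Return findings for one account whose passwd home field is `home`."""
    try:
        st = os.stat(home)
    except OSError:
        return ["home directory missing or unreadable"]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("home is world-writable")
    if st.st_uid not in (uid, 0):  # assumption: a root-owned home is acceptable
        findings.append("home owned by uid %d" % st.st_uid)
    for name in STARTUP_FILES:
        try:
            fst = os.lstat(os.path.join(home, name))
        except OSError:
            continue  # file absent: nothing to check
        if fst.st_uid != uid:
            findings.append("%s owned by uid %d" % (name, fst.st_uid))
        elif not stat.S_ISLNK(fst.st_mode) and fst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s writable by group/other" % name)
    return findings

def audit_accounts(entries):
    """entries: iterable of (name, uid, home); returns {name: findings}."""
    report = {}
    for name, uid, home in entries:
        findings = audit_home(uid, home)
        if findings:
            report[name] = findings
    return report

def system_accounts():
    """(name, uid, home) for every entry in the local passwd database."""
    return [(p.pw_name, p.pw_uid, p.pw_dir) for p in pwd.getpwall()]

if __name__ == "__main__":
    for name, findings in sorted(audit_accounts(system_accounts()).items()):
        print("%s: %s" % (name, "; ".join(findings)))
```

Service accounts whose home does not exist are reported too, so expect some entries to review rather than fix.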
 
