Static bins

Robert Connolly cendres at videotron.ca
Wed Jan 7 10:08:09 PST 2004


On January 7, 2004 12:57 pm, ken_i_m at elegantinnovations.net wrote:
> On Wed, Jan 07, 2004 at 12:18:42PM -0500, Robert Connolly 
(cendres at videotron.ca) wrote:
> > If a system is running ftpd and sshd, where a user has ftpd access but
> > not sshd shell, and has a shell of /bin/false, I think the only thing
> > preventing the user from forcing a shell is a single setting in the
> > sshd_config disallowing enviroment vars. If thats still true, then it
> > would certainly help if /bin/false were staticly linked; and why stop
> > there when suid bins share the same theroretical problem.
>
> [Making no investigation into the actual case as described above.]
>
> Why is "...a single setting in the sshd_config" a concern?  Two or more
> settings would be worse as they would increase the possiblity of getting
> things mis-configured.

That one setting seems to be the only thing keeping sanity. If there was a bug 
in that setting, a staticly linked /bin/false would prevent further 
compromise.




More information about the hlfs-dev mailing list