I thought about this one this weekend. If /bin/false is in /etc/shells
and you have ftp enabled, then a user could ftp in a .qmail file that
contains an expect script that runs chsh, and boom, they have a shell. How
to avoid this? Options:
a) take /bin/false and /bin/true out of /etc/shells
b) disable ftp
c) disable chsh and chfn
d) disable perl, expect, tcl, etc.
e) use vpops
lates,
-xs
end
+-------------------------------------+
|Greg Albrecht KF4MKT [EMAIL PROTECTED]|
|Safari Internet Fort Lauderdale, FL|
|www.safari.net 888-537-9550|
+------L-O-W-E-R--D-O-T--O-R-G--------+
On Wed, 14 Apr 1999, Joe Junkin wrote:
>Hello all,
>When a pop user logs in to check mail, they send their user password in clear
>text over the network. So, a pop user account could be compromised, and is
>therefore unsecure. On a mail server I administer, I set all of the qmail user
>accounts' shell to be /bin/false which disallows a direct login by the user. This
>is fine with me since none of my email accounts will ever log in.
>
>This seems secure, but is it enough? Is there more that one can do to secure pop
>accounts?
>
>--
>Joseph R. Junkin Datafree Corporation
>[EMAIL PROTECTED] http://www.datacrawler.com
>
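
An added example, not part of the original thread: an audit for the precondition the reply describes, a no-login program such as /bin/false or /bin/true listed in /etc/shells while accounts use it as their login shell. The function names, the inclusion of `nologin`, and the sample files are assumptions constructed for illustration; point the functions at the real /etc/shells and /etc/passwd to audit a host.

```shell
#!/bin/sh
# Print the no-login programs (matched by basename) listed in a shells file.
nologin_in_shells() {
    shells_file=$1
    # Drop comments and blank lines before looking at the path.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$shells_file" |
    awk '{ n = split($1, p, "/"); b = p[n]
           if (b == "false" || b == "true" || b == "nologin") print $1 }'
}

# Print "user:shell" for every account whose login shell is one of those
# listed no-login programs. These are the mail-only accounts option (a)
# in the reply is meant to protect.
exposed_accounts() {
    shells_file=$1
    passwd_file=$2
    bad=$(nologin_in_shells "$shells_file")
    [ -n "$bad" ] || return 0          # nothing listed, nothing exposed
    printf '%s\n' "$bad" | awk -F: '
        NR == FNR { bad[$0] = 1; next }   # first input: flagged shell paths
        ($7 in bad) { print $1 ":" $7 }   # second input: passwd entries
    ' - "$passwd_file"
}

# Constructed sample data (not taken from any real host).
demo=$(mktemp -d)
cat > "$demo/shells" <<'EOF'
# constructed sample /etc/shells
/bin/sh
/bin/bash
/bin/false
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
joe:x:1001:1001:POP user:/home/joe:/bin/false
ann:x:1002:1002:POP user:/home/ann:/sbin/nologin
EOF

echo "no-login programs listed in shells file:"
nologin_in_shells "$demo/shells"
echo "accounts using them as login shell:"
exposed_accounts "$demo/shells" "$demo/passwd"
```

In the sample, only joe is reported: ann's shell is a no-login program too, but it is not listed in the shells file.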