On Mon, Apr 24, 2000 at 11:59:41AM +0200, Rupert Koenig wrote:
Hi folks!
There seems to be a security problem in SuSE 6.3. I've got a server (6.3) running which provides a YP server. Now I created some new users at this server with login shell /bin/false. These users are exported via YP to my workstation (6.3). So far so good: if I try to log in on my workstation with one of these users via telnet or at the console, the login fails, as it should because of /bin/false.
But if I try to log in at KDM, a login is possible!! Indeed, this is not possible for all WMs, but e.g. with fvwm2 it starts and I can start an x-term for this user!!
Other WMs like KWM don't start completely, probably because there is no home dir for these users at my workstation. Is this a problem of KDM or perhaps of YP?
It would be great if anybody could tell me if he/she has the same problem.
bye Rupert
Indeed this is a security problem if a user that has /bin/false as a login shell has physical access to your console (or access to your machine via XDMCP). This is, on the other hand, NOT a problem with either YP or the WMs themselves.

You can implement a nologin policy for any login method using PAM. Check out the /etc/pam.d files. F.ex. you could add:

auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/no_logins onerr=succeed

to the xdm or gdm file (apparently kdm does not have its own pam file, and I'm not sure if kdm really is pam aware) and then create a /etc/no_logins file including all users that should not be able to log in via console.

Many other solutions for this problem exist. It is well known, and mainly a matter of choice how this is handled :-)

-tosi
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
--
Þór Sigurðsson | Tor Sigurdsson
Netmaður | Network Specialist
tosi@hi.is
RHCE
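The pam_listfile approach from tosi's reply, as an added shell example (not code from the thread): it derives the /etc/no_logins deny list from passwd-format entries whose login shell is /bin/false, and inserts the PAM line into a pam.d service file exactly once. The paths /etc/pam.d/xdm and /etc/no_logins are taken from the reply; the sample passwd entries are constructed, and on a live workstation they would come from `ypcat passwd`.

```shell
#!/bin/sh
# Added example, not code from the thread: build the /etc/no_logins deny list
# for pam_listfile from passwd-format entries (accounts whose login shell is
# /bin/false), and insert the pam_listfile line into a pam.d service file
# once. Paths (/etc/pam.d/xdm, /etc/no_logins) are taken from the reply.

# Constructed sample passwd map (not real accounts) so the script runs offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
mailonly:x:1002:100:Mail Only:/home/mailonly:/bin/false
ftponly:x:1003:100:FTP Only:/home/ftponly:/bin/false'

# Read passwd lines on stdin; print login names whose 7th field is /bin/false.
no_login_users() {
    awk -F: '$7 == "/bin/false" { print $1 }'
}

# The pam_listfile line from the reply. onerr=succeed means a missing or
# unreadable /etc/no_logins lets the login proceed; onerr=fail would deny.
pam_deny_line() {
    printf '%s\n' 'auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/no_logins onerr=succeed'
}

# Prepend the deny line to a pam.d service file ($1) unless already present,
# so the check is evaluated before any module that could grant the login.
ensure_pam_deny() {
    grep -q 'pam_listfile.so.*file=/etc/no_logins' "$1" 2>/dev/null && return 0
    { pam_deny_line; cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage on the workstation (run as root):
#   ypcat passwd | no_login_users > /etc/no_logins
#   ensure_pam_deny /etc/pam.d/xdm
```

Running `ensure_pam_deny` a second time is a no-op, so the script can be re-run whenever the YP map changes.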