COMMAND

    rsh (restricted shell)

SYSTEMS AFFECTED

    Systems (most of them) running restricted shells

PROBLEM

    The following is based on Corinne Posse Security Notice Issue 3.

    Why are .login and .profile based restricted shells a bad idea?
    Restricted shells are used all over the place-- for public access
    news, library, gopher, and wais accounts as well as samplings of
    shell accounts on ISPs.  Some restricted shells are based on the
    .profile and .login files in a normal account's home directory.
    Properly implemented restricted shells are either a separate C
    program, or a well-written shell or DCL script (if you like VMS).

    For what could be called obvious reasons, .login and .profile
    based restricted shells are not safe.  Corinne Posse has noticed
    admins (that's plural, folks) using the .login and .profile
    methods to restrict user access.

    Since the majority of the 'net these days is WWW and POP-based,
    some admins will even forget that they are actually running shell
    systems under the fancy GUI interfaces.  This lack of attention to
    detail makes life easy for someone wanting unauthorized access.
    To borrow a quote from Scott McNealy (CEO of Sun Microsystems):
    "There are too many amateurs running systems out there today."
    (Comdex, June '96)

    In the case of a restricted shell via .login and .profile, the
    account has a normal shell allocated to it in /etc/passwd.  A user
    can FTP into the site and remove or replace the .login and
    .profile files with ones of their own.  Then they can log back in
    to the account and enjoy unauthorized access.

    What really bites some admins in the ass on this is that even if
    the .login and .profile files are owned by root, they sit in a
    directory that is NOT owned by root-- the user's home directory.
    It is normal Unix behavior, then, for a user to be able to delete
    a root-owned file from his/her own directory-- even if it is
    chmod'd to mode 600 or 400, because deleting a file requires only
    write permission on the directory containing it, not on the file.

    Many BBS-based ISPs use methods like this so their users can IRC,
    read news or gopher.

SOLUTION

    If you know what you are doing, there is no problem.  Don't use
    anything without knowing its implications.
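    As an added example (not part of the original notice), the following
    Python audit checks the exact condition described above: a .profile or
    .login placed by the admin (not owned by the account) that the account
    can nevertheless delete or replace because of the home directory's
    owner and mode.  The passwd lines and filesystem entries are constructed
    sample data; the Entry type and the stat_fn callback are this example's
    own design, so the check can run offline against a fake filesystem.

```python
import os
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "uid mode")   # the two stat() fields the check uses
STARTUP_FILES = (".profile", ".login")

def user_can_unlink(dir_st, file_st, uid):
    """Can uid delete or rename the file?  Decided by write permission on the
    directory (plus the sticky-bit rule), not by the file's owner or mode; a
    root-owned 0400 .profile in a user-owned home is therefore replaceable."""
    own_dir = dir_st.uid == uid           # group permission bits ignored for brevity
    if not dir_st.mode & (stat.S_IWUSR if own_dir else stat.S_IWOTH):
        return False
    if dir_st.mode & stat.S_ISVTX:        # sticky: only file owner or dir owner
        return own_dir or file_st.uid == uid
    return True

def audit(passwd_lines, stat_fn):
    """Return [(user, path)] for admin-placed (not user-owned) .profile/.login
    files that the account itself can still remove or replace."""
    findings = []
    for line in filter(None, map(str.strip, passwd_lines)):   # skip blank lines
        name, _, uid, _, _, home, _shell = line.split(":")
        uid, home_st = int(uid), stat_fn(home)
        for path in (os.path.join(home, f) for f in STARTUP_FILES):
            file_st = stat_fn(path)
            if home_st is None or file_st is None or file_st.uid == uid:
                continue                  # no home, no file, or user-owned file
            if user_can_unlink(home_st, file_st, uid):
                findings.append((name, path))
    return findings

def real_stat(path):
    """Adapter for a live host: audit(open("/etc/passwd"), real_stat)."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return Entry(st.st_uid, st.st_mode)

# Constructed sample, not from a real host: 'news' owns a writable home, so its
# root-owned 0400 .profile is replaceable; 'gopher' sits in a root-owned 0755 home.
SAMPLE_PASSWD = ["news:x:1001:1001:public news:/home/news:/bin/sh",
                 "gopher:x:1002:1002:public gopher:/home/gopher:/bin/sh"]
SAMPLE_FS = {"/home/news": Entry(1001, stat.S_IFDIR | 0o755),
             "/home/news/.profile": Entry(0, stat.S_IFREG | 0o400),
             "/home/gopher": Entry(0, stat.S_IFDIR | 0o755),
             "/home/gopher/.profile": Entry(0, stat.S_IFREG | 0o400)}
```

    audit(SAMPLE_PASSWD, SAMPLE_FS.get) reports only the news account; on a
    live host call audit(open("/etc/passwd"), real_stat) as root.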