From: Seth Arnold (sarnoldwirex.com)
Date: Fri Mar 08 2002 - 12:06:40 CST

    On Thu, Mar 07, 2002 at 10:31:37AM -0000, Brian Clifton wrote:
    > Even if a user could do this, wouldn't disabling anonymous FTP be a
    > simple answer or am I missing something?

    The problem isn't accepting ftp connections -- it is allowing users to
    use the ftp client on the machine with the 'restricted shell' -- because
    the ftp client allows users to execute programs locally pretty easily. Of
    course, you have the source to your ftp clients, so feel free to modify
    your client of choice to prevent that. :)

    Of course, many unix programs have this ability, because it is useful.
    Practically every editor, every MUA, every terminal-based web browser,
    and other useful programs, all have easy access to the shell. Many
    programs have 'restricted' modes that are supposed to prevent access to
    the shell, but mistakes happen.

    Ever wonder what happens if a user sets EDITOR=/bin/sh before editing
    outgoing email? I never thought about it until today. I wonder what
    happens. And perhaps someone trying to create a restricted shell
    probably ought to wonder about it too. :)

    -- 
    UniNet InfoSec Conference   April 15-19   http://infosec.uninet.edu 
    

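An added example (not part of the original post) of how an administrator could audit a restricted-shell account for the problem described above: helper variables such as EDITOR that point at a shell, and shell-capable programs left in the account's command directory. The program list, the function names and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The program list is an assumption.

# Programs of the kinds the post names (ftp client, editors, MUAs, text-mode
# browsers), plus pagers, that can start local commands. Extend per site.
ESCAPE_CAPABLE="ftp vi vim ed ex emacs mutt pine elm mail mailx lynx links more less"

# is_shell PATH: succeed if PATH's basename is an unrestricted shell.
is_shell() {
    case "${1##*/}" in
        sh|ash|bash|dash|ksh|zsh|csh|tcsh) return 0 ;;
    esac
    return 1
}

# audit_env: report helper variables that would make a program launch a shell,
# e.g. the EDITOR=/bin/sh case from the post. Reads the current shell variables.
audit_env() (
    for name in EDITOR VISUAL PAGER SHELL; do
        eval "value=\${$name-}"
        value=${value%% *}          # keep the program, drop its arguments
        if is_shell "$value"; then
            echo "ENV $name=$value"
        fi
    done
)

# audit_bin DIR: report entries in the restricted account's command directory
# that are shells or are on the escape-capable list.
audit_bin() (
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        if is_shell "$name"; then
            echo "BIN $name unrestricted-shell"
            continue
        fi
        for prog in $ESCAPE_CAPABLE; do
            if [ "$name" = "$prog" ]; then
                echo "BIN $name escape-capable"
            fi
        done
    done
)

# Constructed demo: a hypothetical restricted bin directory and environment.
demo=$(mktemp -d)
touch "$demo/ls" "$demo/ftp" "$demo/vi" "$demo/bash"
( EDITOR=/bin/sh; PAGER="less -R"; VISUAL=vi; SHELL=/bin/rbash; audit_env )
audit_bin "$demo"
rm -rf "$demo"
```

Every line the audit prints is something to remove from the account or to replace with a build that has the escape disabled; an empty result only means nothing on the assumed list was found.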