topic Re: Problems using /bin/false as a shell user in Operating System - HP-UX

Problems using /bin/false as a shell user

Jansen Sena_1 — Fri, 18 Jul 2003 14:00:32 GMT

Dear friends,

I'm having problems when I use /bin/false as a shell user in /etc/passwd. When I run "su - user" the comand shows a coredump:

# su - user
su: No shell
Memory fault(coredump)

I think this is a security problem. Is this correct? Can anyone help me? Is there any patch for this problem?

I am using HP-UX 11.00.

Thanks,

Jansen.

Re: Problems using /bin/false as a shell user

Enrico P. — Fri, 18 Jul 2003 14:09:04 GMT

Hi,
check this:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x92f1e822e739d711abdc0090277a778c,00.html

Enrico.

Re: Problems using /bin/false as a shell user

Anthony deRito — Fri, 18 Jul 2003 14:09:21 GMT

This may help....

Problem Description

When doing a su within the NIS environment, I get a memory
fault core dump on HP-UX 11.0. I have the latest NIS patch.
What is causing this problem?

Configuration Info

Operating System - HPUX
Version - 11.0
Hardware System - HP 9000
Series - T500

Solution

su(1) can dump core when used on a system with NIS, because NIS uses
heap memory that su(1) expects to be initialized to all "\0".
Apply the new su patch PHCO_15232 in order to solve this problem.

Patches can be superseded by subsequent versions; be sure to load
the current version.

Re: Problems using /bin/false as a shell user

Steve Steel — Fri, 18 Jul 2003 14:14:19 GMT

Hi

The /bin/false is not a shell but just a script for auto exit. It is given to ftp users to fix a possible security problem.

You cannot use it for a normal user.
su needs a realshell or it aborts.

cat /bin/false

# @(#) $Revision: 64.1 $
exit 1

# what /bin/false
/bin/false:
$Revision: 64.1 $

file /bin/false
/bin/false: commands text

Steve Steel

Re: Problems using /bin/false as a shell user

A. Clay Stephenson — Fri, 18 Jul 2003 14:23:01 GMT

This is a rather useless exercise. Even if you include /bin/false in /etc/shells, the su command is going to then spawn /bin/false after setting the user id and group id to the new user. Of course, /bin/false will immediately exit and you are back in the parent shell as the original user.

User's with /bin/false or similar shells can really only change the UID with the setuid() system call with C. If you want to do this in a scripting language,use Perl. You can use the POSIX::setuid Perl function or simply reassign $<.

Re: Problems using /bin/false as a shell user

Jansen Sena_1 — Fri, 18 Jul 2003 15:07:10 GMT

Guys,

I'm using /bin/false as a user shell because I need configure ftp only users. But, I think that coredump is a local security problem. On Linux, for example, when I configure a user's shell to /bin/false and I run su, the user logon process fail but I don't have coredump.

Re: Problems using /bin/false as a shell user

Shannon Petry — Fri, 18 Jul 2003 15:58:54 GMT

Well, you are expected to use /bin/false as a shell for FTP only ID's.

Because you get a core dump with su - ID and they have no shell is not a security issue, it's a login/pam patch issue where login is not aborting correctly when you have no valid shell and force login.

Make sure your patched correctly, but more importantly... Dont test your ID's with su! The only way to test the ID is to attemp different login in methods (telnet, rsh, ftp). Using su ftponlyid will not show you anything about the ID.

Regards,
Shannon