Re: news account in RH linux

K.C. Chan
Trusted Contributor

news account in RH linux

All, I am not sure if this was intentional or not, but it appears that the news account could be a backdoor into your Linux server. Here's what I have on my server:
"news:x:9:13:news:/etc/news: ", notice the last field is blank. You could log in with the password "news". Here's my fix for it:
"news:x:9:13:news:/etc/news:/sbin/nologin". If anyone is experiencing the same or a similar issue with the news account, please post so I know I am not going crazy. Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
Kodjo Agbenu
Honored Contributor

Re: news account in RH linux

Hi,

I'm using RH9 and there is no way to login using password "news".

Kodjo
Learn and explain...
K.C. Chan
Trusted Contributor

Re: news account in RH linux

Not sure about RH9, but the servers I am seeing this on are RH7.2. Does anyone know the effect of leaving the shell blank in the passwd file?
Reputation of a thousand years can be determined by the conduct of an hour
Stuart Browne
Honored Contributor
Solution

Re: news account in RH linux

Whilst the lack of 'shell' for a given user is a stupid mistake, it is by no means a security hole. By default, the shell will be '/bin/sh'.

The 'x' in the 2nd field says that it uses the shadow password system. If you look in the /etc/shadow file, you'll see an '*' in the 2nd field.

This states that there is no valid password for user 'news', i.e. no matter what you type, it won't work.

This is not a security 'hole', just a dumb mistake, with no real issues.

Incidentally, '/bin/false' would be a better idea, as it isn't a shell, and thus would also deny FTP login attempts (regardless of password).
One long-haired git at your service...
Mark Grant
Honored Contributor

Re: news account in RH linux

Just out of historical interest, this DID use to be a security hole.

There used to be a program that came with most Unixes that allowed a user to change their default shell (it might still be around for all I know). This utility would change the last field in the passwd file to whatever shell the user specified. The "login" or "passwd" command (I can't remember which), rather inconveniently, had a feature that meant it would assume a maximum length for a passwd entry. All you had to do was change your shell to something that would make your passwd entry one character too long and you would "push" the last character of your shell name onto the next line. If this was an "h", for example, the resulting extra line would be an "h" with nothing after it. This would be interpreted by "login" as "h::0:0:::". Log in as "h" and instant root access was yours.

It doesn't work any more though :)
Never precede any demonstration with anything more predictive than "watch this"
Claudio Cilloni
Honored Contributor

Re: news account in RH linux

I'm using RH7.3; I have this line in /etc/passwd:

news:x:9:13:news:/var/spool/news:

but it isn't possible to telnet or ftp with this user.

ciao
Claudio
K.C. Chan
Trusted Contributor

Re: news account in RH linux

Thanks all for your input. There are other admins within my group. If this is locked down by default, then someone within my group has turned it on without my knowledge. I will look into it further and try to find out if someone has made a back door for himself without my knowledge.
Reputation of a thousand years can be determined by the conduct of an hour
Stuart Browne
Honored Contributor

Re: news account in RH linux

On an RH system by default, any UID (other than 0) less than 500 has no valid password.

If it does, then yeah, someone's been playing.
One long-haired git at your service...
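The two Stuart Browne replies above give an admin a concrete checklist: an empty seventh field in /etc/passwd means login(1) falls back to /bin/sh (a mistake, not by itself a hole), the account is only really locked if its /etc/shadow hash field is '*' (or, on later systems, starts with '!'), and on a Red Hat system of that era any UID between 1 and 499 should have no valid password at all. The script below is an added example, not code from the thread or from Red Hat, that parses passwd(5) and shadow(5) text and reports exactly those conditions, plus an extra-UID-0 entry of the "h::0:0:::" shape Mark Grant describes. The sample file contents are constructed for the demonstration (the hashes are placeholders, not real hashes); the issue codes and the 500 cut-off are this example's own choices.

```python
"""Audit passwd/shadow text for the conditions discussed in the thread.
Added example; the sample data below is constructed, not taken from a real host."""
from typing import Dict, List, Optional

SYSTEM_UID_MAX = 500          # RH convention in the thread: UIDs below 500 are system accounts
LOCKED_PREFIXES = ("*", "!")  # shadow hash values that can never match a typed password


def parse_passwd(text: str) -> List[dict]:
    """Parse passwd(5) lines; malformed lines are kept so they get reported."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            entries.append({"name": fields[0], "malformed": True})
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "shell": shell, "malformed": False})
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> hash field (second field) from shadow(5) lines."""
    hashes: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def password_state(hash_field: Optional[str]) -> str:
    """missing: no shadow line; empty: no password needed; locked: '*' or '!' prefix; usable: a real hash."""
    if hash_field is None:
        return "missing"
    if hash_field == "":
        return "empty"
    if hash_field.startswith(LOCKED_PREFIXES):
        return "locked"
    return "usable"


def audit(passwd_text: str, shadow_text: str, system_uid_max: int = SYSTEM_UID_MAX) -> Dict[str, List[str]]:
    """Return {user: [issue codes]} for every entry worth a second look."""
    shadow = parse_shadow(shadow_text)
    findings: Dict[str, List[str]] = {}
    for e in parse_passwd(passwd_text):
        issues: List[str] = []
        if e["malformed"]:
            issues.append("malformed_line")
        else:
            if e["pw"] == "x":                       # shadowed: the real answer is in /etc/shadow
                state = password_state(shadow.get(e["name"]))
            elif e["pw"] == "":                      # passwd itself says "no password"
                state = "empty"
            else:                                    # hash stored in world-readable passwd
                state = "locked" if e["pw"].startswith(LOCKED_PREFIXES) else "usable"
                if state == "usable":
                    issues.append("hash_in_passwd")
            if state == "empty":
                issues.append("no_password")
            if state == "missing":
                issues.append("no_shadow_entry")
            if e["uid"] == 0 and e["name"] != "root":
                issues.append("extra_uid0")
            if e["shell"] == "":
                issues.append("empty_shell")         # login(1) falls back to /bin/sh
            if 0 < e["uid"] < system_uid_max and state == "usable":
                issues.append("system_usable_password")
        if issues:
            findings[e["name"]] = issues
    return findings


# Constructed sample data: the thread's news entry with an empty shell and a usable hash,
# a Claudio-style locked account with an empty shell, a normal user, and an "h::0:0:::" line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:
ftp:x:14:50:FTP User:/var/ftp:
alice:x:500:500:Alice:/home/alice:/bin/bash
h::0:0:::
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
news:$1$constructedsalt$constructedhash:12000:0:99999:7:::
ftp:*:12000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:12000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user}: {', '.join(issues)}")
```

Run against the constructed sample it reports news (empty shell and a usable hash on a UID below 500, which is the combination the original poster was worried about), ftp (empty shell only, the harmless mistake Stuart describes), and h (no password, a second UID 0, empty shell). To use it on a real host, read /etc/passwd and /etc/shadow as root and pass their contents to audit(); the fix for an empty_shell finding is the one the thread settled on, /sbin/nologin or /bin/false in the seventh field.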