Message-ID: <17B78BDF120BD411B70100500422FC6309E4BE@IIS000>
From: Bernard Dautrevaux
To: "'Andrew DeFaria'" , cygwin AT cygwin DOT com
Subject: RE: login: no shell: /bin/bash: Permission denied
Date: Thu, 7 Mar 2002 09:38:37 +0100

> -----Original Message-----
> From: Andrew DeFaria [mailto:Andrew AT DeFaria DOT com]
> Sent: Wednesday, March 06, 2002 10:56 PM
> To: cygwin AT cygwin DOT com
> Subject: Re: login: no shell: /bin/bash: Permission denied
>
> Regardless, to me it still would be a large security hole if all one
> needs to do is:
>
> $ echo "+" > ~/.rhosts
>
> to be able to abuse rsh to do something under somebody else's user ID, is
> it not?
>

Note however that the "echo" above has to be done by "anotheruser"; you
can't do it. Rsh is insecure, but it at least verifies that ONLY anotheruser
is able to write to its own "~/.rhosts" :-)

And if you're fool enough to do this, you may as well do that:

$ echo "my password" > ~/THIS_IS_MY_PASSWORD
$ chmod a+r ~/THIS_IS_MY_PASSWORD

:) :) :) :)

Bernard

--------------------------------------------
Bernard Dautrevaux
Microprocess Ingenierie
97 bis, rue de Colombes
92400 COURBEVOIE
FRANCE
Tel: +33 (0) 1 47 68 80 80
Fax: +33 (0) 1 47 88 97 85
e-mail: dautrevaux AT microprocess DOT com
        b DOT dautrevaux AT usa DOT net
--------------------------------------------
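
An audit for the two conditions this thread turns on, as an added example that is not part of the original message: whether a ~/.rhosts file is writable by anyone other than its owner, and whether it contains a bare "+" wildcard entry. The names audit_rhosts and demo are hypothetical, the sample file content is constructed, and the code assumes the common "host [user]" line format with "#" comment lines and POSIX mode bits.

```python
import os
import stat
import tempfile

def audit_rhosts(path):
    """Return (line_no, issue) findings for one .rhosts file.
    line_no 0 means the finding is about the file itself."""
    findings = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return [(0, "not a regular file")]
    # The property the reply relies on: only the owner may write the file.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, "writable by group or others"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            host = fields[0]
            user = fields[1] if len(fields) > 1 else None
            # A bare "+" is a wildcard; "+@group" is a netgroup and is not flagged.
            if host == "+" and user == "+":
                findings.append((no, "any user from any host is trusted"))
            elif host == "+":
                findings.append((no, "any host is trusted"))
            elif user == "+":
                findings.append((no, "any user on %s is trusted" % host))
    return findings

def demo():
    """Audit a constructed sample file and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".rhosts")
        with open(path, "w") as fh:
            # Constructed sample: one ordinary entry, then the "+" from the thread.
            fh.write("# constructed sample\nbuildhost.example alice\n+\n")
        os.chmod(path, 0o666)
        return audit_rhosts(path)

if __name__ == "__main__":
    for line_no, issue in demo():
        print(line_no, issue)
```
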