
Re: [suse-security] .rhost everybody access



First thing first: I can't answer your original question on how to
configure rlogin to let anybody in.  I dumped rlogin completely years
ago.  Sorry.

But nevertheless, allow me some remarks:

On Thu, 8 May 2003, Joao Reis wrote:

> The purpose of giving permission to everybody is because there is an
> account which is used by everybody in my company.
>
> This is a project account and my company only has 5 users.

Then I still don't see why you don't simply set up some unix group for
the project and create the project directories with write permission
for the group.  That's exactly what unix groups were invented for.

If it's for the common environment thing, well, just add a shell script
that clears the current environment (if necessary) and sets up the
common environment for the project.  Tell your co-workers to source
this script into their shell when starting to work on the project.
That's at least as comfortable as doing an rlogin.


If you still want the common account, then I'd recommend following the
proposal of Markus to distribute the private key to ssh to that
account among the project members.


> I don't see any security flaws in this case. If this account is
> screwed up then everybody will lose because their work is in this
> account.

Well, maybe: if your box does not have any connection to the Internet,
the risks may be limited.

If your box is connected to the net, then I do see security flaws.
Just to name some of them:

* The computer may be abused to send spam.

* The computer may be abused to participate in DDoS attacks.  This can
  become quite costly if you are sued for the damage.

* Any locally exploitable security bug that permits a root compromise
  automatically turns into a remotely exploitable root compromise,
  which raises the impact of any bug quite a lot.

-- 
                   Rolf Krahl <rolf.krahl@xxxxxxx>
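A concrete version of the group-plus-sourced-script setup suggested in the mail above, added here as an example and not part of the original post or of any SuSE tooling; the group name, project directory and script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): a shared project directory
# owned by a Unix group, plus a script members source for the common
# environment.  Group name, directory and script path are assumptions.

# Create the project directory for a group; run once, as root, after
# `groupadd project` and `usermod -aG project <user>` for each member.
setup_project_dir() {
    dir="$1"; group="$2"
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    # 2770: setgid so new files inherit the group; rwx for owner and
    # group; no access at all for other users on the box.
    chmod 2770 "$dir"
}

# Verify a directory is group-writable and setgid (positions 6 and 7 of
# the `ls -l` mode string, e.g. "drwxrws---").
project_dir_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d????w[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the file each member sources (". /srv/project/env.sh") instead
# of logging into a shared account.  $1 = script path, $2 = project dir.
write_env_script() {
    cat > "$1" <<EOF
# Common project environment; source this, do not execute it.
umask 007                       # new files: rwx for owner and group only
export PROJECT_HOME="$2"        # project root, shared via the group
export PATH="\$PROJECT_HOME/bin:\$PATH"
EOF
}

# Stand-alone demonstration in a scratch directory using the caller's
# own primary group, so no root is required: `sh thisfile.sh demo`.
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    setup_project_dir "$scratch/project" "$(id -gn)"
    write_env_script "$scratch/env.sh" "$scratch/project"
    project_dir_ok "$scratch/project" && echo "project dir ok"
    rm -rf "$scratch"
fi
```

Because the directory is setgid and the sourced umask is 007, files any member creates under it are group-writable and invisible to other local users, which is the property the shared account was meant to give.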
