rob@sparky.HAC.COM (Rob Henderson) (10/07/88)
Greetings,
I give up!! This problem has gotten the best of me so I am turning
to the net for help. FYI, I'm running SunOS 3.4 on a Sun 3/260.
I have set up the following two accounts:
dummy::0:1:dummy:/:/usr/local/bin/dummy_account
fixdrip::0:1:fixdrip:/:/usr/local/bin/fixdrip_account
The login scripts (dummy_account and fixdrip_account) run another
script (/sparky/rob/tmp/script.sh), which works for the dummy
account but bombs with "restricted" messages for the fixdrip account.
The problem should be clear after you read the following:
===========================================
Script started on Thu Oct 6 17:52:32 1988
% egrep "dummy|fixdrip" /etc/passwd
dummy::0:1:dummy:/:/usr/local/bin/dummy_account
fixdrip::0:1:fixdrip:/:/usr/local/bin/fixdrip_account
% cd /usr/local/bin
% cat dummy_account
#! /bin/sh -f
/sparky/rob/tmp/script.sh
% cat fixdrip_account
#! /bin/sh -f
/sparky/rob/tmp/script.sh
% diff dummy_account fixdrip_account
% ls -lg dummy_account fixdrip_account
-rwxr--r-- 1 root wheel 40 Oct 6 17:51 dummy_account
-rwxr--r-- 1 root wheel 40 Oct 6 17:51 fixdrip_account
% cat /sparky/rob/tmp/script.sh
#! /bin/sh -f
echo The sh script worked
% su dummy
The sh script worked
% su fixdrip
/usr/local/bin/fixdrip_account: /sparky/rob/tmp/script.sh: restricted
% exit
script done on Thu Oct 6 17:54:02 1988
===========================================
My questions are:
1. What does the "restricted" message mean?
2. Why does the dummy account work while the fixdrip account does not?
3. On a side note, I would appreciate it if someone would fill me in on the
security holes I am opening by having these accounts with the same
uid as root. My motivation for doing this is to give users limited
access to root privileges.
Thanks for the help,
--Rob Henderson
---
1st Choice: rob@tcville.hac.com
2nd Choice: rgh@hac2arpa.hac.com
3rd Choice: (213) 616-4596
If all else fails: {seismo|allegra|...}!hacgate!tcville!rob

jamesa%betelgeuse@Sun.COM (James D. Allen) (10/08/88)
In article <184@tcville.HAC.COM>, rob@sparky.HAC.COM (Rob Henderson) writes:
> /usr/local/bin/fixdrip_account: /sparky/rob/tmp/script.sh: restricted
[ refer to original article for detailed description of problem]
The problem is that /bin/sh has chosen to become "restricted". It did this,
believe it or not, because of the 'r' in "fixdrip_account". This is in TFM,
although the injunction RTFM would seem rude given the peculiar character of
this feature. If you regard this feature as a bug, you will be glad to know
it is "fixed in 4.0". You don't want to know what feature the 'x'
activates... :-}
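The two points raised in this thread, Rob's question about the risk of extra uid-0 accounts and James's explanation that the SunOS 3.x Bourne shell went restricted because of the 'r' in the script name, can both be turned into a small audit of /etc/passwd-style entries. The script below is an added example and is not code from either poster. It uses constructed sample passwd lines modelled on the ones in Rob's session; the helper names (basename_of, is_restricted_name, extra_uid0_accounts, passwordless_accounts, r_named_login_programs, audit_report) are mine. One assumption is labelled in the code: the 'r' check is applied to the basename of the login program only, which is my inference from the session (the /usr/local/bin path contains an 'r' in "usr", yet dummy_account ran fine), not something James's reply states.

```shell
#!/bin/sh
# Added example, not part of the original posts. Audits /etc/passwd-style
# lines for the two things discussed in this thread: extra uid-0 accounts
# (Rob's third question) and login programs whose name contains an "r"
# (the restricted-shell trigger James describes for the SunOS 3.x sh).
# The passwd lines below are constructed sample data.

SAMPLE_PASSWD='root:x:0:1:Operator:/:/bin/sh
dummy::0:1:dummy:/:/usr/local/bin/dummy_account
fixdrip::0:1:fixdrip:/:/usr/local/bin/fixdrip_account
rob:x:201:20:Rob Henderson:/sparky/rob:/bin/csh'

# Basename of a path in pure sh (assumed helper, no fork needed).
basename_of() {
    printf '%s\n' "${1##*/}"
}

# Exit 0 if the program name would have tripped the "r" check the reply
# describes. Assumption: only the basename is examined, which fits the
# session above (/usr/local/bin contains an "r" in "usr", yet
# dummy_account ran fine).
is_restricted_name() {
    case "$(basename_of "$1")" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Comma-separated list of accounts with uid 0 whose name is not "root".
# Each one is a second root login, so every such entry needs a reason.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $3 == 0 && $1 != "root" { if (out != "") out = out ","; out = out $1 }
        END { print out }'
}

# Comma-separated list of accounts whose password field is empty: on a
# passwd file like this one, anyone can "su" to them without a password,
# which matters most when the account also has uid 0.
passwordless_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $2 == "" { if (out != "") out = out ","; out = out $1 }
        END { print out }'
}

# Comma-separated "user:program" pairs whose login program's basename
# contains an "r" and so would start the old sh in restricted mode.
r_named_login_programs() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        if is_restricted_name "$shell"; then
            printf '%s:%s\n' "$name" "$(basename_of "$shell")"
        fi
    done | awk '{ if (out != "") out = out ","; out = out $0 } END { print out }'
}

# Human-readable report; run "sh thisfile.sh" to see it for the sample data.
audit_report() {
    printf 'uid-0 accounts besides root : %s\n' "$(extra_uid0_accounts "$1")"
    printf 'accounts with no password   : %s\n' "$(passwordless_accounts "$1")"
    printf 'login programs with an "r"  : %s\n' "$(r_named_login_programs "$1")"
}

audit_report "$SAMPLE_PASSWD"
```

To run it against a real file, replace the sample with `"$(cat /etc/passwd)"`; the functions take the file contents as a single argument so the sample data can stay inline. On the sample data the report lists dummy and fixdrip under both "uid-0 accounts besides root" and "accounts with no password", and only fixdrip under the "r" check, which is exactly the asymmetry Rob saw between the two accounts.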
In article <184@tcville.HAC.COM>, rob@sparky.HAC.COM (Rob Henderson) writes: > /usr/local/bin/fixdrip_account: /sparky/rob/tmp/script.sh: restricted [ refer to original article for detailed description of problem] The problem is that /bin/sh has chosen to become "restricted". It did this, believe it or not, because of the 'r' in "fixdrip_account". This is in TFM, although the injunction RTFM would seem rude given the peculiar character of this feature. If you regard this feature as a bug, you will be glad to know it is "fixed in 4.0". You don't want to know what feature the 'x' activates... :-}