andrew@hammer.TEK.COM (Andrew Klossner) (10/31/86)
On invalidating entries in /etc/passwd: One correspondent spoke of changing the password to something to which nothing will encrypt. Another prefers to change the shell to something which prints a short message of denial then exits.

We do *both*. Changing the password but leaving the shell intact allows entry to anyone who is already in or can enter the user's .rhosts file. Changing the shell but leaving the password lets anyone with the password "su" to the account, if your "su" uses the invoker's shell. (If your "su" uses the target user's shell, you open a different but similarly nasty security hole.)

-=- Andrew Klossner
(decvax!tektronix!tekecs!andrew) [UUCP]
(tekecs!andrew.tektronix@csnet-relay) [ARPA]
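
An added example, not part of the original post: a small audit that flags passwd entries invalidated only one of the two ways described above. It assumes the hash is stored in /etc/passwd itself as a 13-character crypt string (no shadow file); the denial-shell paths and the sample entries are constructed for illustration.

```python
import re

# Assumption: hashes sit in /etc/passwd itself as 13-char DES crypt(3) strings.
CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")
# Hypothetical site-local denial shell, plus two common stand-ins.
DENIAL_SHELLS = {"/usr/local/etc/denied", "/bin/false", "/sbin/nologin"}

# Constructed sample entries, not taken from any real system.
SAMPLE = """\
root:Xk3fQz9LmPq2A:0:0:Root:/:/bin/sh
alice:*:101:10:Alice:/usr/alice:/bin/csh
bob:Ab9dK2mNq7.xY:102:10:Bob:/usr/bob:/usr/local/etc/denied
carol:*:103:10:Carol:/usr/carol:/usr/local/etc/denied
dave:*:104:10:Dave:/usr/dave:
"""


def classify(line, denial_shells=DENIAL_SHELLS):
    """Return (user, status) for one passwd line, or None if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    user, shell = fields[0], fields[6]
    pw = fields[1].split(",")[0]  # drop a System V ",age" suffix if present
    # Locked: non-empty and not a well-formed hash, so nothing encrypts to it.
    pw_locked = pw != "" and CRYPT_RE.fullmatch(pw) is None
    # An empty shell field means /bin/sh, which is a live shell.
    shell_denied = shell in denial_shells
    if pw_locked and shell_denied:
        return user, "disabled"
    if pw_locked:
        return user, "rhosts-exposed"  # .rhosts still grants entry
    if shell_denied:
        return user, "su-exposed"      # password holder may still su
    return user, "active"


def half_disabled(passwd_text):
    """Map user -> status for accounts invalidated only one of the two ways."""
    found = {}
    for line in passwd_text.splitlines():
        result = classify(line)
        if result and result[1] in ("rhosts-exposed", "su-exposed"):
            found[result[0]] = result[1]
    return found


if __name__ == "__main__":
    for user, status in half_disabled(SAMPLE).items():
        print(f"{user}: {status}")
```

On the sample, `alice` and `dave` are flagged because a locked password with a live shell leaves the .rhosts path open, and `bob` because a denial shell with a live password leaves the "su" path open; only `carol` is invalidated both ways.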