• Re: Disabled Shell Access?

    From Kevin McMurtrie@mcmurtri@sonic.net to comp.sys.mac.system on Friday, July 25, 2003 01:50:30
    From Newsgroup: comp.sys.mac.system

    In article <vi0vprg03jg60@corp.supernews.com>,
    Gene Tolli <geetee@charter.net> wrote:

    I recently upgraded from OS9.2.2 to Jaguar, and so far I've been very pleased with the new OS. I've been using the Sams TYS OSX book to help
    with the transition.

    Tonight I was working through Chapter 23: Security Considerations. The authors recommend disabling shell access for non-admin accounts using
    the following scheme:

    1. Open a Terminal window.
    2. Type cd /bin [return]
    3. Type sudo chmod o-x *sh [return]
    4. Close the Terminal window.

    I was logged in as admin, and typed "logout" before quitting Terminal.

    My problem: now I don't seem able to access the command line from *any* account, even as admin. The Terminal window has the heading "Command Completed", and contains the message:

    [Process exited - exit code 101]

    I can't type anything, all I get is an error chime.

    Could anyone explain what I've done, and - if possible - how I might
    undo it?

    Thanks in advance.

    You've made it so only user 'root' or a member of the group 'wheel'
    can execute a shell. No shell means no login. I don't know why you'd
    want to do such a thing when the Sharing control panel lets you turn off remote logins.

    Reboot while holding down Option-S. Type:

    cd /bin
    chmod o+x *sh
    logout

    That will undo what you did. Repairing permissions with Disk Utility
    might do the trick too.
    --- Synchronet 3.18b-Win32 NewsLink 1.113
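
Added example, not part of the original thread: a shell sketch that replays the book's `chmod o-x *sh` step and the `chmod o+x *sh` fix on a scratch directory instead of the real /bin, and lists which shells the "other" permission class can no longer execute. The helper names (`mode_of`, `blocked_shells`, `make_scratch_bin`) and the stand-in shell files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): replay the permission change on a
# scratch directory so its effect can be inspected without touching /bin.

# mode_of FILE -> 10-character mode string, e.g. -rwxr-xr-x
mode_of() { ls -ldL "$1" | cut -c1-10; }

# blocked_shells DIR -> names of *sh files the "other" class cannot execute
blocked_shells() {
    for f in "$1"/*sh; do
        [ -f "$f" ] || continue
        case $(mode_of "$f" | cut -c10) in
            x|t) ;;                      # other-execute bit is set
            *)   basename "$f" ;;        # bit cleared: "other" cannot run it
        esac
    done
}

# make_scratch_bin -> path of a temp dir holding stand-ins for the /bin shells
make_scratch_bin() {
    d=$(mktemp -d) || return 1
    for name in sh bash csh tcsh zsh ls; do
        printf '#!/bin/sh\nexit 0\n' > "$d/$name"
        chmod 755 "$d/$name"             # constructed stand-in, mode 755
    done
    echo "$d"
}

demo() {
    bin=$(make_scratch_bin) || return 1
    echo "before: $(mode_of "$bin/tcsh")  blocked: $(blocked_shells "$bin" | tr '\n' ' ')"
    ( cd "$bin" && chmod o-x *sh )       # the book's step 3, without sudo
    echo "after:  $(mode_of "$bin/tcsh")  blocked: $(blocked_shells "$bin" | tr '\n' ' ')"
    ( cd "$bin" && chmod o+x *sh )       # the fix given in the replies
    echo "fixed:  $(mode_of "$bin/tcsh")  blocked: $(blocked_shells "$bin" | tr '\n' ' ')"
    rm -rf "$bin"
}

demo
```

Running `blocked_shells /bin` in a session that is still open, before logging out, shows whether any shell there has lost its other-execute bit.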
  • From Dave Seaman@dseaman@no.such.host to comp.sys.mac.system on Friday, July 25, 2003 03:58:17
    From Newsgroup: comp.sys.mac.system

    On Thu, 24 Jul 2003 19:52:10 -0500, Gene Tolli wrote:
    I recently upgraded from OS9.2.2 to Jaguar, and so far I've been very pleased with the new OS. I've been using the Sams TYS OSX book to help
    with the transition.

    Tonight I was working through Chapter 23: Security Considerations. The authors recommend disabling shell access for non-admin accounts using
    the following scheme:

    1. Open a Terminal window.
    2. Type cd /bin [return]
    3. Type sudo chmod o-x *sh [return]
    4. Close the Terminal window.

    I was logged in as admin, and typed "logout" before quitting Terminal.

    My problem: now I don't seem able to access the command line from *any* account, even as admin. The Terminal window has the heading "Command Completed", and contains the message:

    [Process exited - exit code 101]

    I can't type anything, all I get is an error chime.

    Could anyone explain what I've done, and - if possible - how I might
    undo it?

    Launch NetInfo Manager and authenticate as an administrator.

    Select "Enable Root User" from the Security menu. Enter a root password
    when asked.

    Under "System Preferences" select "Accounts". While you're there, you
    might uncheck the box marked "Log in automatically as ...", but I think
    this step is not really necessary.

    Still under "Accounts", click on the "Login Options" tab and click to
    Display Login Window as: Name and Password.

    Under the Apple Menu select "Log Out".

    When the Login window appears, type "root" as the login name and enter
    the password you chose.

    In a Terminal window, type "chmod o+x /bin/*sh".

    Log out. (Using the Apple menu, not the Terminal command line).

    Log in on the Admin Account.

    Launch NetInfo Manager, authenticate as an administrator, and select
    "Disable Root User" from the Security menu. Ordinarily, you can rely on
    "sudo" to carry out all your administrative tasks, but this is a rare exception. From an admin account, you need to get an executable shell in
    order to use the "sudo" command in the first place, and you made all your shells non-executable except by "root" or a member of the "wheel" group
    (and by default, the only member of the "wheel" group is root).

    Finally, get rid of that book.

    --
    Dave Seaman
    Judge Yohn's mistakes revealed in Mumia Abu-Jamal ruling. <http://www.commoncouragepress.com/index.cfm?action=book&bookid=228>
  • From russotto@russotto@grace.speakeasy.net (Matthew Russotto) to comp.sys.mac.system on Friday, July 25, 2003 11:07:20
    From Newsgroup: comp.sys.mac.system

    In article <vi0vprg03jg60@corp.supernews.com>,
    Gene Tolli <geetee@charter.net> wrote:
    I recently upgraded from OS9.2.2 to Jaguar, and so far I've been very pleased with the new OS. I've been using the Sams TYS OSX book to help
    with the transition.

    Tonight I was working through Chapter 23: Security Considerations. The authors recommend disabling shell access for non-admin accounts using
    the following scheme:

    1. Open a Terminal window.
    2. Type cd /bin [return]
    3. Type sudo chmod o-x *sh [return]
    4. Close the Terminal window.

    I was logged in as admin, and typed "logout" before quitting Terminal.

    My problem: now I don't seem able to access the command line from *any* account, even as admin. The Terminal window has the heading "Command Completed", and contains the message:

    Well, that SHOULD have worked. It's a really dumb "security" measure,
    but it still should have worked.

    Go to the Finder and "Go To Folder" /bin. Find the 'tcsh' file and
    change its owner to you. Start a Terminal; you should get a shell.
    Now

    type cd /bin
    type sudo chmod o+x *sh
    type sudo chown root tcsh

    --
    Matthew T. Russotto mrussotto@speakeasy.net
    "Extremism in defense of liberty is no vice, and moderation in pursuit
    of justice is no virtue." But extreme restriction of liberty in pursuit of
    a modicum of security is a very expensive vice.
  • From grapeape@grapeape@aol.comjunk (GrapeApe) to comp.sys.mac.system on Saturday, July 26, 2003 02:21:27
    From Newsgroup: comp.sys.mac.system

    << My problem: now I don't seem able to access the command line from *any* account, even as admin. The Terminal window has the heading "Command Completed", and contains the message:

    Well, that SHOULD have worked. It's a really dumb "security" measure,
    but it still should have worked. >>


    It did. Now the system is safe from someone who doesn't know what they are doing.