LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   users and their etc/.profile (https://www.linuxquestions.org/questions/linux-security-4/users-and-their-etc-profile-559961/)

troygi 06-07-2007 12:45 PM
users and their etc/.profile
 
If a user on the unix system does not have an etc/.profile set up. What type of vulnerability is associated with this configuration.

Are they essentially logging directly to the root directory?
Can their user id be exploited by a hacker?


I am in the midst of an audit and the auditors found that I had 2 users on the system who did not have .profiles. Typically, I include a default login which takes them to a specific application menu and from their they can access various modules on the system. But without a .profile, I am unsure of the specific dangers associated with this oversight.

Any insight on the vulnerability of this occurring would be helpful.

MensaWater 06-07-2007 02:34 PM
You're question is a little confused.

There is a global file called /etc/profile that all users would execute on login (with certain shells).

Individual users usually have $HOME/.profile which is executed AFTER /etc/profile for their own customizations.

On Linux the defaults are actually /etc/bashrc and $HOME/.bashrc for the bash shell. /etc/profile and .profile are typically used on UNIX systems for Bourne Shell and Korn shell. You can run ksh on Linux but just wanted you to be aware of the distinction.

Since the .profile in a user's $HOME is defined to be modifiable by the user its existence or non-existence is NOT a security problem. Possibly the auditors fear someone other than the user could add a .profile to the user's $HOME and compromise their login. The way to prevent this is to make sure the user's $HOME is only writable by the user rather than worrying about the presence or absence (or contents of) a $HOME/.profile.

The file to be really concerned about is /etc/profile (and/or /etc/bashrc) since that is what does initial setup for all users. It is also the one where you can control things that you don't want the users to circumvent in their $HOME.

For example I once worked on a system for a large hotel corporation where the users "logged in" but were immediately "exec"d into the application. In /etc/profile we disabled all traps so that they could not hit Ctrl-C or other keys during the login to get out to a shell. If we'd done that in $HOME/.profile instead the user if fast enough or by hitting Ctrl-C over and over quickly might actually have gotten to a shell between the execution of /etc/profile and $HOME/.profile.

P.S. Auditors always HAVE to find "something" or they feel people won't think they did their jobs. Usually you can do "management response" such as the above to show you've noted their concern and don't think it is reasonable.


All times are GMT -5. The time now is 05:36 PM.