LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-07-2007, 12:45 PM   #1
troygi
LQ Newbie
 
Registered: Jun 2007
Posts: 1

Rep: Reputation: 0
users and their etc/.profile


If a user on the unix system does not have an etc/.profile set up. What type of vulnerability is associated with this configuration.

Are they essentially logging directly to the root directory?
Can their user id be exploited by a hacker?


I am in the midst of an audit and the auditors found that I had 2 users on the system who did not have .profiles. Typically, I include a default login which takes them to a specific application menu and from their they can access various modules on the system. But without a .profile, I am unsure of the specific dangers associated with this oversight.

Any insight on the vulnerability of this occurring would be helpful.
 
Old 06-07-2007, 02:34 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669
You're question is a little confused.

There is a global file called /etc/profile that all users would execute on login (with certain shells).

Individual users usually have $HOME/.profile which is executed AFTER /etc/profile for their own customizations.

On Linux the defaults are actually /etc/bashrc and $HOME/.bashrc for the bash shell. /etc/profile and .profile are typically used on UNIX systems for Bourne Shell and Korn shell. You can run ksh on Linux but just wanted you to be aware of the distinction.

Since the .profile in a user's $HOME is defined to be modifiable by the user its existence or non-existence is NOT a security problem. Possibly the auditors fear someone other than the user could add a .profile to the user's $HOME and compromise their login. The way to prevent this is to make sure the user's $HOME is only writable by the user rather than worrying about the presence or absence (or contents of) a $HOME/.profile.

The file to be really concerned about is /etc/profile (and/or /etc/bashrc) since that is what does initial setup for all users. It is also the one where you can control things that you don't want the users to circumvent in their $HOME.

For example I once worked on a system for a large hotel corporation where the users "logged in" but were immediately "exec"d into the application. In /etc/profile we disabled all traps so that they could not hit Ctrl-C or other keys during the login to get out to a shell. If we'd done that in $HOME/.profile instead the user if fast enough or by hitting Ctrl-C over and over quickly might actually have gotten to a shell between the execution of /etc/profile and $HOME/.profile.

P.S. Auditors always HAVE to find "something" or they feel people won't think they did their jobs. Usually you can do "management response" such as the above to show you've noted their concern and don't think it is reasonable.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Configure profile for all users stevsmit Linux - General 3 02-01-2007 11:06 PM
Find Users for advise based on Profile carl0ski LQ Suggestions & Feedback 22 01-26-2007 09:46 AM
one profile for all users guy_ripper Linux - Networking 2 12-16-2006 09:49 AM
Issue With /etc/profile And dircolors For All Users Chryzmo Slackware 5 12-01-2005 09:10 PM
exporting user profile to other users bikov_k Linux - General 2 10-23-2004 03:43 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:24 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration