[rescue] mesg: cannot change mode
Loomis, Rip
rescue at sunhelp.org
Tue Nov 27 11:23:25 CST 2001
1. *PLEASE* trim at least some of the crap off messages to which
you are replying.
2. You probably don't want "mesg n" in /etc/profile, but you
probably *do* want it in a .profile for root. "mesg n"
stops other local users from sending you certain immediate
messages--and depending on the terminal you're using, some
of those messages can really fubar your terminal. We used
to do that kind of crap 12 years ago when I was in college,
and all my login scripts still have a "mesg n" as a
security measure. No idea how valid an attack it still is,
but there is probably some residual risk.
3. When logged in as root, you should almost *never* do a
"su - username"--because that will give you rootly powers
but a configuration decided upon by an untrusted user.
Since all the trusted users (admins) should be logging in
as themselves and then using sudo, the only time anyone
might su to a non-root account would be to check things
out or fix something in that account...and it's a bad idea
to assume that the non-root account is trustworthy.
So, bottom line:
"mesg n" good.
"sudo" good. (*VERY* good, dammit)
"su - [root]" okay (and better than "su [root]").
"su username" okay.
"su - username" bad.
Questions?
--
Rip Loomis
Senior Systems Security Engineer
SAIC Center for Information Security Technology
> It was in /etc/profile and I was doing su - uname (should have said that
> in the first place).
> There is another admin on my box and he put "mesg n" in the
> /etc/profile.
> Once I commented it out, the behavior stopped.
>
> > "su username" or "su - username"? If it's with the "-" then it might be
> > something in the /etc/profile, user's .profile or whatever login script
> > runs for that user.
> >
> > > Under solaris 2.6 when I su from root to a user I get the message
> > > "mesg: cannot change mode"
> > >
> > > Under solaris 2.8 this does not happen. Any ideas?
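
Added example, not part of the original post or thread: a guard for a login script that keeps "mesg n" but skips it when it cannot work, which is the case after "su - username" from a root login, where the terminal device still belongs to root. The function names are hypothetical, and it assumes a shell whose test builtin supports -O (ksh, bash, dash).

```shell
# Added example; tty_is_mine and quiet_mesg_n are hypothetical helper names.
#
# mesg works by changing the permission bits on the terminal device, and
# only the owner of that device (or root) may do so. After "su - username"
# from a root login the tty is still owned by root, so an unguarded
# "mesg n" in /etc/profile fails with "mesg: cannot change mode".

# tty_is_mine PATH
# Succeeds only if PATH is a character device owned by the effective user.
tty_is_mine() {
    [ -n "$1" ] && [ -c "$1" ] && [ -O "$1" ]
}

# quiet_mesg_n
# Runs "mesg n" only when it can succeed.
# Returns 0 if messages are now refused, 1 if the call was skipped or failed.
quiet_mesg_n() {
    [ -t 0 ] || return 1                 # stdin is not a terminal
    t=$(tty 2>/dev/null) || return 1     # no terminal name available
    tty_is_mine "$t" || return 1         # e.g. after su: tty owned by someone else
    mesg n
    # POSIX mesg exit status: 0 = messages allowed, 1 = not allowed, >1 = error
    [ $? -le 1 ]
}

# In a login script: refuse messages where possible, stay silent otherwise.
quiet_mesg_n || :
```

A skipped call leaves the terminal's message permission as the original login set it.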