Re: Huge mistake: lost shell :(



In article <20060222.0117.5593snz@xxxxxxxxxxxxxxxxxxxx>
snews@xxxxxxxxxxxxxxxxxxxx (David Lord) writes:
> On Tuesday, in article <460gpmF8sjj3U1@xxxxxxxxxxxxxx>
> me@xxxxxxxxxxx "Jean-Yves Avenard" wrote:
>
>> Hi
>>
>> While configuring shell accounts, in my haste I changed the shell of the
>> wrong user.
>> Unfortunately it was the only user in the wheel group.
>>
>> So now I can't log into this machine (I do not have physical access to
>> the machine)
>>
>> I have access to a simple user account though.
>>
>> I thought of doing something like:
>> su -f -m user_inwheel -c "chsh /bin/sh"
>>
>> but that doesn't work, I always get "su: permission denied (shell)."
>>
>> How could I change the shell of this user?
>> I know the root password, the user in wheel group password etc.
>>
>> Any ideas?
>
> If you have default /etc/login.access
>
> login root

Hm, I almost thought that you had found a way to circumvent the wheel
requirement for "su", but 'login root' (as should be expected really)
seems to be subject to the normal restriction that you can only log in
as root on ttys specified as "secure" in /etc/ttys. I.e. the above
cannot be done from a network login on a system with default /etc/ttys -
and it was already stated that physical access was not available.

I found this thread interesting, but let's face it - the security model
of (Free)BSD says that you should not be able to become root without
physical access or wheel membership, even if you know the root password
- i.e. if a solution is found, it's either a bug or the result of
(intentionally or not) previously having overridden the security model
(e.g. by installing sudo with certain config, or marking a bunch of
pseudo-ttys as "secure").

Of course hunting for "unintentional overrides" can be fun:-) - e.g., I
don't suppose the shell for the wheel-member user can be replaced by an
unprivileged user, via direct overwrite or through some directory in the
path to it being writable?

--Per Hedeland
per@xxxxxxxxxxxx
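
Added example, not part of the thread: a read-only audit an administrator could run to confirm that neither of the overrides mentioned above is present, namely network ttys flagged "secure" in /etc/ttys and writable components on the path to a login shell. The function names and the pseudo-tty name patterns are assumptions made for this sketch.

```shell
#!/bin/sh
# Added audit example, not from the thread. Both checks are read-only.

# Print ttys in a ttys(5)-format file that are flagged "secure" and look like
# network logins. Assumption: pseudo-ttys are named tty[p-sP-S]* or pts/*,
# or carry the terminal type "network".
secure_network_ttys() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }
        {
            secure = 0; net = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "secure")  secure = 1
                if ($i == "network") net = 1
            }
            if ($1 ~ /^tty[pqrsPQRS]/ || $1 ~ /^pts\//) net = 1
            if (secure && net) print $1
        }' "$1"
}

# Walk from an absolute path up to /, printing each component that is
# group- or world-writable. find -L judges a symlink by its target.
writable_components() {
    case $1 in /*) p=$1 ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    while :; do
        find -L "$p" -prune \( -perm -002 -o -perm -020 \) -print 2>/dev/null || :
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
}

# Run against the local host when the files exist (FreeBSD layout assumed).
if [ -r /etc/ttys ]; then secure_network_ttys /etc/ttys; fi
writable_components "${SHELL:-/bin/sh}" || :
```

Any name printed by the first check is a tty on which a direct root login would be accepted; any path printed by the second should be reviewed for ownership and mode.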

