Date: Mon, 30 Oct 1995 22:35:21 +0100 (MET)
From: guido@gvr.win.tue.nl (Guido van Rooij)
To: freebsd-security@freebsd.org
Subject: rlogind patch revisited
Message-ID: <199510302135.WAA00821@gvr.win.tue.nl>
There is this already old patch for rlogind:

revision 1.2
date: 1994/08/15 19:44:50; author: guido; state: Exp; lines: +5 -0
Plug security hole that was already fixed in 1.1. It prevents user from specifying their hostname when rlogin()-ing in (using rlogin -f-h<host>)
Reviewed by:
Submitted by:
----------------------------

this is solved by doing a strstr on the username provided. this prevents usernames like "this-one" to give troubles. I think just checking the first character for a "-" will be enough. (even space or tabs won't have to be skipped as the username is fed directly as an argument in execl())

What's your opinion?

-Guido
