Date: Sun, 9 Feb 1997 16:59:07 +1100 (EST) From: "Daniel O'Callaghan" <danny@panda.hilink.com.au> To: Andreas Klemm <andreas@klemm.gtn.com> Cc: hackers@freebsd.org Subject: Re: should permissions of /usr/bin/login be changed to 0100 ??? Message-ID: <Pine.BSF.3.91.970209165445.427E-100000@panda.hilink.com.au> In-Reply-To: <19970208135454.ZJ37734@klemm.gtn.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 8 Feb 1997, Andreas Klemm wrote:
> >From the OPIE README file:
> [...]
> While an almost universal "feature", most people remain unaware that
> an intruder can log into a system, then log in again by running the "login"
> command from a shell. Because the second login is from the local host, the
> utmp entry will not show a remote login host anymore. The OPIE replacement
> for /bin/login currently carries on this behavior for compatibility reasons.
> If you would like to prevent this from happening, you should change the
> permissions of /bin/login to 0100, thus preventing unprivileged users from
> executing it. This fix should work on non-OPIE /bin/login programs as well.
> [...]
>
> Our /usr/bin/login program has the following permissions:
> -r-sr-xr-x 1 root bin 24576 6 Feb 01:28 /usr/bin/login
>
> Would it be useful to change permissions to 0100 ?
Perhaps better would be to include the following code:
if ( !geteuid() ) {
fprintf(stderr, "You must be root to use 'login' on this system.\n");
exit(-1);
}
Install /bin/login as mode 555 by default, and if a sysadmin wants to,
s/he can make it 4555 and get the original behaviour.
Danny
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.970209165445.427E-100000>