From owner-freebsd-hackers Sun Feb 9 03:51:07 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA12765 for hackers-outgoing; Sun, 9 Feb 1997 03:51:07 -0800 (PST) Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id DAA12759 for ; Sun, 9 Feb 1997 03:50:59 -0800 (PST) Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id MAA18594 for hackers@freebsd.org; Sun, 9 Feb 1997 12:50:57 +0100 Received: (from j@localhost) by uriah.heep.sax.de (8.8.5/8.6.9) id MAA12726; Sun, 9 Feb 1997 12:28:02 +0100 (MET) Message-ID: Date: Sun, 9 Feb 1997 12:28:02 +0100 From: j@uriah.heep.sax.de (J Wunsch) To: hackers@freebsd.org Subject: Re: should permissions of /usr/bin/login be changed to 0100 ??? References: <19970208135454.ZJ37734@klemm.gtn.com> X-Mailer: Mutt 0.55-PL10 Mime-Version: 1.0 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) In-Reply-To: <19970208135454.ZJ37734@klemm.gtn.com>; from Andreas Klemm on Feb 8, 1997 13:54:54 +0100 Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk As Andreas Klemm wrote: > While an almost universal "feature", most people remain unaware that > an intruder can log into a system, then log in again by running the "login" > command from a shell. Because the second login is from the local host, the > utmp entry will not show a remote login host anymore. But still, it will have to reuse the same tty, and it required a previous login. So sure, you are able to track him in wtmp (unless he's going to hack wtmp, but you're lost in this case anyway). I sometimes love to have this feature. E.g., i log in via modem, setup or fixup a PPP account, and then exec login to the PPP account. Doing this all from inside the `term' command of PPP allows me to try the PPP session directly. I'm not sure whether exec su -l pppaccount will also work here. -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-)