Date:      Sat, 20 Jul 1996 12:30:27 -0700
From:      "David E. O'Brien" <obrien@Nuxi.cs.ucdavis.edu>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        obrien@relay.nuxi.com
Subject:   bin/1410: /usr/bin/login is suid, with little requirement for this
Message-ID:  <199607201930.MAA03609@relay.nuxi.com>
Resent-Message-ID: <199607201940.MAA10125@freefall.freebsd.org>


>Number:         1410
>Category:       bin
>Synopsis:       /usr/bin/login is suid, with little requirement for this
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 20 12:40:01 PDT 1996
>Last-Modified:
>Originator:     David E. O'Brien
>Organization:
University of California, Davis
>Release:        FreeBSD 2.1.0-RELEASE i386
>Environment:

	n/a

>Description:

	/usr/bin/login is suid root
	(-r-sr-xr-x   1 root     root       20480 Nov 15  1995 login*
	-- from the FreeBSD 2.1-RELEASE Live FS)

	This was done originally so that a different user could login to
	a terminal with a user already logged in.  (i.e., exec login luser)

	There is little need for this today.  From a discussion on
	freebsd-security, many didn't know of this functionality, and
	no one claimed to depend on it.  If active Unix hobbyists didn't
	know of this functionality, IMHO few users will.

	From the standpoint of security, every suid root program is a
	danger to system security.  Therefore, there should be a good
	justification for each of them (tradition is not a good
	justification).  In light of FreeBSD's positioning as a prime
	choice for ISP implementation, this is especially true.

>How-To-Repeat:

	ls -l  /usr/bin/login

>Fix:

	I propose that future releases of FreeBSD do not install
	/usr/bin/login suid root.
>Audit-Trail:
>Unformatted:
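As an added example (not part of the original report or of FreeBSD), a small shell audit in the spirit of the report's argument: take an `ls -l` listing like the one in How-To-Repeat, print the setuid-root entries, and flag any that has no stated justification. The allowlist contents and the listing lines other than the quoted login line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original PR: audit the setuid-root programs
# in a directory and flag any without an explicit justification. Allowlist
# contents and the non-login listing lines are constructed for illustration.

# Programs the administrator has justified as suid root (constructed values;
# login is deliberately absent, matching the report's proposal).
SUID_ALLOWLIST="su passwd"

# Read `ls -l` style lines on stdin; print the name of every file that is
# setuid (an 's' or 'S' in the owner-execute slot) and owned by root.
suid_root_from_ls() {
    while read -r mode _links owner _rest; do
        case "$mode" in
            -??[sS]*)
                if [ "$owner" = root ]; then
                    name=${_rest##* }
                    printf '%s\n' "${name%\*}"   # drop the ls -F '*' marker
                fi ;;
        esac
    done
}

# Read names on stdin; print those that are not on the allowlist.
unjustified() {
    while read -r name; do
        case " $SUID_ALLOWLIST " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Live variant for a real tree: setuid regular files owned by root.
find_suid_root() {
    find "$1" -type f -perm -4000 -user root 2>/dev/null
}

# Constructed listing: the first line is the one quoted in the report; the
# other three are made-up entries (one suid non-root, one plain binary).
SAMPLE_LS='-r-sr-xr-x   1 root     root       20480 Nov 15  1995 login*
-r-sr-xr-x   1 root     wheel      12288 Nov 15  1995 su*
-r-xr-xr-x   1 root     wheel      40960 Nov 15  1995 ls*
-r-sr-xr-x   1 uucp     dialer     16384 Nov 15  1995 uucico*'

# Audit the sample listing: prints "login".
audit_sample() {
    printf '%s\n' "$SAMPLE_LS" | suid_root_from_ls | unjustified
}

audit_sample
```

On a live system, `ls -l /usr/bin | suid_root_from_ls | unjustified` or `find_suid_root /usr/bin` performs the same check against real files.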



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199607201930.MAA03609>