From owner-freebsd-security  Sat May  5 18:35: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id B0BE837B43E
	for <freebsd-security@FreeBSD.ORG>; Sat,  5 May 2001 18:34:59 -0700 (PDT)
	(envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id SAA16189;
	Sat, 5 May 2001 18:34:58 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda16187; Sat May  5 18:34:47 2001
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f461YgB51796;
	Sat, 5 May 2001 18:34:42 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdb51794; Sat May  5 18:34:38 2001
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.3/8.9.1) id f461YbJ03934;
	Sat, 5 May 2001 18:34:37 -0700 (PDT)
Message-Id: <200105060134.f461YbJ03934@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdee3928; Sat May  5 18:34:18 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-Sender: schubert
To: "Dominic Marks" <dominic_marks@hotmail.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Login Permissions 
In-reply-to: Your message of "Sat, 05 May 2001 13:57:29 -0000."
             <F53ngr5tTXeCOtrsbMe00002e67@hotmail.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 05 May 2001 18:34:18 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <F53ngr5tTXeCOtrsbMe00002e67@hotmail.com>, "Dominic Marks" 
writes:
> Login can be executed by any user connected with a local or remote shell. 
> Login could therefore be used as a forkbomb/dos attack which could be used 
> to eat resources (and possbibly ttys?).
> 
> Should login be set as chmod 700?

A better solution would be to only allow login to be executed using the 
exec builtin from the lowest level shell as Solaris does:

    No utmpx entry. You must exec "login" from the lowest level "shell".


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message