Date:      Fri, 21 Sep 2001 12:44:10 +0100
From:      Marc Rogers <marcr@shady.org>
To:        FreeBSD-Security@FreeBSD.ORG
Subject:   login_conf vulnerability.
Message-ID:  <20010921124410.D99287@shady.org>

Afternoon all,

For those of you who haven't gotten around to patching login_cap.c
to fix the OpenSSH login class exploit recently released, I have a quick
fix that should be good enough to stop pests reading files on your system,
such as master.passwd.

Using vipw, add all users to a login class that has been defined in /etc/login.conf.

For most people simply adding the user to standard will suffice:


bob:xxxxxxxxxxxxx:1062:1062::0:0:bob t builder:/home/bob:/usr/local/bin/bash

should be changed to

bob:xxxxxxxxxxxxx:1062:1062:standard:0:0:bob t builder:/home/bob:/usr/local/bin/bash

which corresponds to:

standard:\
        :tc=default:

in /etc/login.conf

This has been tested and found to prevent the exploit in 4.0, 4.1, 4.3 and 4.4-RC.



Yours,



Marc Rogers
Technical Director
European Data Corporation
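
An added example, not part of the original message: a shell audit that lists accounts still lacking the workaround described above, i.e. entries whose class field is empty or names a class with no record in login.conf. The function name `audit_login_classes` and the sample accounts are constructed for illustration; it assumes the 10-field master.passwd layout with the login class as the fifth field.

```shell
#!/bin/sh
# Added example (not from the original e-mail): report accounts whose login
# class field is empty or names a class that login.conf does not define.

# audit_login_classes PASSWD_FILE LOGIN_CONF   (hypothetical helper name)
# Output, one finding per line:
#   NOCLASS <user>            class field (5th of 10) is empty
#   UNDEFINED <user> <class>  class has no record in LOGIN_CONF
audit_login_classes() {
    awk -F: -v conf="$2" '
        BEGIN {
            # login.conf records start in column 1 as name|alias:...;
            # continuation lines start with whitespace, comments with "#".
            while ((getline line < conf) > 0) {
                if (line !~ /^[^ \t#:]/) continue
                split(line, f, ":")
                n = split(f[1], names, "|")
                for (i = 1; i <= n; i++) defined[names[i]] = 1
            }
            close(conf)
        }
        /^#/ || NF < 10  { next }     # skip comments and malformed lines
        $5 == ""         { print "NOCLASS", $1; next }
        !($5 in defined) { print "UNDEFINED", $1, $5 }
    ' "$1"
}

# Constructed sample data; on a real system the inputs would be
# /etc/master.passwd (readable by root only) and /etc/login.conf.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/login.conf" <<'EOF'
default:\
        :path=/bin /usr/bin:
standard:\
        :tc=default:
EOF
    cat > "$dir/master.passwd" <<'EOF'
# constructed sample accounts
root:*:0:0::0:0:Charlie Root:/root:/bin/csh
bob:*:1062:1062:standard:0:0:bob t builder:/home/bob:/usr/local/bin/bash
alice:*:1063:1063:staff:0:0:alice:/home/alice:/bin/sh
EOF
    audit_login_classes "$dir/master.passwd" "$dir/login.conf"
    rm -rf "$dir"
}

demo
```

An empty result means every account carries a class that login.conf defines; any `NOCLASS` line is an account the workaround has not yet been applied to.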
