From: Peter Pentchev
To: Marc Rogers
Cc: FreeBSD-Security@FreeBSD.ORG
Date: Fri, 21 Sep 2001 15:48:34 +0300
Subject: Re: login_conf vulnerability.
Message-ID: <20010921154834.B619@ringworld.oblivion.bg>
In-Reply-To: <20010921124410.D99287@shady.org>
User-Agent: Mutt/1.2.5i

On Fri, Sep 21, 2001 at 12:44:10PM +0100, Marc Rogers wrote:
> afternoon all,
>
> For those of you who haven't gotten around to patching login_cap.c
> to fix the openssh login class exploit recently released, I have a quick
> fix that should be good enough to stop pests reading files on your system,
> such as master.passwd.
>
> using vipw, add all users to a login class that has been defined in /etc/login.conf
>
> for most people simply adding the user to standard will suffice:
>
> bob:xxxxxxxxxxxxx:1062:1062::0:0:bob t builder:/home/bob:/usr/local/bin/bash
>
> should be changed to
>
> bob:xxxxxxxxxxxxx:1062:1062:standard:0:0:bob t builder:/home/bob:/usr/local/bin/bash
>
> which corresponds to:
>
> standard:\
>         :tc=default:
>
> in /etc/login.conf
>
> This has been tested and found to prevent the exploit in 4.0, 4.1, 4.3 and 4.4-RC

Correct me if I'm wrong, but IMHO this will only stop cluebies who do not
take the time to look and see just *why* the 'default' override does not
work. What happens when they change their .login.conf file and override
the 'standard' login class instead?

G'luck,
Peter

--
I am the thought you are now thinking.
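An audit check for the two points raised in this thread, written here as an added example rather than anything Marc or Peter posted: it lists accounts whose master.passwd class field is empty, and accounts whose ~/.login.conf defines an entry named after their effective class (the case Peter's reply points at). It assumes master.passwd(5)-format input (a constructed excerpt below) and a root-prefix argument naming the filesystem to inspect.

```shell
#!/bin/sh
# Added audit example, not code from the thread. Reads master.passwd(5)-format
# lines (ten colon-separated fields; the login class is field 5) and reports:
#   1. accounts whose class field is empty (they resolve to 'default');
#   2. accounts whose <prefix>$home/.login.conf defines an entry whose name
#      equals the account's effective class ('default' when the field is empty).
# Moving a user from the empty class to 'standard' only changes which entry
# name a per-user file would have to define, which is what check 2 surfaces.
# The excerpt is constructed; the prefix argument is an assumed way to run the
# check against a copied filesystem (pass / for the live system).

SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
bob:xxxxxxxxxxxxx:1062:1062::0:0:bob t builder:/home/bob:/usr/local/bin/bash
alice:xxxxxxxxxxxxx:1063:1063:standard:0:0:alice:/home/alice:/bin/sh'

# $1 = master.passwd text. Prints the names of accounts with an empty class field.
unclassed_users() {
    printf '%s\n' "$1" | awk -F: '$5 == "" { print $1 }'
}

# $1 = master.passwd text, $2 = filesystem prefix. Prints "user:class" for each
# account whose $2$home/.login.conf has an entry named after its effective class
# (entry names end at ':' or at a '|' alias separator).
login_conf_overrides() {
    printf '%s\n' "$1" | while IFS=: read -r name _pw _uid _gid class _chg _exp _gecos home _shell; do
        f="$2$home/.login.conf"
        eff=${class:-default}
        if [ -f "$f" ] && grep -q "^${eff}[:|]" "$f"; then
            printf '%s:%s\n' "$name" "$eff"
        fi
    done
    return 0
}

# Example run against the constructed excerpt and the live filesystem:
#   unclassed_users "$SAMPLE_MASTER_PASSWD"
#   login_conf_overrides "$SAMPLE_MASTER_PASSWD" ""
```

Run on a real system, feed it the contents of /etc/master.passwd (readable only by root) and an empty prefix.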