Date: Fri, 21 Sep 2001 15:48:34 +0300 From: Peter Pentchev <roam@ringlet.net> To: Marc Rogers <marcr@shady.org> Cc: FreeBSD-Security@FreeBSD.ORG Subject: Re: login_conf vulnerability. Message-ID: <20010921154834.B619@ringworld.oblivion.bg> In-Reply-To: <20010921124410.D99287@shady.org>; from marcr@shady.org on Fri, Sep 21, 2001 at 12:44:10PM %2B0100 References: <20010921124410.D99287@shady.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Sep 21, 2001 at 12:44:10PM +0100, Marc Rogers wrote: > afternoon all, > > For those of you who havent gotten around to patching login_cap.c > to fix the openssh login class exploit recently released, I have a quick > fix that should be good enough to stop pests reading files on your system, > such as master.passwd. > > > using vipw, add all users to a login class that has been defined in /etc/login.conf > > > for most people simply adding the user to standard will suffice: > > > bob:xxxxxxxxxxxxx:1062:1062::0:0:bob t builder:/home/bob:/usr/local/bin/bash > > should be changed to > > bob:xxxxxxxxxxxxx:1062:1062:standard:0:0:bob t builder:/home/bob:/usr/local/bin/bash > > which corresponds to: > > standard:\ > :tc=default: > > in /etc/login.conf > > This has been tested and found to prevent the exploit in 4.0, 4.1, 4.3 and 4.4-RC Correct me if I'm wrong, but IMHO this will only stop cluebies who do not take the time to look and see just *why* the 'default' override does not work. What happens when they change their .login.conf file and override the 'standard' login class instead? G'luck, Peter -- I am the thought you are now thinking. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010921154834.B619>