From owner-freebsd-security  Fri Sep 21  6: 3:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (straylight.ringlet.net [217.75.134.254])
	by hub.freebsd.org (Postfix) with SMTP id 1F59437B416
	for <FreeBSD-Security@FreeBSD.ORG>; Fri, 21 Sep 2001 06:03:24 -0700 (PDT)
Received: (qmail 984 invoked by uid 1000); 21 Sep 2001 13:02:43 -0000
Date: Fri, 21 Sep 2001 16:02:43 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Rob Andrews <rob@cyberpunkz.org>
Cc: Marc Rogers <marcr@shady.org>, FreeBSD-Security@FreeBSD.ORG
Subject: Re: login_conf vulnerability.
Message-ID: <20010921160243.C619@ringworld.oblivion.bg>
Mail-Followup-To: Rob Andrews <rob@cyberpunkz.org>,
	Marc Rogers <marcr@shady.org>, FreeBSD-Security@FreeBSD.ORG
References: <20010921124410.D99287@shady.org> <20010921154834.B619@ringworld.oblivion.bg> <20010921075540.B71120@switchblade.cyberpunkz.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010921075540.B71120@switchblade.cyberpunkz.org>; from rob@cyberpunkz.org on Fri, Sep 21, 2001 at 07:55:40AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Fri, Sep 21, 2001 at 07:55:40AM -0500, Rob Andrews wrote:
> On Fri, Sep 21, 2001 at 03:48:34PM +0300, Peter Pentchev wrote:
> > Correct me if I'm wrong, but IMHO this will only stop cluebies who do
> > not take the time to look and see just *why* the 'default' override
> > does not work.  What happens when they change their .login.conf file
> > and override the 'standard' login class instead?
> 
> Users cannot change their login class on the system with .login.conf,
> they can only affect certain things such as path statements and such.
> 
> Try it yourself and see..  :)

Yes, but they can override them for whichever class they choose to
specify in their own .login.conf.  Venglin's BugTraq post gave as an
example a user .login.conf file consisting of:

default:\
 :copyright=/etc/master.passwd:

This overrides the 'default' login class; if the sysadmin changes
the user's login class to 'standard', then what is there to stop
the user from doing the following?

standard:\
 :copyright=/etc/master.passwd:

G'luck,
Peter

-- 
because I didn't think of a good beginning of it.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message