From owner-freebsd-security Fri Sep 21 6:14:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from closed-networks.com (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id B110537B426 for ; Fri, 21 Sep 2001 06:14:12 -0700 (PDT) Received: (qmail 12638 invoked by uid 1000); 21 Sep 2001 13:19:37 -0000 Date: Fri, 21 Sep 2001 14:19:37 +0100 From: Marc Rogers To: Peter Pentchev Cc: Rob Andrews , FreeBSD-Security@FreeBSD.ORG Subject: Re: login_conf vulnerability. Message-ID: <20010921141937.N99287@shady.org> References: <20010921124410.D99287@shady.org> <20010921154834.B619@ringworld.oblivion.bg> <20010921075540.B71120@switchblade.cyberpunkz.org> <20010921160243.C619@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: <20010921160243.C619@ringworld.oblivion.bg>; from roam@ringlet.net on Fri, Sep 21, 2001 at 04:02:43PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Very true. However it is equally trivial to chmod /etc/login.conf so that it is unreadable by ordinary users. an alternative is to place blank, root owned .login_conf files in the homedir of each user. My fix is not supposed to be anything but a quick and dirty fix for those of us who choose to cvsup to the latest stable source. Not a substitute for the correct long term fix. [especially as this issue is fixed in 4.4-RELEASE] Thanks for pointing this out to me however, as it really should have occured to me. Kind regards, Marc Rogers On Fri, Sep 21, 2001 at 04:02:43PM +0300, Peter Pentchev wrote: > On Fri, Sep 21, 2001 at 07:55:40AM -0500, Rob Andrews wrote: > > On Fri, Sep 21, 2001 at 03:48:34PM +0300, Peter Pentchev wrote: > > > Correct me if I'm wrong, but IMHO this will only stop cluebies who do > > > not take the time to look and see just *why* the 'default' override > > > does not work. What happens when they change their .login.conf file > > > and override the 'standard' login class instead? > > > > Users cannot change their login class on the system with .login.conf, > > they can only affect certain things such as path statements and such. > > > > Try it yourself and see.. :) > > Yes, but they can override them for whichever class they choose to > specify in their own .login.conf. Venglin's BugTraq post gave as an > example a user .login.conf file consisting of: > > default:\ > :copyright=/etc/master.passwd: > > This overrides the 'default' login class; if the sysadmin changes > the user's login class to 'standard', then what is there to stop > the user from doing the following? > > standard:\ > :copyright=/etc/master.passwd: > > G'luck, > Peter > > -- > because I didn't think of a good beginning of it. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message