Date: Fri, 21 Sep 2001 14:19:37 +0100 From: Marc Rogers <marcr@shady.org> To: Peter Pentchev <roam@ringlet.net> Cc: Rob Andrews <rob@cyberpunkz.org>, FreeBSD-Security@FreeBSD.ORG Subject: Re: login_conf vulnerability. Message-ID: <20010921141937.N99287@shady.org> In-Reply-To: <20010921160243.C619@ringworld.oblivion.bg>; from roam@ringlet.net on Fri, Sep 21, 2001 at 04:02:43PM %2B0300 References: <20010921124410.D99287@shady.org> <20010921154834.B619@ringworld.oblivion.bg> <20010921075540.B71120@switchblade.cyberpunkz.org> <20010921160243.C619@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
Very true. However it is equally trivial to chmod /etc/login.conf so that it is unreadable by ordinary users. an alternative is to place blank, root owned .login_conf files in the homedir of each user. My fix is not supposed to be anything but a quick and dirty fix for those of us who choose to cvsup to the latest stable source. Not a substitute for the correct long term fix. [especially as this issue is fixed in 4.4-RELEASE] Thanks for pointing this out to me however, as it really should have occured to me. Kind regards, Marc Rogers On Fri, Sep 21, 2001 at 04:02:43PM +0300, Peter Pentchev wrote: > On Fri, Sep 21, 2001 at 07:55:40AM -0500, Rob Andrews wrote: > > On Fri, Sep 21, 2001 at 03:48:34PM +0300, Peter Pentchev wrote: > > > Correct me if I'm wrong, but IMHO this will only stop cluebies who do > > > not take the time to look and see just *why* the 'default' override > > > does not work. What happens when they change their .login.conf file > > > and override the 'standard' login class instead? > > > > Users cannot change their login class on the system with .login.conf, > > they can only affect certain things such as path statements and such. > > > > Try it yourself and see.. :) > > Yes, but they can override them for whichever class they choose to > specify in their own .login.conf. Venglin's BugTraq post gave as an > example a user .login.conf file consisting of: > > default:\ > :copyright=/etc/master.passwd: > > This overrides the 'default' login class; if the sysadmin changes > the user's login class to 'standard', then what is there to stop > the user from doing the following? > > standard:\ > :copyright=/etc/master.passwd: > > G'luck, > Peter > > -- > because I didn't think of a good beginning of it. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010921141937.N99287>