Date:      Fri, 21 Sep 2001 09:40:39 -0700 (PDT)
From:      David Kirchner <davidk@accretivetg.com>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Marc Rogers <marcr@shady.org>, Peter Pentchev <roam@ringlet.net>, Rob Andrews <rob@cyberpunkz.org>, <FreeBSD-Security@FreeBSD.ORG>
Subject:   Re: login_conf vulnerability.
Message-ID:  <20010921093907.C85958-100000@localhost>
In-Reply-To: <20010921173502.A62350@nagual.pp.ru>

On Fri, 21 Sep 2001, Andrey A. Chernov wrote:

> It is SSH+LOGIN_CAP integration bug. SSH should call setusercontext()
> before accessing "copyright" and "welcome" properties, as /usr/bin/login
> does.

This is from 4.2R source. Would this be the location to patch?

Line 967 session.c:

                if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) < 0)

would that be replaced with how it is in login:

                if (setusercontext(lc, pw, pw->pw_uid, \
			LOGIN_SETALL & ~LOGIN_SETLOGIN) < 0)

?

