Date: Sat, 22 Sep 2001 15:17:52 +0400
From: "Andrey A. Chernov"
To: security@FreeBSD.ORG, rwatson@FreeBSD.ORG
Cc: current@FreeBSD.ORG, developers@FreeBSD.ORG
Subject: Re: ~/.login_conf disabling exact reasons wanted
Message-ID: <20010922151752.B82718@nagual.pp.ru>
References: <20010922143942.A82482@nagual.pp.ru> <20010922151116.A82718@nagual.pp.ru>
In-Reply-To: <20010922151116.A82718@nagual.pp.ru>

On Sat, Sep 22, 2001 at 15:11:17 +0400, Andrey A. Chernov wrote:
> If you mean his report in BUGTRAQ
> http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=215381&start=2001-09-19&end=2001-09-25
>
> it is a hoax; we don't have such a vulnerability in -current, as I tested.
> Please TEST things before committing, especially to all branches.
> Please back it out.

Why is it a hoax? One reason is simple, look at his examples:

----------------------------------------------------
default:
        :copyright=/etc/master.passwd:

or

        :welcome=/etc/master.passwd:

in user's ~/.login_conf.
---------------------------------------------------

Only the "me" class can be defined in ~/.login_conf; anything else is ignored there. And the "me" class is picked up only when permissions are set to user mode, at the end of setusercontext(). And "copyright" and "welcome" are not overwritable from the "me" class in any case.

-- 
Andrey A. Chernov
http://ache.pp.ru/
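
The three rules stated in the message above, written out as a small model. This is an added example, not part of the original post and not FreeBSD's libutil code. The function name, the `privs_dropped` flag and the sample records are assumptions, and every capability other than the two named in the message is treated as overridable, which is a simplification.

```c
#include <stdio.h>
#include <string.h>

/* Capabilities the message says the "me" class can never override. */
static const char *const locked[] = { "copyright", "welcome" };

static int is_locked(const char *cap, size_t n) {
    for (size_t i = 0; i < sizeof locked / sizeof locked[0]; i++)
        if (strlen(locked[i]) == n && strncmp(cap, locked[i], n) == 0)
            return 1;
    return 0;
}

/*
 * Count the capabilities of one record ("name:cap=val:cap=val:", with
 * continuation lines already folded) that would take effect from
 * ~/.login_conf under the rules in the message. privs_dropped models
 * whether the process has already switched to the user's credentials.
 */
int user_caps_applied(const char *record, int privs_dropped) {
    const char *p = strchr(record, ':');
    int applied = 0;
    if (!privs_dropped || p == NULL)
        return 0;                        /* not consulted while privileged */
    if ((size_t)(p - record) != 2 || strncmp(record, "me", 2) != 0)
        return 0;                        /* classes other than "me" ignored */
    while (*p == ':') {
        const char *cap = ++p;           /* start of the next field */
        size_t len = strcspn(cap, ":");  /* whole "name=value" field */
        size_t namelen = strcspn(cap, "=:");
        if (len > 0 && !is_locked(cap, namelen))
            applied++;
        p = cap + len;
    }
    return applied;
}

int main(void) {
    /* Constructed sample records; the first two follow the quoted examples. */
    const char *r1 = "default:copyright=/etc/master.passwd:";
    const char *r2 = "me:welcome=/etc/master.passwd:";
    const char *r3 = "me:charset=KOI8-R:lang=ru_RU.KOI8-R:";
    printf("%d %d %d %d\n", user_caps_applied(r1, 1), user_caps_applied(r2, 1),
           user_caps_applied(r3, 1), user_caps_applied(r3, 0));
    return 0;
}
```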