From: John Baldwin
To: current@FreeBSD.org
Cc: freebsd-current@freebsd.org, Colin Percival
Date: Mon, 23 Feb 2004 15:16:16 -0500
Subject: Re: What to do about nologin(8)?

On Monday 23 February 2004 02:58 pm, Doug Rabson wrote:
> On Mon, 2004-02-23 at 17:45, Colin Percival wrote:
> >    As anyone who reads cvs-all (or Mark Johnston's wonderful
> > summaries thereof) will know, I recently added logging into
> > nologin(8): Instead of simply printing an error message, it
> > now (via syslog) records the refused login attempt.
> >    For security reasons, nologin(8) must be statically linked;
> > as a result, adding logging has increased the binary size by
> > slightly over 100K (on i386).  For historical reasons (which
> > is to say, "nobody seems to know why"), nologin is located in
> > /sbin, which means that this has a non-trivial effect upon
> > the space used on the root partition.  Some people are unhappy
> > about this.
> >    I can see a number of possible options; I'd like to hear
> > opinions on which would be the best.
>
> How about:
>
> 7: Use 'system("logger ...") to log the failed login?

Wouldn't that be subject to the same LD_LIBRARY_PATH concerns since logger is
dynamically linked and you could trojan its libc?

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve" = http://www.FreeBSD.org
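
The environment-inheritance concern raised in this message, as an added C example that is not part of the thread and is not FreeBSD's nologin(8) code: a helper started with system(3) sees the caller's LD_LIBRARY_PATH, while one started with fork and execve with a fixed environment does not. The function names `run_helper_inherited` and `run_helper_clean`, the probe command, and the sample variable value are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the helper: nothing set by the caller survives. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };

/* Constructed probe: exits 0 if LD_LIBRARY_PATH is visible, 1 if not. */
#define PROBE "test -n \"$LD_LIBRARY_PATH\""

/* system(3) pattern from option 7: /bin/sh and whatever it starts inherit
 * the caller's environment, LD_LIBRARY_PATH and LD_PRELOAD included. */
int run_helper_inherited(const char *cmd)
{
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* fork + execve with an absolute path and the fixed environment above. */
int run_helper_clean(const char *path, char *const argv[])
{
    int st;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &st, 0) == -1)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    char *const argv[] = { "sh", "-c", PROBE, NULL };

    /* Constructed stand-in for a value chosen by the user logging in. */
    setenv("LD_LIBRARY_PATH", "/nonexistent/constructed", 1);
    printf("system():       probe exit %d\n", run_helper_inherited(PROBE));
    printf("clean execve(): probe exit %d\n", run_helper_clean("/bin/sh", argv));
    return 0;
}
```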