From owner-freebsd-security  Thu Aug 17 06:58:16 1995
Return-Path: security-owner
Received: (from majordom@localhost)
          by freefall.FreeBSD.org (8.6.11/8.6.6) id GAA12786
          for security-outgoing; Thu, 17 Aug 1995 06:58:16 -0700
Received: from pain.csrv.uidaho.edu (pain.csrv.uidaho.edu [129.101.114.109])
          by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id GAA12780
          for <security@freebsd.org>; Thu, 17 Aug 1995 06:58:14 -0700
Received: from pain.csrv.uidaho.edu (localhost [127.0.0.1]) by pain.csrv.uidaho.edu (8.6.11/8.6.9) with ESMTP id GAA22209; Thu, 17 Aug 1995 06:46:59 -0700
Message-Id: <199508171346.GAA22209@pain.csrv.uidaho.edu>
To: kelly@fsl.noaa.gov (Sean Kelly)
cc: terry@vector.eikon.e-technik.tu-muenchen.de, security@freebsd.org
Subject: Re: Login hole 
In-reply-to: Your message of "Thu, 17 Aug 1995 07:14:13 MDT."
             <9508171314.AA03564@emu.fsl.noaa.gov> 
X-Web: <"http://www.cs.uidaho.edu:8000/"> 
X-OS: 4.4BSD derivatives 
Date: Thu, 17 Aug 1995 06:46:58 -0700
From: Faried Nawaz <fn@pain.csrv.uidaho.edu>
Sender: security-owner@freebsd.org
Precedence: bulk


Sean Kelly wrote...

   >>>>> "Terry" == Terry Carroll <terry@vector.eikon.e-technik.tu-muenchen.de>
   writes:
   
       Terry> Login with no home directory should be denied for normal
       Terry> user.  Should not drop one into /.

edit /usr/src/usr.bin/login/login.c and play with lines 349-354.


   I realize precedent isn't necessarily a good reason for inaction, but
   on every SysV and BSD system I've used, no login directory leaves you
   in /.  Some of my users find this behavior convenient ... if the NFS
   server for their home directories is down, they can still read mail.

i believe hp-ux 9.x doesn't let you on if you have no ~.  i think that
happens only if your passwd entry is managed by nis, though.