Date: Mon, 23 Feb 2004 11:05:50 -0800 From: Tim Kientzle <tim@kientzle.com> To: David Schultz <das@FreeBSD.ORG> Cc: kientzle@acm.org Subject: Re: cvs commit: src/sbin/nologin Makefile nologin.c Message-ID: <403A4F0E.6000506@kientzle.com> In-Reply-To: <20040223075448.GA59307@VARK.homeunix.com> References: <200402221003.i1MA3PW0024791@repoman.freebsd.org> <403944D8.6050107@kientzle.com> <20040223025647.GA43467@VARK.homeunix.com> <40397824.3080607@kientzle.com> <20040223052110.GA58255@VARK.homeunix.com> <40399858.8060506@kientzle.com> <20040223075448.GA59307@VARK.homeunix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[Discussion moved to -hackers...]
David Schultz wrote:
> On Sun, Feb 22, 2004, Tim Kientzle wrote:
>
>>David Schultz wrote:
>>
>>>One unfortunate side-effect [of dynamic /bin is that] custom
>>>versions of nologin that people have written as shell scripts are
>>>now insecure.
>>
>>Is there any reason why "login -p" should be permitted
>>if the user's shell is not listed in /etc/shells ?
>>
>>chpass already enforces a clear distinction between
>>"standard" and "non-standard" shells. It seems reasonable
>>for login(1) to also be aware of that distinction.
>
> Good point. I don't know of any reason for the present behavior.
> I suppose the same reasoning would also apply to su and sshd ...
And possibly telnetd?
Looking at telnetd, it uses the "-p" option to login
to preserve TERM. But our login always preserves
TERM, regardless, so I think this could be removed.
I'm not entirely sure, though. There are many layers
of #if/#else/#endif in that code, so I might be mis-reading things
here. Our telnetd is also vendor code, so it would
be advisable to limit changes to the code directly.
It looks like it might suffice to add
CFLAGS += -DNO_LOGIN_P
to src/libexec/telnetd/Makefile.
Thoughts?
Tim
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?403A4F0E.6000506>