From owner-freebsd-hackers@FreeBSD.ORG  Mon Feb 23 11:12:38 2004
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8E9CC16A4CE; Mon, 23 Feb 2004 11:12:38 -0800 (PST)
Received: from kientzle.com (h-66-166-149-50.SNVACAID.covad.net
	[66.166.149.50])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 6E6A643D1F; Mon, 23 Feb 2004 11:12:38 -0800 (PST)
	(envelope-from tim@kientzle.com)
Received: from kientzle.com (54.kientzle.com [66.166.149.54] (may be forged))
	by kientzle.com (8.12.9/8.12.9) with ESMTP id i1NJ5okX093565;
	Mon, 23 Feb 2004 11:05:50 -0800 (PST)
	(envelope-from tim@kientzle.com)
Message-ID: <403A4F0E.6000506@kientzle.com>
Date: Mon, 23 Feb 2004 11:05:50 -0800
From: Tim Kientzle <tim@kientzle.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20031006
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: David Schultz <das@FreeBSD.ORG>
References: <200402221003.i1MA3PW0024791@repoman.freebsd.org>
	<403944D8.6050107@kientzle.com> <20040223025647.GA43467@VARK.homeunix.com>
	<40397824.3080607@kientzle.com> <20040223052110.GA58255@VARK.homeunix.com>
	<40399858.8060506@kientzle.com> <20040223075448.GA59307@VARK.homeunix.com>
In-Reply-To: <20040223075448.GA59307@VARK.homeunix.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-hackers@FreeBSD.ORG
cc: Colin Percival <cperciva@FreeBSD.ORG>
cc: kientzle@acm.org
Subject: Re: cvs commit: src/sbin/nologin Makefile nologin.c
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: kientzle@acm.org
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Feb 2004 19:12:38 -0000

[Discussion moved to -hackers...]

David Schultz wrote:
> On Sun, Feb 22, 2004, Tim Kientzle wrote:
> 
>>David Schultz wrote:
>>
>>>One unfortunate side-effect [of dynamic /bin is that] custom
>>>versions of nologin that people have written as shell scripts are
>>>now insecure.
>>
>>Is there any reason why "login -p" should be permitted
>>if the user's shell is not listed in /etc/shells ?
>>
>>chpass already enforces a clear distinction between
>>"standard" and "non-standard" shells.  It seems reasonable
>>for login(1) to also be aware of that distinction.
> 
> Good point.  I don't know of any reason for the present behavior.
> I suppose the same reasoning would also apply to su and sshd  ...

And possibly telnetd?

Looking at telnetd, it uses the "-p" option to login
to preserve TERM.  But our login always preserves
TERM, regardless, so I think this could be removed.

I'm not entirely sure, though.  There are many layers
of #if/#else/#endif in that code, so I might be mis-reading things
here.  Our telnetd is also vendor code, so it would
be advisable to limit changes to the code directly.
It looks like it might suffice to add

    CFLAGS += -DNO_LOGIN_P

to src/libexec/telnetd/Makefile.

Thoughts?

Tim