Date: Sat, 15 Sep 2001 16:22:01 GMT
From: ada@unsw.edu.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/30591: .login_conf is not vetted for settings user should not be able to change
Message-ID: <200109151622.f8FGM1g25770@pod.cse.unsw.edu.au>

>Number: 30591
>Category: bin
>Synopsis: .login_conf is not vetted for settings user should not be able to change
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 15 09:30:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: &
>Release: FreeBSD 4.3-RELEASE i386
>Organization:
>Environment:
System: FreeBSD pod.cse.unsw.edu.au 4.3-RELEASE FreeBSD 4.3-RELEASE #1: Wed Apr 25 04:47:51 GMT 2001 ada@pod.cse.unsw.edu.au:/usr/src/sys/compile/FOO i386
>Description:
The manpage for login.conf(5) describes .login_conf as follows:

    In FreeBSD, users may individually create a file called .login_conf in
    their home directory using the same format, consisting of a single entry
    with a record id of "me". If present, this file is used by login(1) to
    set user-defined environment settings which override those specified in
    the system login capabilities database. Only a subset of login
    capabilities may be overridden, typically those which do not involve
    authentication, resource limits and accounting.

This is completely utterly bogus.
If, in .login_conf, one has

    default:\

this will override system settings for all settings, including those which involve authentication, resource limits and accounting.
(Change default to whatever the login class is.)
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109151622.f8FGM1g25770>
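
Added example, not part of the original report and not FreeBSD code: an audit script that checks the text of a user's .login_conf against what the quoted manpage says should hold, namely a single record with id "me" and no capabilities for authentication, resource limits or accounting. The RESTRICTED set is an illustrative subset of login.conf(5) capability names, the sample files are constructed, and the parser assumes values contain no escaped colons.

```python
import re

# Illustrative subset of login.conf(5) capabilities (assumption: not exhaustive).
RESTRICTED = {
    # resource limits
    "cputime", "filesize", "datasize", "stacksize", "coredumpsize",
    "memoryuse", "memorylocked", "maxproc", "openfiles",
    # authentication
    "minpasswordlen", "passwd_format", "host.allow", "host.deny",
    "times.allow", "times.deny", "ttys.allow", "ttys.deny",
    # accounting
    "accounted", "sessiontime", "sessionlimit", "idletime",
}

def parse_records(text):
    """Return [(names, capability_names)] for a getcap(3)-style file."""
    # Join backslash-newline continuations into single logical records.
    joined = re.sub(r"\\\n[ \t]*", "", text)
    records = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = [f.strip() for f in line.split(":")]
        names = fields[0].split("|")
        # A capability is name=value, name#number, name@ or a bare boolean.
        caps = [re.split(r"[=#@]", f, maxsplit=1)[0] for f in fields[1:] if f]
        records.append((names, caps))
    return records

def audit(text):
    """List findings: records not named 'me' and restricted capabilities."""
    findings = []
    for names, caps in parse_records(text):
        if "me" not in names:
            findings.append(f"record {names[0]!r}: id is not 'me'")
        for cap in caps:
            base = re.sub(r"-(cur|max)$", "", cap)  # limits accept -cur/-max
            if base in RESTRICTED:
                findings.append(f"record {names[0]!r}: sets {cap}")
    return findings

# Constructed sample inputs (not taken from the report).
SAMPLE_OK = "me:\\\n    :lang=en_AU.ISO8859-1:\\\n    :setenv=EDITOR=vi:\n"
SAMPLE_BAD = ("default:\\\n    :cputime=1h:\\\n    :maxproc-max#64:\\\n"
              "    :minpasswordlen#0:\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_BAD):
        print(finding)
```
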
