From owner-freebsd-bugs  Sat Sep 15  9:30: 9 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 6116437B40F
	for <freebsd-bugs@hub.freebsd.org>; Sat, 15 Sep 2001 09:30:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f8FGU1Z20646;
	Sat, 15 Sep 2001 09:30:01 -0700 (PDT)
	(envelope-from gnats)
Received: from pod.cse.unsw.edu.au (ppp2-058.ppp2.cse.unsw.EDU.AU [129.94.241.58])
	by hub.freebsd.org (Postfix) with ESMTP id E434137B406
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 15 Sep 2001 09:22:11 -0700 (PDT)
Received: (from ada@localhost)
	by pod.cse.unsw.edu.au (8.11.3/8.11.3) id f8FGM1g25770;
	Sat, 15 Sep 2001 16:22:01 GMT
	(envelope-from ada)
Message-Id: <200109151622.f8FGM1g25770@pod.cse.unsw.edu.au>
Date: Sat, 15 Sep 2001 16:22:01 GMT
From: ada@unsw.edu.au
Reply-To: ada@unsw.edu.au
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/30591: .login_conf is not vetted for settings user should not be able to change
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         30591
>Category:       bin
>Synopsis:       .login_conf is not vetted for settings user should not be able to change
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 15 09:30:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     &
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
>Environment:
System: FreeBSD pod.cse.unsw.edu.au 4.3-RELEASE FreeBSD 4.3-RELEASE #1: Wed Apr 25 04:47:51 GMT 2001 ada@pod.cse.unsw.edu.au:/usr/src/sys/compile/FOO i386

>Description:

The manpage for login.conf(5) describes .login.conf as follows:

     In FreeBSD, users may individually create a file called .login_conf in
     their home directory using the same format, consisting of a single entry
     with a record id of "me".  If present, this file is used by login(1) to
     set user-defined environment settings which override those specified in
     the system login capabilities database.  Only a subset of login capabili-
     ties may be overridden, typically those which do not involve authentica-
     tion, resource limits and accounting.

This is completely utterly bogus.

If, in .login_conf, one has

default:\

this will override system settings for all settings, including those which involve
authentication, resource limits and accounting.

(change default to whatever the login class is.)

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message