From: Ladavac Marino
To: 'Doug White' , Gustavo Lozano Ibarra
Cc: freebsd-questions@FreeBSD.ORG
Subject: RE: checking a password when I am not root
Date: Mon, 31 May 1999 13:55:00 +0200

> -----Original Message-----
> From: Doug White [SMTP:dwhite@resnet.uoregon.edu]
> Sent: Saturday, May 29, 1999 1:21 AM
> To: Gustavo Lozano Ibarra
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: checking a password when I am not root
>
> Make the tcl script suid root too?

[ML] I would advise against it (you cannot make a script suid under FreeBSD, and suid root tclsh is a suicide. suidperl is something else :) You can make a suid root executable which checks a password (it should expect a password on stdin and exit success if it matched, otherwise fail--do not use arguments for password passing as ps will show them) and call this script from tcl library. This way you do not even have to code the actual tcl lib part in C--tcl will do.

> You can always drop privileges once you have your password check.

[ML] It is way better to delegate this to an external executable. tcl does not do the perl kind of taint checking. Furthermore, there will be no possibility for a cracker to harvest encrypted passwords from the memory image which could possibly be done with suid tclsh.

> Doug White
> Internet: dwhite@resnet.uoregon.edu | FreeBSD: The Power to Serve
> http://gladstone.uoregon.edu/~dwhite | www.freebsd.org
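
A sketch of the helper described in the reply above, as an added example that is not code from the thread: the password arrives on stdin, never in argv, and the exit status is the only answer. The names `checkpw`, `CHECKPW_MAIN`, `check_password` and `hash_fn` are assumptions made for this example; the hash routine is passed in as a pointer so the core logic compiles and can be exercised without libcrypt.

```c
/* checkpw.c: added example, not code from the thread. Helper build (assumed name):
 *   cc -DCHECKPW_MAIN -o checkpw checkpw.c -lcrypt */
#include <stdio.h>
#include <string.h>

typedef char *(*hash_fn)(const char *key, const char *salt);  /* shape of crypt(3) */

/* Zero a buffer through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* String equality that does not stop at the first differing byte. */
static int same(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char d = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Read one password line from `in`, hash it with the stored hash as salt.
 * Returns 0 on match, 1 otherwise; the value doubles as the exit status. */
int check_password(FILE *in, const char *stored, hash_fn hash) {
    char pw[256];
    const char *h;
    size_t n;
    int rc = 1;
    if (stored == NULL || stored[0] == '\0' || fgets(pw, sizeof pw, in) == NULL)
        return 1;
    n = strcspn(pw, "\n");
    if (pw[n] == '\n' || feof(in)) {   /* whole line fit; over-long input fails */
        pw[n] = '\0';
        h = hash(pw, stored);
        if (h != NULL && same(h, stored)) rc = 0;
    }
    wipe(pw, sizeof pw);
    return rc;
}

#ifdef CHECKPW_MAIN   /* setuid-root entry point: user name in argv, password on stdin */
#include <pwd.h>
#include <unistd.h>
int main(int argc, char **argv) {
    struct passwd *p = argc == 2 ? getpwnam(argv[1]) : NULL;  /* hash readable as root */
    if (setuid(getuid()) != 0) return 1;                       /* then drop privileges */
    return p ? check_password(stdin, p->pw_passwd, crypt) : 1;
}
#endif
```

From Tcl the helper can be fed with `exec checkpw $user << $password` inside `catch`, since `exec` raises an error on a non-zero exit status.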