Date: Wed, 25 Feb 2004 03:07:04 +0300
From: Andrey Chernov <ache@nagual.pp.ru>
To: kientzle@acm.org
Cc: Colin Percival <colin.percival@wadham.ox.ac.uk>
Subject: Re: What to do about nologin(8)?
Message-ID: <20040225000702.GC32548@nagual.pp.ru>
In-Reply-To: <403BE4BC.9070009@kientzle.com>
References: <6.0.1.1.1.20040223171828.03de8b30@imap.sfu.ca> <20040224223659.GB69570@VARK.homeunix.com> <6.0.1.1.1.20040224225502.03dcfb10@imap.sfu.ca> <403BE4BC.9070009@kientzle.com>
On Tue, Feb 24, 2004 at 03:56:44PM -0800, Tim Kientzle wrote:
> >>(2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.
> >
> > Wearing my member-of-security-team hat, I have to say I'm rather
> >unhappy with this idea. It's also been pointed out (by nectar) that
> >there are issues with NFS if files are owned by nobody or nogroup.

This idea comes from a very narrow vision. What to do, say, with a
dynamically linked /usr/local/bin/bash? Does the whole "nologin" story
start again? Please consider that nologin is just one innocent example
of a general problem with _all_ shells, so it needs to be solved
generally too, i.e. in the caller.

-- 
Andrey Chernov | http://ache.pp.ru/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040225000702.GC32548>
