Date:      Sun, 23 Sep 2001 17:02:41 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Robert Watson <rwatson@FreeBSD.ORG>, security@FreeBSD.ORG, current@FreeBSD.ORG, developers@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject:   Re: Patch for review (was Re: ~/.login_conf disabling exact  reasons wanted)
Message-ID:  <200109240003.f8O037701400@cwsys.cwsent.com>
In-Reply-To: Your message of "Sun, 23 Sep 2001 16:13:57 +0400." <20010923161354.A426@nagual.pp.ru>

In message <20010923161354.A426@nagual.pp.ru>, "Andrey A. Chernov" 
writes:
> On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote:
> 
> > I'll work on the proper fix tomorrow.
> 
> 
> Planned for commit. Please, review and/or comment.
> 
> --- login_cap.c.old	Sun Sep 23 16:09:04 2001
> +++ login_cap.c	Sun Sep 23 16:06:19 2001
> @@ -184,18 +184,17 @@
>      login_cap_t	*lc;
>    
>      if ((lc = malloc(sizeof(login_cap_t))) != NULL) {
> -	int	    r, i = 0;
> +	int         r, me, i = 0;
>  	uid_t euid = 0;
>  	gid_t egid = 0;
>  	const char  *msg = NULL;
> -	const char  *dir = (pwd == NULL) ? NULL : pwd->pw_dir;
> +	const char  *dir;
>  	char	    userpath[MAXPATHLEN];
>  
>  	static char *login_dbarray[] = { NULL, NULL, NULL };
>  
> -#ifndef _FILE_LOGIN_CONF_WORKS
> -	dir = NULL;
> -#endif
> +	me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);
> +	dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;
>  	/*
>  	 * Switch to user mode before checking/reading its ~/.login_conf
>  	 * - some NFSes have root read access disabled.
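Review bot: the replaced declaration `int         r, me, i = 0;` uses spaces where the line it replaces used a tab after `int`, so it no longer lines up with the `uid_t euid` and `gid_t egid` declarations that follow; keep the tab. Dropping the `#ifndef _FILE_LOGIN_CONF_WORKS` block is also a behaviour change, not just a cleanup: `dir` was previously forced to NULL on every build without that define, and now `~/.login_conf` is consulted whenever the `me` class is requested and `pwd` is non-NULL, which the commit message should state.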
> @@ -215,7 +214,7 @@
>  	    if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1)
>  		i++;		/* only use 'secure' data */
>  	}
> -	if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)
> +	if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)
>  	    login_dbarray[i++] = _PATH_LOGIN_CONF;
>  	login_dbarray[i] = NULL;
>  
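Review bot: the new `me &&` guard on `login_dbarray[i++] = _PATH_LOGIN_CONF;` drops the system login.conf from the search list for every class other than `me`, and since the `~/.login_conf` entry is already suppressed for those classes via `dir`, `login_dbarray` ends up empty (`i == 0`) for classes such as `root` or `daemon`; that is consistent with the "unknown class" syslog messages reported below. The restriction to `me` belongs only on the user-file entry, so this line should stay unconditional as it was.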
> @@ -227,7 +226,7 @@
>  
>  	switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) {
>  	case -1:		/* Failed, entry does not exist */
> -	    if (strcmp(name, LOGIN_MECLASS) == 0)
> +	    if (me)
>  		break;	/* Don't retry default on 'me' */
>  	    if (i == 0)
>  	        r = -1;
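Review bot: replacing `strcmp(name, LOGIN_MECLASS) == 0` with `if (me)` also closes a NULL dereference, since `me` is computed in the first hunk with a `name != NULL` check while the old `strcmp` ran on `name` unguarded; worth mentioning in the commit message. The `if (i == 0) r = -1;` path just below should be re-examined together with the second hunk, because with that hunk's guard it is now reached for every non-`me` class, not only when both files failed the `_secure_path` check.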

After applying the patch and building world the following are logged to 
syslog.

Sep 23 13:40:00 cwtest /usr/sbin/cron[17208]: login_getclass: unknown class 'root'
Sep 23 13:40:00 cwtest /usr/sbin/cron[17207]: login_getclass: unknown class 'daemon'
Sep 23 13:40:00 cwtest inetd[17213]: login_getclass: unknown class 'daemon'

Rsh between hosts behind my firewall here at home works; however, rsync, 
which uses rsh, does not: an EOF error is displayed.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC