Date: Sun, 23 Sep 2001 17:02:41 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: Robert Watson <rwatson@FreeBSD.ORG>, security@FreeBSD.ORG, current@FreeBSD.ORG, developers@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted)
Message-ID: <200109240003.f8O037701400@cwsys.cwsent.com>
In-Reply-To: Your message of "Sun, 23 Sep 2001 16:13:57 +0400." <20010923161354.A426@nagual.pp.ru>
In message <20010923161354.A426@nagual.pp.ru>, "Andrey A. Chernov" writes:

> On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote:
>
> > I'll work on the proper fix tomorrow.
>
> Planned for commit. Please, review and/or comment.
>
> --- login_cap.c.old Sun Sep 23 16:09:04 2001 > +++ login_cap.c Sun Sep 23 16:06:19 2001 > @@ -184,18 +184,17 @@ > login_cap_t *lc; > > if ((lc = malloc(sizeof(login_cap_t))) != NULL) { > - int r, i = 0; > + int r, me, i = 0; > uid_t euid = 0; > gid_t egid = 0; > const char *msg = NULL; > - const char *dir = (pwd == NULL) ? NULL : pwd->pw_dir; > + const char *dir; > char userpath[MAXPATHLEN]; > > static char *login_dbarray[] = { NULL, NULL, NULL }; > > -#ifndef _FILE_LOGIN_CONF_WORKS > - dir = NULL; > -#endif > + me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); > + dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; > /* > * Switch to user mode before checking/reading its ~/.login_conf > * - some NFSes have root read access disabled. > @@ -215,7 +214,7 @@ > if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1) > i++; /* only use 'secure' data */ > } > - if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) > + if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) > login_dbarray[i++] = _PATH_LOGIN_CONF; > login_dbarray[i] = NULL;
> > @@ -227,7 +226,7 @@ > > switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) { > case -1: /* Failed, entry does not exist */ > - if (strcmp(name, LOGIN_MECLASS) == 0) > + if (me) > break; /* Don't retry default on 'me' */ > if (i == 0) > r = -1;

After applying the patch and building world, the following are logged to syslog.

Sep 23 13:40:00 cwtest /usr/sbin/cron[17208]: login_getclass: unknown class 'root'
Sep 23 13:40:00 cwtest /usr/sbin/cron[17207]: login_getclass: unknown class 'daemon'
Sep 23 13:40:00 cwtest inetd[17213]: login_getclass: unknown class 'daemon'

Rsh between hosts behind my firewall here at home works; however rsync, which uses rsh, does not: an EOF error is displayed.

Regards,

Cy Schubert <Cy.Schubert@osg.gov.bc.ca>
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
Phone: (250)387-8437  Fax: (250)387-5766
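Review bot: In the second hunk, gating the system database on `me` (`if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1)`) means /etc/login.conf is never added to login_dbarray for any class other than 'me', so a lookup for 'root', 'daemon' or 'default' calls cgetent() with an empty array, takes the `case -1` path and, since `i == 0`, returns `r = -1`; that is exactly the `login_getclass: unknown class 'root'` / `'daemon'` syslog lines from cron and inetd reported above. The first hunk's `dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;` already keeps ~/.login_conf out of the search path for every class except 'me', so the `me &&` in the second hunk should be dropped and the system database added unconditionally as before; if excluding /etc/login.conf for 'me' is really intended, that deserves a comment, because it makes a 'me' lookup fail whenever the user has no ~/.login_conf.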