Date: Wed, 25 Feb 2004 10:57:38 +0100 From: Richard Nyberg <rnyberg@it.su.se> To: Ian Freislich <if@hetzner.co.za> Cc: kientzle@acm.org Subject: Re: What to do about nologin(8)? Message-ID: <m1ishviir1.wl@murmeldjur.it.su.se> In-Reply-To: <E1AvtaH-0007DM-00@hetzner.co.za> References: <ache@nagual.pp.ru> <20040225000702.GC32548@nagual.pp.ru> <E1AvtaH-0007DM-00@hetzner.co.za>
next in thread | previous in thread | raw e-mail | index | archive | help
At Wed, 25 Feb 2004 09:35:57 +0200,
Ian Freislich wrote:
>
> > On Tue, Feb 24, 2004 at 03:56:44PM -0800, Tim Kientzle wrote:
> > > >>(2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.
> > > >
> > > > Wearing my member-of-security-team hat, I have to say I'm rather
> > > >unhappy with this idea. It's also been pointed out (by nectar) that
> > > >there are issues with NFS if files are owned by nobody or nogroup.
> >
> > This idea is comes from very narrow vision. What to do, say, with
> > dynamically linked /usr/local/bin/bash? Whole "nologin" story starts
>
> Interestingly /usr/local/bin/bash is statically linked by default.
> Well, the bash2 port is at least.
>
> [ian] ~ $ ldd /usr/local/bin/bash
> ldd: /usr/local/bin/bash: not a dynamic executable
>
FYI: that has recently changed.
-Richard
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?m1ishviir1.wl>