Date: Mon, 10 Feb 1997 01:03:26 +1100 From: David Nugent <davidn@labs.usn.blaze.net.au> To: Andreas Klemm <andreas@klemm.gtn.com> Cc: freebsd-hackers@freebsd.org Subject: Re: should permissions of /usr/bin/login be changed to 0100 ??? Message-ID: <19970210010326.55168@usn.blaze.net.au> In-Reply-To: <19970208135454.ZJ37734@klemm.gtn.com>; from Andreas Klemm on Feb 02, 1997 at 01:54:54PM References: <19970208135454.ZJ37734@klemm.gtn.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Feb 02, 1997 at 01:54:54PM, Andreas Klemm wrote: > >From the OPIE README file: > [...] > While an almost universal "feature", most people remain unaware that > an intruder can log into a system, then log in again by running the "login" > command from a shell. Because the second login is from the local host, the > utmp entry will not show a remote login host anymore. The OPIE replacement > for /bin/login currently carries on this behavior for compatibility reasons. Compatibility that is broken, imho. It breaks wtmp (and therefore last(1)), for example, by having a login record (the original) with no logout record. > If you would like to prevent this from happening, you should change the > permissions of /bin/login to 0100, thus preventing unprivileged users from > executing it. This fix should work on non-OPIE /bin/login programs as well. Actually, imho, NO user should be able to execute it. login should not be setuid. I see no functionality that su(1) doesn't already take care of. > Our /usr/bin/login program has the following permissions: > -r-sr-xr-x 1 root bin 24576 6 Feb 01:28 /usr/bin/login > > Would it be useful to change permissions to 0100 ? Just removing the setuid bit makes it harmless, but 0100 will prevent anyone but root trying, anyway. I'm all for it. Regards, David Nugent - Unique Computing Pty Ltd - Melbourne, Australia Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970210010326.55168>