Date:      Mon, 10 Feb 1997 01:03:26 +1100
From:      David Nugent <davidn@labs.usn.blaze.net.au>
To:        Andreas Klemm <andreas@klemm.gtn.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: should permissions of /usr/bin/login be changed to 0100 ???
Message-ID:  <19970210010326.55168@usn.blaze.net.au>
In-Reply-To: <19970208135454.ZJ37734@klemm.gtn.com>; from Andreas Klemm on Feb 02, 1997 at 01:54:54PM
References:  <19970208135454.ZJ37734@klemm.gtn.com>

On Feb 02, 1997 at 01:54:54PM, Andreas Klemm wrote:
> From the OPIE README file:
> [...]
>         While an almost universal "feature", most people remain unaware that
> an intruder can log into a system, then log in again by running the "login"
> command from a shell. Because the second login is from the local host, the
> utmp entry will not show a remote login host anymore. The OPIE replacement
> for /bin/login currently carries on this behavior for compatibility reasons.

Compatibility that is broken, imho. It breaks wtmp (and therefore
last(1)), for example, by having a login record (the original) with
no logout record.


> If you would like to prevent this from happening, you should change the
> permissions of /bin/login to 0100, thus preventing unprivileged users from
> executing it. This fix should work on non-OPIE /bin/login programs as well.

Actually, imho, NO user should be able to execute it. login should
not be setuid. I see no functionality that su(1) doesn't already
take care of.


> Our /usr/bin/login program has the following permissions:
> -r-sr-xr-x  1 root  bin  24576  6 Feb 01:28 /usr/bin/login
> 
> Would it be useful to change permissions to 0100?

Just removing the setuid bit makes it harmless, but 0100 will
prevent anyone but root from trying, anyway. I'm all for it.


Regards,

David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547  Data/BBS +61-3-9792-3507  3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
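As an added example (not part of this message and not OPIE or FreeBSD code), a small POSIX shell audit that converts an `ls -l` mode string like the one quoted above into its octal mode and reports whether a login binary is in the state the thread warns about (setuid root and executable by everyone), merely world-executable, or restricted to owner-only 0100. The use of `ls -ld` to read a live file's mode is an assumption; the sample mode strings are constructed from the message.

```shell
#!/bin/sh
# Constructed example: audit the mode of a login(1) binary.

# mode_to_octal MODESTRING -> prints the four-digit octal mode,
# e.g. "-r-sr-xr-x" -> 4555, "---x------" -> 0100.
mode_to_octal() {
    m=$1
    special=0; perm=0
    for who in 0 1 2; do            # 0=owner, 1=group, 2=other
        pos=$((2 + who * 3))        # first of the three chars for this class
        r=$(printf '%s' "$m" | cut -c"$pos")
        w=$(printf '%s' "$m" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$m" | cut -c"$((pos + 2))")
        bits=0
        [ "$r" = r ] && bits=$((bits + 4))
        [ "$w" = w ] && bits=$((bits + 2))
        case $x in x|s|t) bits=$((bits + 1)) ;; esac   # lowercase = exec bit set
        case $x in
            s|S) if [ "$who" -eq 0 ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            t|T) special=$((special + 1)) ;;
        esac
        perm=$((perm * 8 + bits))
    done
    printf '%d%03o\n' "$special" "$perm"
}

# login_mode_risk MODESTRING -> prints one of:
#   setuid-world-exec  setuid bit on and group/other may execute (the quoted -r-sr-xr-x)
#   world-exec         no setuid, but any user can still run it
#   owner-only         only the owner may execute, as chmod 0100 gives
login_mode_risk() {
    oct=$(mode_to_octal "$1")
    special=$(printf '%s' "$oct" | cut -c1)
    group=$(printf '%s' "$oct" | cut -c3)
    other=$(printf '%s' "$oct" | cut -c4)
    if [ $((special & 4)) -ne 0 ] && [ $(( (group | other) & 1 )) -ne 0 ]; then
        echo setuid-world-exec
    elif [ $(( (group | other) & 1 )) -ne 0 ]; then
        echo world-exec
    else
        echo owner-only
    fi
}

# audit_login PATH -> risk class of an installed binary (assumes ls -ld output
# starts with the 10-character mode string, as on BSD and Linux).
audit_login() {
    mode=$(ls -ld "$1" | cut -c1-10) || return 1
    login_mode_risk "$mode"
}

login_mode_risk '-r-sr-xr-x'   # the mode quoted in the thread
```

Run `audit_login /usr/bin/login` on a live system to classify the installed binary; after `chmod 0100` it should report `owner-only`.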


