From owner-freebsd-hackers Wed Oct 30 12:36:56 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA27463 for hackers-outgoing; Wed, 30 Oct 1996 12:36:56 -0800 (PST)
Received: from starfire.mn.org (root@starfire.skypoint.net [199.86.32.187]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA27453 for ; Wed, 30 Oct 1996 12:36:50 -0800 (PST)
From: john@starfire.mn.org
Received: (from john@localhost) by starfire.mn.org (8.7.5/1.1) id OAA03828; Wed, 30 Oct 1996 14:35:20 -0600 (CST)
Message-Id: <199610302035.OAA03828@starfire.mn.org>
Subject: Re: rlogind user name restrictions
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Wed, 30 Oct 1996 14:35:19 -0600 (CST)
Cc: hackers@FreeBSD.ORG
In-Reply-To: <199610301956.UAA09626@gvr.win.tue.nl> from "Guido van Rooij" at Oct 30, 96 08:56:19 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Guido van Rooij wrote:
>
> john@starfire.mn.org wrote:
> > I understand the restriction on not passing a "username" to login that
> > STARTS with '-', but I do not understand the restriction on it anywhere
> > in the "lusername" string.  Would any BAD THINGS happen if I relaxed
> > the restriction to only check for the first character?
> >
> > The thing is, we have a user "star-net"...
>
> Yes you are right.
> This has long been fixed in current.

Great!  Thanks.

> Here is the patch:

Well, I was about to say that it looks exactly like mine, only IT DOESN'T!
Here's why...

> --- /usr/src/libexec/rlogind/rlogind.c	Sun Jun 23 15:07:44 1996
> +++ /tmp/rlogind.c	Wed Oct 30 20:55:23 1996
> @@ -293,7 +293,7 @@
>  		if (f > 2)			/* f should always be 0, but... */
>  			(void) close(f);
>  		setup_term(0);
> -		if (strchr(lusername, '-')) {
> +		if (lusername == '-') {
  		    ^^^^^^^^^

Shouldn't this be "*lusername" or "lusername[0]"?????????

Unless this is simply a typo, the security we once had on this matter is
toast, since that pointer is never going to be equal to '-'...

Even doing this, has it been checked that there are no throw-away
characters that login might skip over that would make the corrected test
ineffectual?  I'm not that totally familiar with the internal operation
of "getopt" that I could speak authoritatively to this issue, which is
why I didn't submit my diffs in the first place.  That was what I meant
by "BAD THINGS".

> 			syslog(LOG_ERR, "tried to pass user \"%s\" to login",
> 			    lusername);
> 			fatal(STDERR_FILENO, "invalid user", 0);

John Lind, Starfire Consulting Services
E-mail: john@starfire.MN.ORG
USnail: PO Box 17247, Mpls MN 55417
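Review bot: the `+` line in the hunk at line 293 compares the pointer `lusername` itself with the character constant `'-'`, so the condition is never true for a real string and the `syslog`/`fatal` branch that follows it is dead: every name, including one beginning with `-`, is handed to login. The intended test is the first character, `if (*lusername == '-') {` or `if (lusername[0] == '-') {`, as the reply already asks. A pointer-to-integer comparison like this is also something the compiler will normally warn about, so the warning output from the build of this patch is worth a look.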
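The three checks discussed in this thread, side by side, as an added C example written for this page (it is not rlogind's code, and the function names, the `MAX_NAME` limit and the sample names are assumptions made for the example). It shows why the original `strchr` test refuses "star-net", why the quoted `lusername == '-'` test refuses nothing, and that `lusername[0] == '-'` does what the patch meant. It also goes one step beyond the thread: `reject_unless_safe` answers the "throw-away characters" worry by refusing any name whose first character is not alphanumeric, so it does not depend on knowing which leading characters login or getopt might skip.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 32   /* assumption for this example, not rlogind's actual limit */

/* Every function returns 1 when the name should be REJECTED before it is
 * passed to login(1), and 0 when it may go through. */

/* The original rlogind test: a '-' anywhere in the name is refused,
 * which is what keeps the legitimate user "star-net" out. */
int reject_dash_anywhere(const char *lusername)
{
    return strchr(lusername, '-') != NULL;
}

/* The test as it appears in the quoted patch.  The cast to uintptr_t only
 * keeps the compiler from warning; the effect is the same as the patch:
 * the pointer VALUE is compared with 0x2d, which never matches, so nothing
 * is ever rejected. */
int reject_pointer_compare(const char *lusername)
{
    return (uintptr_t)lusername == (uintptr_t)'-';
}

/* What the patch evidently intended: look at the first character only. */
int reject_leading_dash(const char *lusername)
{
    return lusername[0] == '-';
}

/* Stricter allowlist (beyond the thread): first character must be
 * alphanumeric, the rest alphanumeric or one of "-_.", length bounded.
 * Leading blanks, control characters and an empty name are all refused,
 * so the check holds regardless of what login(1) would skip over. */
int reject_unless_safe(const char *lusername)
{
    size_t i, n = strlen(lusername);

    if (n == 0 || n > MAX_NAME)
        return 1;
    if (!isalnum((unsigned char)lusername[0]))
        return 1;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)lusername[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample names: a normal user, the user from the thread,
     * an option-looking name, and one with a leading blank */
    const char *names[] = { "john", "star-net", "-f", " -f", "" };
    size_t i;

    printf("%-10s %-8s %-8s %-8s %-8s\n",
           "name", "strchr", "ptrcmp", "first", "strict");
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-10s %-8d %-8d %-8d %-8d\n", names[i],
               reject_dash_anywhere(names[i]),
               reject_pointer_compare(names[i]),
               reject_leading_dash(names[i]),
               reject_unless_safe(names[i]));
    return 0;
}
```

Run it and the `ptrcmp` column is 0 for every name, including "-f": that column is the patch as posted. The `first` column is the fix the reply asks for, and `strict` is the version to reach for when you would rather not reason about the option parser on the other side of the exec.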