Date:      Fri, 4 Jan 2002 16:51:19 +1100
From:      "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: nologin hole?
Message-ID:  <20020104165117.A14133@squeaky.robbins.dropbear.id.au>
In-Reply-To: <E16MLol-000FEJ-00@f8.mail.ru>; from podkorytov@mail.ru on Fri, Jan 04, 2002 at 07:18:55AM +0300
References:  <E16MLol-000FEJ-00@f8.mail.ru>

On Fri, Jan 04, 2002 at 07:18:55AM +0300, podkorytov@mail.ru wrote:

> 1. In case of breaking this script, the user has root access to the system. (See man
> sh, key -p)

The -p option doesn't magically grant root privileges. It simply tells the
shell not to use environment variables and ~/.profile.

> PS: on FreeBSD v.4.1 ps -x doesn't show programs that are
> running code in function Exit(), called from atexit(Exit).
> Is it a bug? I used the top command to view the PID of NoLogin.

I can't reproduce this on -CURRENT.

What I can't figure out is why /sbin/nologin is a shell script at all, and
not something like this:

#include <stdlib.h>
#include <sysexits.h>
#include <unistd.h>

int main (void)
{
#define MSG "This account is currently not available.\n"
	/* Print the refusal straight to stderr: no shell, no environment, no rc files. */
	write (STDERR_FILENO, MSG, sizeof(MSG) - 1);
	/* EX_UNAVAILABLE (69) from <sysexits.h>: the requested service is unavailable. */
	exit (EX_UNAVAILABLE);
}

It seems wasteful and possibly dangerous to start a shell.


Tim
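As an added example, not part of Tim's message or of FreeBSD's own nologin: a C version of the same idea, with the write made robust against EINTR and partial writes and the core split into a function so the exit status and the emitted text can be checked without running a login. The names nologin_run and write_all are assumptions made here.

```c
/* Added example, not code from the original message or from FreeBSD.
 * A nologin written in C: nothing is read from the environment or from
 * any rc file, which is the point of replacing the shell script. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>

#define NOLOGIN_MSG "This account is currently not available.\n"

/* Write the whole buffer to fd, retrying on EINTR and on partial writes.
 * Returns 0 on success, -1 if the descriptor is unusable. */
static int write_all(int fd, const char *buf, size_t len)
{
	while (len > 0) {
		ssize_t n = write(fd, buf, len);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		buf += (size_t)n;
		len -= (size_t)n;
	}
	return 0;
}

/* Core of nologin (hypothetical name): emit the message on fd and report
 * EX_UNAVAILABLE.  The status is the same whether or not the write
 * succeeds, so a closed stderr cannot turn a refused login into a
 * "successful" one. */
int nologin_run(int fd)
{
	(void)write_all(fd, NOLOGIN_MSG, strlen(NOLOGIN_MSG));
	return EX_UNAVAILABLE;
}

int main(void)
{
	return nologin_run(STDERR_FILENO);
}
```

Compile with `cc -o nologin nologin.c` and install it as the login shell of locked accounts; the test below feeds it a pipe instead of stderr to check both the text and the status.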

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020104165117.A14133>