Date: Mon, 31 May 1999 13:55:00 +0200
From: Ladavac Marino <mladavac@metropolitan.at>
To: 'Doug White' <dwhite@resnet.uoregon.edu>, Gustavo Lozano Ibarra <glozano@academ02.maz.itesm.mx>
Cc: freebsd-questions@FreeBSD.ORG
Subject: RE: checking a password when I am not root
Message-ID: <55586E7391ACD211B9730000C110027617962D@r-lmh-wi-100.corpnet.at>

> -----Original Message-----
> From: Doug White [SMTP:dwhite@resnet.uoregon.edu]
> Sent: Saturday, May 29, 1999 1:21 AM
> To: Gustavo Lozano Ibarra
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: checking a password when I am not root
>
> Make the tcl script suid root too?

[ML] I would advise against it (you cannot make a script suid under FreeBSD, and suid root tclsh is a suicide. suidperl is something else :) You can make a suid root executable which checks a password (it should expect a password on stdin and exit success if it matched, otherwise fail--do not use arguments for password passing as ps will show them) and call this script from tcl library. This way you do not even have to code the actual tcl lib part in C--tcl will do.

> You can always drop privileges once you have your password check.

[ML] It is way better to delegate this to an external executable. tcl does not do the perl kind of taint checking. Furthermore, there will be no possibility for a cracker to harvest encrypted passwords from the memory image which could possibly be done with suid tclsh.

> Doug White
> Internet: dwhite@resnet.uoregon.edu | FreeBSD: The Power to Serve
> http://gladstone.uoregon.edu/~dwhite | www.freebsd.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
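
Added example, not part of the original message: the calling side of the convention [ML] describes (password on the helper's stdin, verdict in the exit status, nothing secret in argv), written in C. The name check_via_helper and the one-line input format are assumptions; the suid helper itself is not shown.

```c
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run helper_argv[0] with `password` on its stdin (never in argv, so it
 * cannot show up in ps output).
 * Returns 1 if the helper exits 0 (match), 0 on any other outcome of a
 * started helper (fail closed), -1 if pipe or fork could not be set up. */
int check_via_helper(char *const helper_argv[], const char *password)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                         /* child: becomes the helper */
        if (fds[0] != STDIN_FILENO) {
            dup2(fds[0], STDIN_FILENO);     /* read end of pipe -> stdin */
            close(fds[0]);
        }
        close(fds[1]);
        execv(helper_argv[0], helper_argv);
        _exit(127);                         /* exec failed: counts as no match */
    }

    close(fds[0]);
    /* The helper may exit without reading; do not die on SIGPIPE. */
    void (*old_handler)(int) = signal(SIGPIPE, SIG_IGN);
    ssize_t w1 = write(fds[1], password, strlen(password));
    ssize_t w2 = write(fds[1], "\n", 1);    /* assumption: helper reads one line */
    close(fds[1]);                          /* EOF for the helper */
    signal(SIGPIPE, old_handler);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    if (w1 < 0 || w2 < 0)
        return 0;                           /* password was never delivered */
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

In Tcl the equivalent is exec with `<< $password` supplying stdin, wrapped in catch, since exec raises an error on a non-zero exit status.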