From owner-freebsd-security Sun Feb 11 16:10:09 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA13252 for security-outgoing; Sun, 11 Feb 1996 16:10:09 -0800 (PST)
Received: from rocky.sri.MT.net (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id QAA13233 for ; Sun, 11 Feb 1996 16:10:05 -0800 (PST)
Received: (from nate@localhost) by rocky.sri.MT.net (8.6.12/8.6.12) id RAA17658; Sun, 11 Feb 1996 17:12:39 -0700
Date: Sun, 11 Feb 1996 17:12:39 -0700
From: Nate Williams
Message-Id: <199602120012.RAA17658@rocky.sri.MT.net>
To: Michael Constant
Cc: freebsd-security@freebsd.org
Subject: Re: sliplogin hole?
In-Reply-To: <199602112322.PAA13282@zarquon.hip.berkeley.edu>
References: <199602112322.PAA13282@zarquon.hip.berkeley.edu>
Sender: owner-security@freebsd.org
Precedence: bulk

> This applies to 2.1-RELEASE, which is what I'm running. Forgive me if
> it has been fixed in -current; I haven't seen anything on freebsd-security
> about it, though.
>
> The sliplogin(8) manpage recommends using lines of the following form
> in /etc/sliphome/slip.hosts:
>
> Sfoo `hostname` foo netmask
>
> The problem with this is that the `hostname` portion is passed directly
> to the shell, without any processing -- as root. This means J. Random
> Slip-User can create a script called ~/bin/hostname that does whatever
> he wants, and (as long as ~/bin is before /bin in his path) his script
> will be run as root the next time he types "sliplogin foo".

Except that the path supplied to sliplogin is the standard unix path (PATH=:/bin:/usr/bin), which doesn't use anything from the user's home directory (unless it was explicitly set in the shell script).

Also, if you are concerned about security, you don't allow your slip-login users to create/modify any of their slip files, which is easy to do as long as you don't give them the same uid's for both shell login and slip login accounts and use paranoid permissions on both accounts.

Nate
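
As an added example (not part of the original messages, and not sliplogin's own code): a POSIX sh audit for the two things this exchange turns on, backquoted commands in slip.hosts that are not named by absolute path, and PATH elements that do not name a fixed directory. The function names and the `Sbar` sample line are constructed for illustration; the `Sfoo` line and the PATH string are the ones quoted above.

```shell
#!/bin/sh
# Added example. The slip.hosts lines below are constructed sample data.

# Print a slip.hosts-style sample: the form from the quoted manpage text
# and a constructed variant that names the binary by absolute path.
sample_slip_hosts() {
    cat <<'EOF'
Sfoo `hostname` foo netmask
Sbar `/bin/hostname` bar netmask
EOF
}

# Read slip.hosts-style text on stdin; print "LINE: COMMAND" for every
# backquoted command whose first word is not an absolute path, i.e. one
# that the root shell will look up through PATH.
backtick_findings() {
    awk '{
        line = $0
        while (match(line, /`[^`]*`/)) {
            cmd = substr(line, RSTART + 1, RLENGTH - 2)
            split(cmd, w, " ")
            if (w[1] !~ /^\//) print NR ": " w[1]
            line = substr(line, RSTART + RLENGTH)
        }
    }'
}

# Print one finding per PATH element that does not name a fixed directory:
# an empty element (leading, trailing or doubled colon) means the current
# directory, and a relative element depends on the current directory too.
path_findings() {
    # Pad with colons so empty first/last elements survive field splitting.
    printf '%s\n' ":$1:" | awk -F: '{
        for (i = 2; i < NF; i++) {
            if ($i == "") print "empty element (current directory)"
            else if ($i !~ /^\//) print "relative element: " $i
        }
    }'
}

sample_slip_hosts | backtick_findings
path_findings ':/bin:/usr/bin'
```

On a real system, feed `backtick_findings` the contents of /etc/sliphome/slip.hosts and pass `path_findings` the PATH that the login script actually runs with.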