Date: Mon, 23 Feb 2004 12:39:03 -0800 From: Tim Kientzle <tim@kientzle.com> To: John Baldwin <jhb@freebsd.org> Cc: Colin Percival <colin.percival@wadham.ox.ac.uk> Subject: Re: What to do about nologin(8)? Message-ID: <403A64E7.4020607@kientzle.com> In-Reply-To: <200402231516.16586.jhb@FreeBSD.org> References: <6.0.1.1.1.20040223171828.03de8b30@imap.sfu.ca> <1077566329.24177.3.camel@herring.nlsystems.com> <200402231516.16586.jhb@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
John Baldwin wrote:
> On Monday 23 February 2004 02:58 pm, Doug Rabson wrote:
>
>>On Mon, 2004-02-23 at 17:45, Colin Percival wrote:
>>
>>> For security reasons, nologin(8) must be statically linked;
>>>as a result, adding logging has increased the binary size ...
>>
>>How about:
>>
>>7: Use 'system("logger ...") to log the failed login?
>
> Wouldn't that be subject to the same LD_LIBRARY_PATH concerns since logger is
> dynamically linked and you could trojan it's libc?
Not if nologin clears the environment first.
Related to this, I think I've found a solution to
the underlying problem: ignore login's "-p"
option if the user shell isn't in /etc/shells.
This blocks environment-poisoning attacks against
nologin via /usr/bin/login.
With this change, it might even be possible to go
back to the shell script version of nologin.
Tim Kientzle
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?403A64E7.4020607>