Skip site navigation (1)Skip section navigation (2) 
Date:      Fri,  3 Nov 1995 16:03:36 +0300 (MSK)
From:      =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= (aka Andrey A. Chernov, Black Mage) <ache@astral.msk.su>
To:        Peter Wemm <peter@jhome.DIALix.COM>
Cc:        CVS-commiters@freefall.freebsd.org, security@freebsd.org
Subject:   Re: cvs commit: CVSROOT log_accum.pl
Message-ID:  <hCeCXcmO4C@ache.dialup.demos.ru>
In-Reply-To: <Pine.BSF.3.91.951102214104.2078D-100000@jhome.DIALix.COM>; from Peter Wemm at Thu, 2 Nov 1995 21:54:51 %2B0800 (WST)
References:  <Pine.BSF.3.91.951102214104.2078D-100000@jhome.DIALix.COM>
next in thread | previous in thread | raw e-mail | index | archive | help 
In message <Pine.BSF.3.91.951102214104.2078D-100000@jhome.DIALix.COM>
    Peter Wemm writes:

>On Thu, 2 Nov 1995, =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= wrote:
>> In message <Pine.BSF.3.91.951102192412.2078B-100000@jhome.DIALix.COM>
>>     Peter Wemm writes:
>> 
>> >Maybe the setlogin() call should only work for processes that are the 
>> >session leader rather than just "one of many in the session"?
>> 
>> It is definitely so, and check for session leader must be added
>> to setlogin syscall.
>> Even manpage says that setlogin affects only _current_ session.
>> 
>> Proposed fix:
>> 
>> *** kern_prot.c.bak	Thu Nov  2 16:05:11 1995
>> --- kern_prot.c	Thu Nov  2 16:08:29 1995
>> ***************
>> *** 623,628 ****
>> --- 623,630 ----
>>   {
>>   	int error;
>>   
>> + 	if (!SESS_LEADER(p))
>> + 		return (EPERM);
>>   	if ((error = suser(p->p_ucred, &p->p_acflag)))
>>   		return (error);
>>   	error = copyinstr((caddr_t) uap->namebuf,

>This is a pretty brutal fix.. :-)  I think we'd better check what's going 
>to break first before we do this.  inetd will need to be modified first 
>and installed before the kernel is patched or all hell could break loose.

Well, here list of programs which calls setlogin:

init
rexecd
rshd
login

After your inetd fix what else can be affected with my patch?
Setlogin isn't suppose to do group operation, i.e. mass login id changes,
and must affect only current session.
It must be applied in any case, independently what can be affected,
according to manpage (and common sense too). Moreover, when it will be
applied, it will be easy to find, what is affected and fix it.

-- 
Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
ache@astral.msk.su       : That any beholder  /Might fancy me dead -
http://dt.demos.su/~ache : Might start at beholding me,  /Thinking me dead.
RELCOM Team,FreeBSD Team :         E.A.Poe         From "For Annie" 1849

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?hCeCXcmO4C>