Date:      Mon, 23 Feb 2004 10:32:16 -0800
From:      Tim Kientzle <tim@kientzle.com>
To:        David Schultz <das@FreeBSD.ORG>
Cc:        kientzle@acm.org
Subject:   Re: cvs commit: src/sbin/nologin Makefile nologin.c
Message-ID:  <403A4730.80302@kientzle.com>
In-Reply-To: <20040223075448.GA59307@VARK.homeunix.com>
References:  <200402221003.i1MA3PW0024791@repoman.freebsd.org> <403944D8.6050107@kientzle.com> <20040223025647.GA43467@VARK.homeunix.com> <40397824.3080607@kientzle.com> <20040223052110.GA58255@VARK.homeunix.com> <40399858.8060506@kientzle.com> <20040223075448.GA59307@VARK.homeunix.com>

David Schultz wrote:
> On Sun, Feb 22, 2004, Tim Kientzle wrote:
>>
>>Is there any reason why "login -p" should be permitted
>>if the user's shell is not listed in /etc/shells ?
>>
>>chpass already enforces a clear distinction between
>>"standard" and "non-standard" shells.  It seems reasonable
>>for login(1) to also be aware of that distinction.
> 
> I suppose the same reasoning would also apply to su and sshd,
> although it's not such a big deal for sshd anymore.

su already enforces restrictions on non-standard shells.

>  Since
> nonstandard shells are generally intended to restrict the
> abilities of a user, it would be nice if those shells always
> operated in a sanitized environment. 

The attached patch implements this suggestion.
I just copied "chshell" from su (shouldn't some version
of this be in libc?) and made the obvious change.

If you could test this (you seem to already have
the exploit code in place), I'd much appreciate it.
If it works as advertised and no one objects,
please commit.

Tim Kientzle

--------------070207070506060405090704
Content-Type: text/plain;
 name="kientzle-login.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="kientzle-login.diff"

Index: login.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/login/login.c,v
retrieving revision 1.98
diff -r1.98 login.c
86a87
> static int		 chshell(const char *);
468c469,471
< 	 * preservation - but preserve TERM in all cases
---
> 	 * preservation or the user has a non-standard shell.  In
> 	 * particular, this prevents environment-poisoning exploits
> 	 * against nologin scripts.  Preserve TERM in all cases.
471c474
< 	if (!pflag)
---
> 	if (!pflag || !chshell(shell))
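
Review bot: with `if (!pflag || !chshell(shell))`, a user whose shell is not listed in /etc/shells now has `-p` silently ignored, and nothing in this patch documents that, since it touches only login.c. The `-p` entry in the login(1) manual page should state that the environment is preserved only for shells listed in /etc/shells. It is also worth confirming that `shell` already holds its final value at this point, because chshell() matches it with an exact strcmp() against each entry.
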
936a940,959
> 
> /*
>  * Return TRUE if the shell is a "standard" shell.
>  * (That is, one listed in /etc/shells.)
>  */
> static int
> chshell(const char *sh)
> {
>         int r;
>         const char *cp;
> 
>         r = 0;
>         setusershell();
>         while ((cp = getusershell()) != NULL && !r)
>             r = (strcmp(cp, sh) == 0);
>         endusershell();
>         return r;
> }
> 
> 
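
Review bot: the loop condition `(cp = getusershell()) != NULL && !r` tests `!r` only after fetching the next entry, so one extra entry is read after a match; testing `!r` first, or breaking out on the match, would be clearer. The function body is indented with spaces while the other added lines in this patch use tabs. Because this is a copy of the helper in su, the name `chshell` does not say what the return value means; a name such as `is_standard_shell` (a hypothetical name) would make `!chshell(shell)` at the call site easier to read, and a single shared copy would keep the two from drifting apart.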

--------------070207070506060405090704--


