Date:      Tue, 15 May 2001 09:11:37 +0800 (SGT)
From:      Chan Tur Wei <twchan@singnet.com.sg>
To:        <stable@FreeBSD.org>
Subject:   Re: .login_conf can overwrite values from /etc/login.conf
Message-ID:  <20010515083813.L42639-100000@zaapth.twnet.org>
In-Reply-To: <3AFFE691.A3771505@magpage.com>

Hi,

Thanks for pointing out that part of the man page.  I played around with it
some more, and found out that even if /etc/login.conf has filesize-max, the
user can override that setting with his .login_conf.

What I'm essentially discovering is that the user is not restricted to the
"me" keyword in the .login_conf.  If he knows his user class, or knows that
the system includes the 'default' keyword for his class settings, he can
always override the system's settings by using the 'default:' record in his
.login_conf.

A little dramatized example: twchan's shell is set to /sbin/nologin, but he
previously had already set the following in his .login_conf:

	#me:\
	#	:charset=iso-8859-1:\
	#	:lang=de_DE.ISO_8859-1:

	default:\
		:shell=/bin/tcsh:\
		:ignorenologin=1:

The /sbin/nologin is defeated in this case.

Searching through the source, I find the root of the "problem":
login_getclassbyname() in /usr/src/lib/libutil will always pick up
~/.login_conf before /etc/login.conf, for all class capability queries, and
is not restricted to the "me" class.  Thus if a user has a .login_conf with
all the correct class records, e.g. 'default', then he effectively is in
control of the login class capabilities.


Regards

  -T.W.Chan-


On Mon, 14 May 2001, Daniel Frazier wrote:

> Date: Mon, 14 May 2001 10:07:13 -0400
> From: Daniel Frazier <dfrazier@magpage.com>
> To: Chan Tur Wei <twchan@singnet.com.sg>
> Cc: stable@FreeBSD.ORG
> Subject: Re: .login_conf can overwrite values from /etc/login.conf
>
> Chan Tur Wei wrote:
> >
> > Hi,
> >
> > Not sure if this has been brought up before, but .login_conf can apparently
> > overwrite values in the system's /etc/login.conf.
> >
> <snip>
> >
> > Is this really the intended effect?  It feels like a big bug to me...
> >
>
> from man login.conf...
>
>   The current (soft) limit is the one normally used, although the user
>   is permitted to increase the current limit to the maximum (hard) limit.
>   The maximum and current limits may be specified individually by
>   appending a -max or -cur to the capability name.
>
> so unless you have filesize-max defined in /etc/login.conf the user
> will be able to increase it in their ~/.login.conf.  Not sure if
> there's an *implied* someresource-max if someresource(-cur implied)
> is defined.
>
> --
> ----------------------------------------------------------------------
> Daniel Frazier  <dfrazier@magpage.com>   Tel:  302-239-5900 Ext. 231
> Systems Administrator                    Fax:  302-239-3909
> MAGPAGE, We Power the Internet           WWW:  http://www.magpage.com/
>
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
>         - Benjamin Franklin, Historical Review of Pennsylvania, 1759.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
>
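
A defensive check for the behaviour described in the message, added here as an example and not part of the original e-mail or of FreeBSD: it reports every record in a user's ~/.login_conf whose name is not "me". The function names, the script name and the simplified getcap-style parsing are assumptions.

```shell
#!/bin/sh
# Added example: flag per-user ~/.login_conf records that are not named "me".

# list_records FILE: print each name of every active record in a getcap-style
# file. Backslash-newline continuations are joined first, then records that
# are empty or start with '#' are dropped (simplified parser, an assumption).
list_records() {
    awk '{
        line = rec $0
        if (line ~ /\\$/) { rec = substr(line, 1, length(line) - 1); next }
        rec = ""
        if (line == "" || line ~ /^#/) next
        name = line; sub(/:.*/, "", name)      # names precede the first ":"
        n = split(name, alt, "|")              # "a|b|c" are alternative names
        for (i = 1; i <= n; i++) print alt[i]
    }' "$1"
}

# audit_login_conf HOME: print "FILE: NAME" for each record name other than "me".
audit_login_conf() {
    f="$1/.login_conf"
    [ -f "$f" ] || return 0
    list_records "$f" | while IFS= read -r name; do
        [ "$name" = "me" ] || printf '%s: %s\n' "$f" "$name"
    done
}

# write_sample HOME: recreate the .login_conf quoted in the message above.
write_sample() {
    cat > "$1/.login_conf" <<'EOF'
#me:\
#	:charset=iso-8859-1:\
#	:lang=de_DE.ISO_8859-1:

default:\
	:shell=/bin/tcsh:\
	:ignorenologin=1:
EOF
}

# Usage: sh audit.sh /home/*   (script name and home layout are assumptions)
for h in "$@"; do audit_login_conf "$h"; done
```

Run against the sample from the message, it prints one line naming the `default` record; a file containing only a `me` record produces no output.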

