Date:      Mon, 23 Feb 2004 15:16:16 -0500
From:      John Baldwin <jhb@FreeBSD.org>
To:        current@FreeBSD.org
Cc:        Colin Percival <colin.percival@wadham.ox.ac.uk>
Subject:   Re: What to do about nologin(8)?
Message-ID:  <200402231516.16586.jhb@FreeBSD.org>
In-Reply-To: <1077566329.24177.3.camel@herring.nlsystems.com>
References:  <6.0.1.1.1.20040223171828.03de8b30@imap.sfu.ca> <1077566329.24177.3.camel@herring.nlsystems.com>

On Monday 23 February 2004 02:58 pm, Doug Rabson wrote:
> On Mon, 2004-02-23 at 17:45, Colin Percival wrote:
> >    As anyone who reads cvs-all (or Mark Johnston's wonderful
> > summaries thereof) will know, I recently added logging into
> > nologin(8): Instead of simply printing an error message, it
> > now (via syslog) records the refused login attempt.
> >    For security reasons, nologin(8) must be statically linked;
> > as a result, adding logging has increased the binary size by
> > slightly over 100K (on i386).  For historical reasons (which
> > is to say, "nobody seems to know why"), nologin is located in
> > /sbin, which means that this has a non-trivial effect upon
> > the space used on the root partition.  Some people are unhappy
> > about this.
> >    I can see a number of possible options; I'd like to hear
> > opinions on which would be the best.
>
> How about:
>
> 7: Use 'system("logger ...")' to log the failed login?

Wouldn't that be subject to the same LD_LIBRARY_PATH concerns since logger is 
dynamically linked and you could trojan its libc?

-- 
John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org
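
The concern raised above, as an added example that is not part of the original message or of FreeBSD's nologin source: system(3) passes the caller's whole environment to a dynamically linked child, so this sketch starts the helper with execve(2) and an environment from which the LD_* variables have been removed. The function names, the /usr/bin/logger path and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy src into dst (room for cap pointers, terminator included), dropping
 * every run-time linker variable (LD_LIBRARY_PATH, LD_PRELOAD, ...).
 * Entries that do not fit are dropped. Returns the number of entries kept. */
size_t scrub_env(char *const src[], char *dst[], size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; src[i] != NULL && n + 1 < cap; i++)
        if (strncmp(src[i], "LD_", 3) != 0)
            dst[n++] = src[i];
    dst[n] = NULL;
    return n;
}

/* Run a helper by absolute path with an explicit environment. Unlike
 * system(3), no shell is involved and nothing is inherited implicitly.
 * Returns the helper's exit status, or -1 on failure. */
int run_helper(const char *path, char *const argv[], char *const envp[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample environment, as an untrusted caller might set it. */
    char *untrusted[] = { "HOME=/nonexistent", "LD_LIBRARY_PATH=/tmp/x",
                          "LD_PRELOAD=/tmp/x/libc.so.7", "TZ=UTC", NULL };
    char *clean[8];
    char *argv[] = { "logger", "-p", "auth.notice", "refused login", NULL };

    printf("kept %zu entries\n", scrub_env(untrusted, clean, 8));
    return run_helper("/usr/bin/logger", argv, clean);  /* assumed path */
}
```

Passing a fixed, hand-built envp instead of a filtered copy is stricter still, since it does not depend on knowing every variable the run-time linker honors.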
