From owner-freebsd-current@FreeBSD.ORG Mon Feb 23 12:52:19 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3900216A4CF for ; Mon, 23 Feb 2004 12:52:19 -0800 (PST) Received: from mail3.speakeasy.net (mail3.speakeasy.net [216.254.0.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1C59B43D2F for ; Mon, 23 Feb 2004 12:52:19 -0800 (PST) (envelope-from jhb@FreeBSD.org) Received: (qmail 22027 invoked from network); 23 Feb 2004 20:52:18 -0000 Received: from dsl027-160-063.atl1.dsl.speakeasy.net (HELO server.baldwin.cx) ([216.27.160.63]) (envelope-sender ) encrypted SMTP for ; 23 Feb 2004 20:52:18 -0000 Received: from 10.50.40.205 (gw1.twc.weather.com [216.133.140.1]) by server.baldwin.cx (8.12.10/8.12.10) with ESMTP id i1NKqB28032200; Mon, 23 Feb 2004 15:52:11 -0500 (EST) (envelope-from jhb@FreeBSD.org) From: John Baldwin To: kientzle@acm.org Date: Mon, 23 Feb 2004 15:53:34 -0500 User-Agent: KMail/1.6 References: <6.0.1.1.1.20040223171828.03de8b30@imap.sfu.ca> <200402231516.16586.jhb@FreeBSD.org> <403A64E7.4020607@kientzle.com> In-Reply-To: <403A64E7.4020607@kientzle.com> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200402231553.34677.jhb@FreeBSD.org> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on server.baldwin.cx cc: current@freebsd.org cc: Colin Percival Subject: Re: What to do about nologin(8)? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2004 20:52:19 -0000 On Monday 23 February 2004 03:39 pm, Tim Kientzle wrote: > John Baldwin wrote: > > On Monday 23 February 2004 02:58 pm, Doug Rabson wrote: > >>On Mon, 2004-02-23 at 17:45, Colin Percival wrote: > >>> For security reasons, nologin(8) must be statically linked; > >>>as a result, adding logging has increased the binary size ... > >> > >>How about: > >> > >>7: Use 'system("logger ...") to log the failed login? > > > > Wouldn't that be subject to the same LD_LIBRARY_PATH concerns since > > logger is dynamically linked and you could trojan it's libc? > > Not if nologin clears the environment first. > > Related to this, I think I've found a solution to > the underlying problem: ignore login's "-p" > option if the user shell isn't in /etc/shells. > > This blocks environment-poisoning attacks against > nologin via /usr/bin/login. > > With this change, it might even be possible to go > back to the shell script version of nologin. My point (sigh) is that doing system("logger") has the same problem set as making nologin dynamic, so it's not a solution to the original problem. Also, personally, I would rather have nologin be static than fix the one known case of login -p and just hope no other cases pop up in the future. Call me paranoid. :) -- John Baldwin <>< http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve" = http://www.FreeBSD.org