Date: Thu, 26 Feb 2004 11:14:40 +0100
From: des@des.no (Dag-Erling Smørgrav)
To: kientzle@acm.org
Cc: das@freebsd.org
Subject: Re: Environment Poisoning and login -p
Message-ID: <xzpwu6a171r.fsf@dwp.des.no>
In-Reply-To: <403CEF67.5040004@kientzle.com> (Tim Kientzle's message of "Wed, 25 Feb 2004 10:54:31 -0800")
References: <403CEF67.5040004@kientzle.com>

Tim Kientzle <tim@kientzle.com> writes:
> There's been an ongoing discussion (started by
> Colin Percival's recent work on nologin) about
> environment-poisoning attacks via "login -p".
> [...]

You missed the obvious solution: remove login(1)'s setuid bit so it
only works if you are already root.

DES
-- 
Dag-Erling Smørgrav - des@des.no