Date:      Sat, 22 Sep 2001 15:17:52 +0400
From:      "Andrey A. Chernov" <ache@nagual.pp.ru>
To:        security@FreeBSD.ORG, rwatson@FreeBSD.ORG
Cc:        current@FreeBSD.ORG, developers@FreeBSD.ORG
Subject:   Re: ~/.login_conf disabling exact reasons wanted
Message-ID:  <20010922151752.B82718@nagual.pp.ru>
In-Reply-To: <20010922151116.A82718@nagual.pp.ru>
References:  <20010922143942.A82482@nagual.pp.ru> <20010922151116.A82718@nagual.pp.ru>

On Sat, Sep 22, 2001 at 15:11:17 +0400, Andrey A. Chernov wrote:
> If you mean his report in BUGTRAQ
> http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=215381&start=2001-09-19&end=2001-09-25
> 
> it is a hoax, we don't have such a vulnerability in -current as I test.
> Please TEST things before committing, especially to all branches.
> Please back it out.

Why is it a hoax? One reason is simple, look at his examples:

----------------------------------------------------
default: :copyright=/etc/master.passwd:

or

 :welcome=/etc/master.passwd:

in user's ~/.login_conf.
---------------------------------------------------

Only the "me" class can be defined in ~/.login_conf, anything else is ignored
there. And the "me" class is picked up only when permissions are set to user
mode, at the end of setusercontext(). And "copyright" and "welcome" are
not overwritable from the "me" class in any case.

-- 
Andrey A. Chernov
http://ache.pp.ru/
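
The rules stated in the message above, applied to a user's ~/.login_conf, as an added example that is not part of the original e-mail or of FreeBSD's libutil code. It assumes those rules exactly as the message gives them (only the "me" record is read, and "copyright" and "welcome" are never taken from it); the function names, the sample file and the simplified getcap(3)-style parsing (no escaped colons) are constructed for illustration.

```python
import re

# Per the message: these are never taken from the user's "me" class.
NOT_OVERRIDABLE = {"copyright", "welcome"}

# Constructed sample of a user's ~/.login_conf (not from the BUGTRAQ report).
SAMPLE = """\
# constructed sample
default:\\
    :copyright=/etc/master.passwd:
me:\\
    :welcome=/etc/master.passwd:\\
    :lang=ru_RU.KOI8-R:\\
    :charset=KOI8-R:
"""

def parse_records(text):
    """Parse getcap(3)-style text into a list of (names, {capability: value})."""
    joined = re.sub(r"\\\n\s*", "", text)      # join backslash-continued lines
    records = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        fields = line.split(":")               # simplification: no "\:" escapes
        names = [n.strip() for n in fields[0].split("|")]
        caps = {}
        for field in filter(None, (f.strip() for f in fields[1:])):
            parts = re.split(r"[=#]", field, maxsplit=1)
            caps[parts[0]] = parts[1] if len(parts) == 2 else True
        records.append((names, caps))
    return records

def audit(text):
    """Return (honoured, ignored) under the rules stated in the message."""
    honoured, ignored = {}, []
    for names, caps in parse_records(text):
        if "me" not in names:
            ignored.append(f"record {names[0]!r}: only 'me' is read from ~/.login_conf")
            continue
        for cap, value in caps.items():
            if cap in NOT_OVERRIDABLE:
                ignored.append(f"me:{cap}: not overridable from the 'me' class")
            else:
                honoured[cap] = value
    return honoured, ignored

if __name__ == "__main__":
    print(audit(SAMPLE))
```
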
