Date: Tue, 26 Nov 1996 19:24:03 -0700 (MST)
From: Marc Slemko
To: "Daniel O'Callaghan"
cc: hackers@freebsd.org
Subject: Re: Replacing sendmail (Re: non-root users binding to ports < 1024 (was: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2

...and one thing that many people don't consider is that having login
setuid root can make accounting based on wtmp files (and anything based
on utmp files) inaccurate.

e.g.

user@host$ w
 6:66PM  up 8 days,  6:66, 2 users, load averages: 6.66, 6.66, 6.66
USER     TTY FROM    LOGIN@  IDLE WHAT
user     p0  host    7:17PM     - w
user@host$ sh -c login
login: user2
Password:
user2@host$ exit
user@host$ w
 6:66PM  up 8 days,  6:66, 2 users, load averages: 6.66, 6.66, 6.66
USER     TTY FROM    LOGIN@  IDLE WHAT
user2    p0  -       7:17PM     - w
user@host$ last -2
user2    ttyp0            Tue Nov 26 19:18   still logged in
user     ttyp0    host    Tue Nov 26 19:17 - 19:18  (00:01)

On Tue, 26 Nov 1996, Daniel O'Callaghan wrote:

>
> > On Mon, 25 Nov 1996, Terry Lambert wrote:
> > > [ ... sendmail ... ]
> >
> > > It is also the most used/public suid program in the world, subject to
> > > the most scrutiny (and attack).
> >
> > login?
>
> Came up a couple of months ago.  login only needs to be suid root so
> someone can log in again by executing 'login' rather than logging out, or
> logging back in.  It also is a candidate for "set me suid root only if
> needed."
>
> Danny
>
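
Added example, not part of the original message: a check an accounting or audit script can run over wtmp-style records to spot the overwritten session shown in the `w`/`last` output above. The record layout, field names and sample data are constructed for illustration; treating an empty user name as a logout and a "~" line as a reboot/shutdown marker is a simplified model of the BSD wtmp convention.

```python
from collections import namedtuple

# Simplified wtmp record (assumed layout): a login carries a user name,
# a logout carries an empty one, and line "~" marks a reboot/shutdown.
Rec = namedtuple("Rec", "time line user host")

# Constructed sample mirroring the session in the message above.
SAMPLE = [
    Rec("19:17", "ttyp0", "user", "host"),    # real login over the network
    Rec("19:18", "ttyp0", "user2", ""),       # login run from inside that session
    Rec("19:40", "ttyp1", "alice", "host2"),  # unrelated session, closed properly
    Rec("19:55", "ttyp1", "", ""),            # explicit logout record
    Rec("20:01", "ttyp1", "bob", "host3"),    # clean reuse of the same line
]


def find_overwritten_sessions(records):
    """Return (line, hidden_user, new_user, time) for every login record that
    lands on a line whose previous session never received a logout record.

    `last` reads such a record as an implicit logout of the earlier user,
    which is why the first session above appears to end at 19:18.
    Records must be in chronological order.
    """
    open_by_line = {}
    findings = []
    for rec in records:
        if rec.line == "~":
            # Reboot/shutdown: every open session ended without a logout.
            open_by_line.clear()
            continue
        if rec.user == "":
            # Explicit logout closes whatever session was open on the line.
            open_by_line.pop(rec.line, None)
            continue
        prev = open_by_line.get(rec.line)
        if prev is not None:
            findings.append((rec.line, prev.user, rec.user, rec.time))
        open_by_line[rec.line] = rec
    return findings


if __name__ == "__main__":
    for line, hidden, new, when in find_overwritten_sessions(SAMPLE):
        print(f"{when} {line}: '{new}' logged in over open session of '{hidden}'")
```

A finding means time on that line after the second login may be charged to the wrong account; the empty host field on the second record, as in the FROM column above, is a further hint that login was run locally.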