Date: Fri, 27 Feb 2004 01:47:45 +0300
From: Andrey Chernov <ache@nagual.pp.ru>
To: Arne Schwabe <arne@rfc2549.org>
Cc: Colin Percival <colin.percival@wadham.ox.ac.uk>
Subject: Re: What to do about nologin(8)?
Message-ID: <20040226224744.GA73252@nagual.pp.ru>
In-Reply-To: <86hdxdapla.fsf@kamino.rfc1149.org>
References: <6.0.1.1.1.20040223171828.03de8b30@imap.sfu.ca> <20040223231219.GA83154@nagual.pp.ru> <86hdxdapla.fsf@kamino.rfc1149.org>

On Thu, Feb 26, 2004 at 03:21:37PM +0100, Arne Schwabe wrote:
> Andrey Chernov <ache@nagual.pp.ru> writes:
>
> > On Mon, Feb 23, 2004 at 05:45:07PM +0000, Colin Percival wrote:
> >> For security reasons, nologin(8) must be statically linked;
> >
> > What are those mystical reasons, exactly? I see none while it does not
> > have the s-bit set. At least -current /sbin is dynamically linked, so
> > nologin must be too.
>
> See for example: http://www.mindsec.com/files/5JP0H2A7PW.html

As I have already said many times, this is not a nologin problem, repeat,
no problem with nologin, _all_ 3rd party shells and scripts suffer because
of this, it should be fixed in the caller, not in the shell. Even if you
"fix" nologin, what home-made shell comes next?

-- 
Andrey Chernov | http://ache.pp.ru/