cvs commit: src/sbin/nologin Makefile nologin.c

Tim Kientzle tim at
Sun Feb 22 19:49:15 PST 2004

David Schultz wrote:
> On Sun, Feb 22, 2004, Tim Kientzle wrote:
>>Colin Percival wrote:
>>> Report login attempts to syslog.  Due to the statically-linked nature of
>>> nologin(8) ...
>>Why is nologin statically linked?
> Because of environment-poisoning attacks such as the following:
> 	das at VARK:~> setenv LD_LIBRARY_PATH /home/das/exploit
> 	das at VARK:~> \login -p test
> This attack was executed with a dynamically-linked /sbin/nologin
> and a special in the /home/das/exploit directory that
> replaces the _exit() stub with a routine that spawns a shell.

Hmmmm....  Several other solutions come immediately to mind:
   * Handle this in pam (or even in login)
     (Just check if the user's shell is /sbin/nologin and
     reject the login if it is.)
   * Install /sbin/nologin setuid nobody or setgid nogroup
     That would disable LD_LIBRARY_PATH processing for it.
   * Have login -p not pass LD_LIBRARY_PATH

Of these, the first is arguably the best, the second easiest
to implement.  The third I'm unsure about; I can't
really picture a scenario where login -p should pass
LD_LIBRARY_PATH, but that's hardly conclusive.

I agree, by the way, that there should be a way to
"mark" a program as ignoring LD_LIBRARY_PATH at
compile-time (other than making it setuid/setgid).

Tim Kientzle

More information about the cvs-src mailing list