What to do about nologin(8)?
John Baldwin
jhb at FreeBSD.org
Mon Feb 23 12:15:31 PST 2004
On Monday 23 February 2004 02:58 pm, Doug Rabson wrote:
> On Mon, 2004-02-23 at 17:45, Colin Percival wrote:
> > As anyone who reads cvs-all (or Mark Johnston's wonderful
> > summaries thereof) will know, I recently added logging into
> > nologin(8): Instead of simply printing an error message, it
> > now (via syslog) records the refused login attempt.
> > For security reasons, nologin(8) must be statically linked;
> > as a result, adding logging has increased the binary size by
> > slightly over 100K (on i386). For historical reasons (which
> > is to say, "nobody seems to know why"), nologin is located in
> > /sbin, which means that this has a non-trivial effect upon
> > the space used on the root partition. Some people are unhappy
> > about this.
> > I can see a number of possible options; I'd like to hear
> > opinions on which would be the best.
>
> How about:
>
> 7: Use 'system("logger ...") to log the failed login?
Wouldn't that be subject to the same LD_LIBRARY_PATH concerns since logger is
dynamically linked and you could trojan its libc?
--
John Baldwin <jhb at FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve" = http://www.FreeBSD.org
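
Added example, not part of the message above and not FreeBSD's nologin source: it contrasts a helper started with system(3), which inherits the caller's environment (including LD_LIBRARY_PATH), with one started through execve(2) using a fixed environment. The names run_inherited, run_clean, clean_env and PROBE, and the sample LD_LIBRARY_PATH value, are hypothetical; /bin/sh is assumed to exist.

```c
/* Added example; not FreeBSD's nologin source. All names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment: nothing is inherited from the login session. */
static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Probe command: exits 0 if LD_LIBRARY_PATH reached the child, 1 otherwise. */
#define PROBE "test -n \"$LD_LIBRARY_PATH\""

/* system(3): /bin/sh and whatever it runs inherit the caller's environment. */
int run_inherited(const char *cmd)
{
    int status = system(cmd);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* fork + execve with clean_env; absolute paths only, so no PATH search. */
int run_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')
        return -1;
    if ((pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                       /* exec failed */
    }
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *argv[] = { "sh", "-c", PROBE, NULL };

    setenv("LD_LIBRARY_PATH", "/tmp/constructed-example", 1); /* constructed */
    printf("system(): variable seen by child = %s\n", run_inherited(PROBE) == 0 ? "yes" : "no");
    printf("execve(): variable seen by child = %s\n", run_clean("/bin/sh", argv) == 0 ? "yes" : "no");
    return 0;
}
```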