What to do about nologin(8)?
John Baldwin
jhb at FreeBSD.org
Mon Feb 23 12:52:19 PST 2004
On Monday 23 February 2004 03:39 pm, Tim Kientzle wrote:
> John Baldwin wrote:
> > On Monday 23 February 2004 02:58 pm, Doug Rabson wrote:
> >>On Mon, 2004-02-23 at 17:45, Colin Percival wrote:
> >>> For security reasons, nologin(8) must be statically linked;
> >>>as a result, adding logging has increased the binary size ...
> >>
> >>How about:
> >>
> >>7: Use 'system("logger ...") to log the failed login?
> >
> > Wouldn't that be subject to the same LD_LIBRARY_PATH concerns since
> > logger is dynamically linked and you could trojan it's libc?
>
> Not if nologin clears the environment first.
>
> Related to this, I think I've found a solution to
> the underlying problem: ignore login's "-p"
> option if the user shell isn't in /etc/shells.
>
> This blocks environment-poisoning attacks against
> nologin via /usr/bin/login.
>
> With this change, it might even be possible to go
> back to the shell script version of nologin.
My point (sigh) is that doing system("logger") has the same problem set as
making nologin dynamic, so it's not a solution to the original problem.
Also, personally, I would rather have nologin be static than fix the one
known case of login -p and just hope no other cases pop up in the future.
Call me paranoid. :)
--
John Baldwin <jhb at FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve" = http://www.FreeBSD.org
More information about the freebsd-current
mailing list