What to do about nologin(8)?

Tim Kientzle tim at kientzle.com
Mon Feb 23 14:28:04 PST 2004


John Baldwin wrote:
> 
> My point (sigh) is that doing system("logger") has the same problem set as 
> making nologin dynamic ...

No, it doesn't.  Not if you make nologin static and
have it create a fresh environment before running
any external programs.  This would also be considerably
more compact than statically linking in the logging functions.

> Also, personally, I would rather have nologin be static than fix the one 
> known case of login -p and just hope no other cases pop up in the future.  
> Call me paranoid. :)

Armoring nologin(8) is insufficient.

In particular, as David Schultz pointed out, there are a lot
of home-grown nologin scripts out there that are potentially
vulnerable regardless of what we do with the "official"
nologin program.

Tim Kientzle


