What to do about nologin(8)?
Andrey Chernov
ache at nagual.pp.ru
Tue Feb 24 16:17:48 PST 2004
On Tue, Feb 24, 2004 at 10:27:58AM -0500, John Baldwin wrote:
> > Armoring nologin(8) is insufficient.
Yes.
> > In particular, as David Schultz pointed out, there are a lot
> > of home-grown nologin scripts out there that are potentially
> > vulnerable regardless of what we do with the "official"
> > nologin program.
>
> Then do both. :)
People, please be aware that it is not a nologin problem at all, so please
do not touch nologin in this direction. E.g. any 3rd party shell from ports
or any home-grown admin shells/scripts _generally_ suffer from this problem.
It means that login, telnetd, su etc., whatever logs in and calls the shell,
should be fixed to never pass LD_* variables to the shell. Don't pick one
particular shell (nologin) and think you are secure.
--
Andrey Chernov | http://ache.pp.ru/
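
The following is an added example, not part of the original message and not FreeBSD's actual code: a sketch of how a login-type program could drop LD_* variables before it executes the user's shell, as the message recommends. The function names `scrub_ld_env` and `env_count` and the sample environment are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a newly allocated, NULL-terminated array
 * holding every entry of envp except those whose name starts with "LD_".
 * Entries without '=' are malformed and are dropped as well.
 * The strings are shared with envp; the caller frees only the array.
 * Returns NULL if allocation fails. */
char **scrub_ld_env(char *const envp[])
{
    size_t n = 0, kept = 0;

    while (envp[n] != NULL)
        n++;
    char **out = calloc(n + 1, sizeof(*out));
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(envp[i], "LD_", 3) == 0)
            continue;               /* LD_PRELOAD, LD_LIBRARY_PATH, ... */
        if (strchr(envp[i], '=') == NULL)
            continue;               /* not NAME=value */
        out[kept++] = envp[i];
    }
    out[kept] = NULL;
    return out;
}

/* Hypothetical helper: number of entries in a NULL-terminated env array. */
size_t env_count(char *const envp[])
{
    size_t n = 0;
    while (envp[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample environment, as a remote client might supply it. */
    char *sample[] = { "TERM=xterm", "LD_PRELOAD=/tmp/x.so", "HOME=/home/u",
                       "LD_LIBRARY_PATH=/tmp", NULL };
    char **clean = scrub_ld_env(sample);
    if (clean == NULL)
        return 1;
    /* A login program would now call execve(shell, argv, clean). */
    for (size_t i = 0; clean[i] != NULL; i++)
        puts(clean[i]);
    free(clean);
    return 0;
}
```

Because the filtering happens in the program that starts the shell, it covers nologin, shells from ports and home-grown scripts alike.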