[1363] in linux-security and linux-alert archive
[linux-security] Re: Buffer overflow in Linux's login program
daemon@ATHENA.MIT.EDU (Jon Peatfield)
Mon Dec 23 13:43:37 1996
To: linux-security@redhat.com
cc: jp107@damtp.cam.ac.uk
In-reply-to: Your message of "Mon, 23 Dec 1996 12:26:18 EST."
<199612231726.MAA10676@tarsier.cv.nrao.edu>
Date: Mon, 23 Dec 1996 18:17:00 +0000
From: Jon Peatfield <J.S.Peatfield@damtp.cam.ac.uk>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
> Interim fix: remove SUID bit on /bin/login: chmod a-s /bin/login
We always remove the suid bit on login on all our machines. 99.9% of users
don't use the login command once logged in, and anyway is messes up wtmp/utmp
entries. We havn't had a single complaint yet about login not being available.
Some day I really will do a survey to find out which programs actually need
setuid root. Very few I'd guess.
[Mod: Just remeber that while by itself suid but does not do much for login,
it tells ld.so to ignore LD_ variables which can be used to supply a fake
libc -- alex]