[1363] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Buffer overflow in Linux's login program

daemon@ATHENA.MIT.EDU (Jon Peatfield)
Mon Dec 23 13:43:37 1996

To: linux-security@redhat.com
cc: jp107@damtp.cam.ac.uk
In-reply-to: Your message of "Mon, 23 Dec 1996 12:26:18 EST."
             <199612231726.MAA10676@tarsier.cv.nrao.edu> 
Date: Mon, 23 Dec 1996 18:17:00 +0000
From: Jon Peatfield <J.S.Peatfield@damtp.cam.ac.uk>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

> Interim fix:  remove SUID bit on /bin/login:  chmod a-s /bin/login

We always remove the suid bit on login on all our machines.  99.9% of users 
don't use the login command once logged in, and anyway is messes up wtmp/utmp 
entries.  We havn't had a single complaint yet about login not being available.

Some day I really will do a survey to find out which programs actually need 
setuid root.  Very few I'd guess.

[Mod: Just remeber that while by itself suid but does not do much for login,
it tells ld.so to ignore LD_ variables which can be used to supply a fake
libc -- alex]


home help back first fref pref prev next nref lref last post