[2069] in linux-security and linux-alert archive
[linux-security] Re: /bin/login problem
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Sun Sep 6 22:20:18 1998
To: linux-security@redhat.com
Date: Fri, 4 Sep 1998 23:21:29 +0200 (MEST)
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
Eric Dedrick wrote:
[...]
> login: mistake
[...]
> a ps will show, among other things,
>
> 2333 /bin/login --mistake.
>
> Since some users accidentally type their password at the login prompt,
> this is a concern.

Some people are writing linux security and suggesting that login could
rewrite its argv to fix this. However, even if the string is just
momentarily visible, it should be considered a serious problem.

What we need to do is change the interface between getty and login.
But backward compatibility is also an issue.

For example we could do the following:

An adapted login can rewrite its argv as soon as possible. This to
remain compatible with getty's that don't know about the newer
interface.

If a new login finds "no_such_user" as its argument, it reads the
login name from an environment variable instead of from the argument
vector.

A getty needs to be configurable to do the new or the old stuff.

Anybody have a few spare hours on his hands?

Roger.

--
| The secret of success is sincerity. Once you can | R.E.Wolff@BitWizard.nl
| fake that, you've got it made. -- Jean Giraudoux | T: +31-15-2137555
-We write Linux device drivers for any device you may have! Call for a quote-
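
The interface proposed in this message, sketched from the login side as an added example (not code from the post or from any real login or getty). The variable name `GETTY_LOGIN_NAME` and the helper names are assumptions, and the name is read from `argv[1]` without option parsing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The post fixes only the sentinel "no_such_user"; the variable name is
 * an assumption made for this sketch. */
#define SENTINEL "no_such_user"
#define NAME_ENV "GETTY_LOGIN_NAME"    /* hypothetical */

/* Zero an argv string in place, keeping its length, so that ps no longer
 * shows what was typed at the prompt. */
static void scrub_arg(char *arg)
{
    volatile char *p = arg;
    while (*p != '\0')
        *p++ = '\0';
}

/* Copy the login name into name[len]. Returns 0 on success, -1 if no
 * usable name was supplied. Simplification: the name is taken from
 * argv[1]; option parsing is left out. */
int get_login_name(int argc, char **argv, char *name, size_t len)
{
    const char *src;
    int rc = -1;

    if (argc < 2 || len == 0)
        return -1;
    if (strcmp(argv[1], SENTINEL) == 0)
        src = getenv(NAME_ENV);        /* new getty: name is not in argv */
    else
        src = argv[1];                 /* old getty: name is in argv */

    if (src != NULL && *src != '\0' && strlen(src) < len) {
        memcpy(name, src, strlen(src) + 1);
        rc = 0;
    }
    if (src == argv[1])
        scrub_arg(argv[1]);            /* old path: shorten the exposure */
    return rc;
}

int main(int argc, char **argv)
{
    char name[64];
    if (get_login_name(argc, argv, name, sizeof name) != 0)
        return 1;
    printf("login name: %s\n", name);
    return 0;
}
```

On the old path the typed string is still visible until the scrub runs; only the sentinel path keeps it out of the argument vector entirely.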