[2070] in linux-security and linux-alert archive


[linux-security] Re: /bin/login problem

daemon@ATHENA.MIT.EDU (Wietse Venema)
Mon Sep 7 22:13:13 1998

To: linux-security@redhat.com
Date: Sun, 6 Sep 1998 22:12:44 -0400 (EDT)
In-Reply-To: <199809042121.XAA07939@cave.BitWizard.nl> from Rogier Wolff at "Sep 4, 98 11:21:29 pm"
From: wietse@porcupine.org (Wietse Venema)
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

Rogier Wolff:
> 
> Eric Dedrick wrote:
> [...]
> > login:  mistake
> [...]
> > a ps will show, among other things,
> > 
> > 2333 /bin/login --mistake.
> > 
> > Since some users accidentally type their password at the login prompt,
> > this is a concern.
> 
> Some people are writing linux security and suggesting that login could
> rewrite its argv to fix this. However even if the string is just
> momentarily visible, it should be considered a serious problem.
> 
> What we need to do is change the interface between getty and login.
> But backward compatibility is also an issue. 

SYSV4 getty (actually, the tty port monitor) selects the terminal
for readability, but does not actually read the login name. It then
execs the login program, after setting the TTYPROMPT environment
variable to notify the login program that the username is available
on stdin.

See my logdaemon utilities.

	Wietse
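
Added example, not part of the message above and not code from logdaemon: the login side of the hand-off described there, where a set TTYPROMPT means the name is read from stdin and so never appears in an argument vector that ps can show. The function names, the "last argument is the name" legacy fallback and the validation policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum name_source { NAME_NONE, NAME_FROM_STDIN, NAME_FROM_ARGV };

/* Assumed policy: non-empty, no leading '-', no blanks or control bytes. */
static int name_ok(const char *s)
{
    if (*s == '\0' || *s == '-') return 0;
    for (; *s; s++)
        if ((unsigned char)*s <= ' ' || *s == 0x7f) return 0;
    return 1;
}

/* ttyprompt is getenv("TTYPROMPT"); non-NULL means the name waits on `in`. */
enum name_source read_login_name(const char *ttyprompt, FILE *in, int argc,
                                 char **argv, char *out, size_t outlen)
{
    char line[256];
    const char *src = NULL;
    enum name_source from = NAME_NONE;
    if (ttyprompt != NULL) {
        if (fgets(line, sizeof line, in) == NULL) return NAME_NONE;
        size_t n = strcspn(line, "\r\n");
        if (line[n] == '\0' && n == sizeof line - 1)
            return NAME_NONE;            /* overlong line, refuse it */
        line[n] = '\0';
        src = line;
        from = NAME_FROM_STDIN;          /* never appeared in any argv */
    } else if (argc > 1) {
        src = argv[argc - 1];            /* legacy path: shows up in ps */
        from = NAME_FROM_ARGV;
    }
    if (src == NULL || !name_ok(src) || strlen(src) >= outlen)
        return NAME_NONE;
    strcpy(out, src);
    return from;
}

int main(int argc, char **argv)
{
    char name[64];
    enum name_source from = read_login_name(getenv("TTYPROMPT"), stdin,
                                            argc, argv, name, sizeof name);
    if (from == NAME_NONE) { puts("no usable name"); return 1; }
    printf("%s: %s\n", from == NAME_FROM_STDIN ? "stdin" : "argv", name);
    return 0;
}
```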
