[2072] in linux-security and linux-alert archive
[linux-security] Re: /bin/login problem
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Wed Sep 9 17:45:45 1998
In-Reply-To: <19980909014749.8EC9345BC4@spike.porcupine.org> from Wietse Venema at "Sep 8, 98 09:47:49 pm"
To: wietse@porcupine.org (Wietse Venema)
Date: Wed, 9 Sep 1998 18:28:40 +0200 (MEST)
Cc: linux-security@redhat.com
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
Wietse Venema wrote:
> Rogier Wolff:
> > Passing the string through a pipe works (I didn't find that "obvious":
> > The sending end of the pipe was written to by the same process, which
> > just exec-ed the reading program, and the writing end of the pipe is
> > closed by the time the read is performed)
>
> It seems much simpler to me to select the terminal for readability
> (i.e. until someone hits the ENTER key) and to notify the login
> program that it can find the name on STDIN instead of finding it
> on the command line.
>
> The TTYPROMPT environment variable used by SYSV4 does not pass
> sensitive info via the environment; it is just a flag to notify
> the login program that the login name is available on STDIN. All
> this requires minimal change to the login program: a getenv() call
> and setting a flag to force reading STDIN upon program startup.
>
> Yes, this means that you lose all those cutesy features of my agetty
> program. But login/getty code runs as root and is extremely security
> sensitive. Keep it simple, I'd say.
>
> Wietse
>
One of the classical "getty" features that you lose this way is
the autobauding that classical gettys perform. (i.e. read a
character, and change the baudrate whenever it's "bad")
Roger.
--
| The secret of success is sincerity. Once you can |R.E.Wolff@BitWizard.nl
| fake that, you've got it made. -- Jean Giraudoux | phone: +31-15-2137555
We write Linux device drivers for any device you may have! fax: ..-2138217
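
The login-side change Wietse describes (a getenv() call plus a flag that forces reading the name from STDIN), sketched as an added example that is not code from this thread or from any real login or agetty source. The helper names, the 32-character limit and the validation policy (rejecting empty names, control characters, spaces and names beginning with '-') are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <unistd.h>

#define LOGIN_NAME_LEN 32   /* assumed limit, not taken from the thread */

/* TTYPROMPT carries no data; its mere presence says "the name is on stdin". */
int name_is_on_stdin(void)
{
    return getenv("TTYPROMPT") != NULL;
}

/* Read one line from fd into buf (capacity len). Returns 0 if the name is
 * acceptable, -1 otherwise. Reads byte by byte so nothing past the newline
 * is consumed; the password prompt that follows must see its own input. */
int read_login_name(int fd, char *buf, size_t len)
{
    size_t n = 0;
    ssize_t r;
    char c;

    if (len == 0)
        return -1;
    buf[0] = '\0';
    while ((r = read(fd, &c, 1)) == 1 && c != '\n' && c != '\r') {
        if (n + 1 >= len || !isprint((unsigned char)c) || c == ' ')
            return -1;              /* too long, control char or space */
        buf[n++] = c;
    }
    buf[n] = '\0';
    if (r < 0 || n == 0 || buf[0] == '-')
        return -1;                  /* I/O error, empty, or option-like name */
    return 0;
}

int main(int argc, char **argv)
{
    char name[LOGIN_NAME_LEN + 1];
    const char *user = NULL;

    if (name_is_on_stdin()) {       /* getty left the name on the terminal */
        if (read_login_name(STDIN_FILENO, name, sizeof name) == 0)
            user = name;
    } else if (argc > 1 && argv[1][0] != '-') {
        user = argv[1];             /* legacy path: name on the command line */
    }
    if (user == NULL)
        return 1;
    /* authentication of `user` would continue here */
    return 0;
}
```
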