[651] in linux-security and linux-alert archive
Re: [linux-security] sliplogin hole explanation
daemon@ATHENA.MIT.EDU (Bryan Venable)
Tue Apr 2 18:08:25 1996
Resent-From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
Resent-To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0u3SHw-000RocC@hole.botik.ru>
From: Bryan Venable <spif@www.students.missouri.edu>
To: Yury Shevchuk <sizif@botik.ru>
cc: Olaf Kirch <okir@monad.swb.de>, linux-security@tarsier.cv.nrao.edu
Date: Mon, 1 Apr 1996 15:31:45 -0600 (CST)
On Sun, 31 Mar 1996, Yury Shevchuk wrote:
> Perhaps other people are wiser, but I had a couple of accounts with
> login shell set to /bin/false... which is a shell script! I tried
> your exploit, works great. :-(
>
> Of course, this particular hole is easy to fix: reimplement :)
> /bin/false in C, and you are safe. But in general, the
> environment-passing feature of telnet seems to me a real Pandora box.
> The recent LD_LIBRARY_PATH hole, now the ENV hole, ... are you using
> perl for custom login shells? what about PERLLIB then? I'm afraid any
> interpreter around has at least one environment variable that can be
> exploited this way or that.
sounds like an unnecessary hack to me. good ol' /dev/null does the trick for
us. in fact, I'm not sure how this whole thing applies to sliplogin...
sliplogin is an ELF binary (at least on my system), not a shell script.
Bryan Venable | Technical Coordinator | MU Student Server
spif@students.missouri.edu | (573) 882-9491 | 132A Neff Annex, MU Campus
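
Added example, not part of the original message or of any project it mentions: an audit of passwd(5) entries that reports whether each login shell is an ELF binary, an interpreter script, or a special file such as /dev/null, which is the distinction this thread turns on. The passwd lines and file tree are constructed, and `classify_shell`, `audit_passwd` and `demo` are names chosen for this example.

```python
import os
import stat
import tempfile

def classify_shell(path):
    """Return 'elf', 'script', 'special', 'missing' or 'other' for a login shell path."""
    try:
        st = os.stat(path)
    except OSError:
        return "missing"
    if not stat.S_ISREG(st.st_mode):
        return "special"          # e.g. a device node such as /dev/null
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == b"\x7fELF":
        return "elf"
    if head[:2] == b"#!":
        return "script"           # run by an interpreter that may honour env vars
    return "other"

def audit_passwd(passwd_text, root=""):
    """Return (user, shell, kind) per passwd(5) line; root is prefixed to shell paths."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue              # malformed entry, skip it
        user, shell = fields[0], fields[6] or "/bin/sh"  # empty field means /bin/sh
        findings.append((user, shell, classify_shell(root + shell)))
    return findings

def demo():
    """Build a constructed file tree and passwd sample, return the audit result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(root + "/bin")
        with open(root + "/bin/false", "wb") as fh:      # constructed: script variant
            fh.write(b"#!/bin/sh\nexit 1\n")
        with open(root + "/bin/sliplogin", "wb") as fh:  # constructed: ELF magic only
            fh.write(b"\x7fELF" + b"\0" * 12)
        passwd = ("guest:x:500:500::/home/guest:/bin/false\n"
                  "slip:x:501:501::/home/slip:/bin/sliplogin\n"
                  "gone:x:502:502::/home/gone:/bin/nosuch\n")
        return audit_passwd(passwd, root)

if __name__ == "__main__":
    for user, shell, kind in demo():
        print(f"{user:8} {shell:16} {kind}")
```

On a live system, call `audit_passwd(open("/etc/passwd").read())` and review every entry reported as `script`.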