[12186] in bugtraq
Problems with redhat 6 Xsession and pam.d/rlogin.
daemon@ATHENA.MIT.EDU (David Malone)
Fri Oct 8 19:43:19 1999
Message-Id: <199910071956.aa58337@salmon.maths.tcd.ie>
Date: Thu, 7 Oct 1999 19:56:46 +0100
Reply-To: David Malone <dwmalone@MATHS.TCD.IE>
From: David Malone <dwmalone@MATHS.TCD.IE>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
I've found two problems which seem to be present in RedHat 6.0 and RedHat 6.1.
They're not earthshatteringly bad, but...
1) Xsession on RedHat will start kde, gnome or anotherlevel
rather than running a user's .xsession file, if you choose
one of these from kdm. This is bad if you have account
which have a special shell and xsession which are supposed
to only allow one use of the account.
Maybe it would be sensible to check a user has a shell listed
in /etc/shells before starting a kde, gnome or anoterlevel
session for them.
2) In pam.d/rlogin allows you to log in, even if /etc/nologin
exists 'cos the line:
auth sufficient /lib/security/pam_rhosts_auth.so
is futher up the file than:
auth required /lib/security/pam_nologin.so
Easy to fix.
David.
