[4246] in bugtraq


Re: BoS: /etc/default/login LOCKOUT= creates arbitrary files (f

daemon@ATHENA.MIT.EDU (Eugene Bradley)
Tue Apr 8 16:24:31 1997

Date: 	Tue, 8 Apr 1997 08:30:48 +0000
Reply-To: ebradley@telesph.com
From: Eugene Bradley <ebradley@TELESPH.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.A32.3.93.970407161210.36092A-100000@navajo.gate.net>

I just tested this "LOCKOUT" variable hole in /etc/default/login
on my Solaris 2.5.1 box (with all relevant recommended & security
patches installed) -- no dice.

On 7 Apr 97 at 16:12, Illuminati Primus <vermont@GATE.NET> writes:

> Several modern unixes provide configuration options for security and logging
> in a file called /etc/default/login.  Irix, and I assume some others but
> perhaps it's an Irix invention, includes a variable "LOCKOUT" which causes an
> account with a specified number of incorrect login attempts in a row to be
> locked (one successful login resets the count).  This seems like a really good
> idea, especially if you set the variable high enough that no one would ever be
> locked out through mistakes whereas any automated password guessing program
> (which ran over the net by telnetting in) would be stopped.  Since one
> successful login clears the record, people are not able to accumulate the
> requisite number of failures over an extended period of time so as to be
> suddenly surprised one day.  It should be good, if not for the following
> serious security flaw, at least in Irix, checked in both 5.3 and 6.2.

[..deletia...]

> ajr <flaps@dgp.utoronto.ca>
--
Eugene Bradley
System Administrator, Telesphere Corporation--New York, NY
eugene.bradley@telesph.com
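The quoted post describes the LOCKOUT policy in general terms: lock an account after a configured number of consecutive failed logins, with one successful login resetting the count. The following is an added example, not code from the original post, from Irix or from Solaris, that models that policy so the behaviour can be checked: it parses a /etc/default/login-style file (assumed here to be shell-style KEY=VALUE lines with "#" comments), validates the LOCKOUT value instead of trusting it, and tracks consecutive failures per user. The config text, the user names and the LockoutTracker/run_sequence names are all constructed for the example.

```python
"""Model of a consecutive-failure login lockout, as described in the
quoted post.  Added example; not vendor code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the style of /etc/default/login (not a real file).
SAMPLE_CONFIG = """\
# constructed sample: login defaults
CONSOLE=/dev/console
LOCKOUT=10   # lock the account after ten consecutive failures
"""


def parse_default_login(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; '#' starts a comment, blank lines are skipped.
    Values are kept as raw strings so callers must validate them."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def lockout_threshold(settings: Dict[str, str], key: str = "LOCKOUT") -> Optional[int]:
    """Return the threshold as a positive int, or None when the variable is
    unset or malformed.  A malformed value is treated as 'lockout disabled'
    rather than silently turned into some other number."""
    value = settings.get(key)
    if value is None:
        return None
    try:
        n = int(value)
    except ValueError:
        return None
    return n if n > 0 else None


@dataclass
class LockoutTracker:
    """Per-user consecutive-failure counter with an optional lock threshold."""
    threshold: Optional[int]
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def attempt(self, user: str, success: bool) -> str:
        """Record one login attempt; returns 'ok', 'fail' or 'locked'."""
        if user in self.locked:
            # A locked account stays locked, even on a correct password,
            # until an administrator clears it.
            return "locked"
        if success:
            self.failures[user] = 0       # one successful login resets the count
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if self.threshold is not None and count >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "fail"

    def unlock(self, user: str) -> None:
        """Administrative reset of a locked account."""
        self.locked.discard(user)
        self.failures[user] = 0


def run_sequence(tracker: LockoutTracker, attempts: List[Tuple[str, bool]]) -> List[str]:
    """Feed a list of (user, success) events and return the outcome of each."""
    return [tracker.attempt(user, ok) for user, ok in attempts]


if __name__ == "__main__":
    threshold = lockout_threshold(parse_default_login(SAMPLE_CONFIG))
    tracker = LockoutTracker(threshold)
    # Nine mistakes followed by a good login: no lockout, counter reset.
    print(run_sequence(tracker, [("alice", False)] * 9 + [("alice", True)]))
    # Ten in a row: locked, and the later correct password is still refused.
    print(run_sequence(tracker, [("alice", False)] * 10 + [("alice", True)]))
```

The threshold is the whole policy: the post's point that it should be "high enough that no one would ever be locked out through mistakes" is exactly the tradeoff between stopping a password-guessing loop and letting a burst of failures deny a legitimate user their account, so a defender should log every transition into the locked state and review how often real users hit it.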
