Re: [linux-security] Buffer overflow in Linux's login program [Forwarded e-mail from Joe Zbiciak]
- From: Jon Peatfield <J S Peatfield damtp cam ac uk>
- To: linux-security redhat com
- Cc: jp107 damtp cam ac uk
- Subject: Re: [linux-security] Buffer overflow in Linux's login program [Forwarded e-mail from Joe Zbiciak]
- Date: Mon, 23 Dec 1996 18:17:00 +0000
> Interim fix: remove SUID bit on /bin/login: chmod a-s /bin/login

We always remove the suid bit on login on all our machines. 99.9% of users
don't use the login command once logged in, and anyway it messes up wtmp/utmp
entries. We haven't had a single complaint yet about login not being available.

Some day I really will do a survey to find out which programs actually need
setuid root. Very few I'd guess.

[Mod: Just remember that while by itself the suid bit does not do much for login,
it tells ld.so to ignore LD_ variables which can be used to supply a fake
libc -- alex]
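
A sketch of the survey mentioned in the message, together with the quoted interim fix and a check that it took effect. This is an added example, not part of the original mail; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: survey setuid executables and apply the "chmod a-s" interim
# fix with verification. Function names are hypothetical.

# suid_files DIR...
# Print every regular file under DIR that has the setuid bit set,
# without crossing into other mounted filesystems.
suid_files() {
    find "$@" -xdev -type f -perm -4000 -print 2>/dev/null
}

# suid_root_files DIR...
# Same survey, restricted to files owned by UID 0: the "setuid root"
# programs whose need for the bit is worth reviewing one by one.
suid_root_files() {
    find "$@" -xdev -type f -perm -4000 -user 0 -print 2>/dev/null
}

# drop_suid FILE
# Apply the interim fix from the quoted advisory (chmod a-s) and confirm
# that neither the setuid nor the setgid bit remains on the file.
drop_suid() {
    chmod a-s "$1" || return 1
    [ ! -u "$1" ] && [ ! -g "$1" ]
}

# When run as a script with directory arguments, print the setuid-root survey.
if [ "$#" -gt 0 ]; then
    suid_root_files "$@"
fi
```

Run it with the directories to survey as arguments, for example `/bin/ /sbin/ /usr/` (the trailing slash makes find descend when the path is a symlink).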