[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
[linux-security] Re: /bin/login problem
- From: R E Wolff BitWizard nl (Rogier Wolff)
- To: linux-security redhat com
- Subject: [linux-security] Re: /bin/login problem
- Date: Fri, 4 Sep 1998 23:21:29 +0200 (MEST)
Eric Dedrick wrote:
[...]
> login: mistake
[...]
> a ps will show, among other things,
>
> 2333 /bin/login --mistake.
>
> Since some users accidentally type their password at the login prompt,
> this is a concern.
Some people are writing linux security and suggesting that login could
rewrite its argv to fix this. However even if the string is just
momentarlily visible, it should be considered a serious problem.
What we need to do is change the interface between getty and login.
But backward compatibility is also an issue.
For example we could do the following:
An adapted login can rewrite its argv as soon as possible. This to
remain compatible with getty's that don't know about the newer
interface.
If a new login finds "no_such_user" as its argument, it reads the
login name from an environment variable instead of from the argument
vector.
A getty needs to be configurable to do the new or the old stuff.
Anybody have a few spare hours on his hands?
Roger.
--
| The secret of success is sincerity. Once you can | R E Wolff BitWizard nl
| fake that, you've got it made. -- Jean Giraudoux | T: +31-15-2137555
-We write Linux device drivers for any device you may have! Call for a quote-
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]