
[linux-security] Re: /bin/login problem



Rogier Wolff:
> 
> Eric Dedrick wrote:
> [...]
> > login:  mistake
> [...]
> > a ps will show, among other things,
> > 
> > 2333 /bin/login --mistake.
> > 
> > Since some users accidentally type their password at the login prompt,
> > this is a concern.
> 
> Some people are writing linux security and suggesting that login could
> rewrite its argv to fix this. However even if the string is just
> momentarily visible, it should be considered a serious problem.
> 
> What we need to do is change the interface between getty and login.
> But backward compatibility is also an issue. 

SYSV4 getty (actually, the tty port monitor) selects the terminal
for readability, but does not actually read the login name. It then
execs the login program, after setting the TTYPROMPT environment
variable to notify the login program that the username is available
on stdin.

See my logdaemon utilities.

	Wietse
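
A sketch of the hand-off described in the message above, as an added example (not code from the post or from the logdaemon utilities): the port-monitor side waits for input without reading it and execs login with an empty argument list, and the login side takes the name from stdin only when TTYPROMPT is set. The function names, the 64-byte name limit and the value given to TTYPROMPT are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>

/* Port-monitor side: block until the tty has input, without consuming it. */
int wait_readable(int fd) {
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, NULL) == 1 ? 0 : -1;
}

/* Port-monitor side: tty_fd is expected to be login's stdin (fd 0).
 * Nothing the user typed is placed in argv, so ps has nothing to show. */
int handoff(int tty_fd, const char *login_path) {
    if (wait_readable(tty_fd) != 0) return -1;
    /* Assumption: the variable's value is the prompt already shown. */
    if (setenv("TTYPROMPT", "login: ", 1) != 0) return -1;
    execl(login_path, "login", (char *)NULL);
    return -1; /* only reached if exec failed */
}

/* Login side: read one line byte by byte so nothing after the newline
 * (for example the password) is pulled into this buffer. */
int read_login_name(int fd, char *buf, size_t len) {
    size_t n = 0;
    char c;
    ssize_t r;
    while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
        if (n + 1 >= len) return -1; /* overlong name: reject, do not truncate */
        buf[n++] = c;
    }
    if (r < 0 || n == 0) return -1;
    buf[n] = '\0';
    return 0;
}

int main(void) {
    char name[64];
    if (getenv("TTYPROMPT") == NULL) {
        fputs("TTYPROMPT not set: no name waiting on stdin\n", stderr);
        return 1;
    }
    if (read_login_name(STDIN_FILENO, name, sizeof name) != 0) return 1;
    printf("authenticating %s (argv carries no user input)\n", name);
    return 0;
}
```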


