>>Here's the snippet from the Makefile where login is installed:
>> install -m4755 login $(LOGINDIR)/_login
>> install -m4711 login.secure $(LOGINDIR)/login
>>So how secure can it be that there are no sources.
I apologize. I am the author of the /bin/login replacement that is included
in the shadow-mk package. Mohan Kokal, the author of the shadow-mk package,
is not to blame. I had asked him not to distribute my (ugly) source. :-)
Quote:>Ok, I will now follow up on my earlier post about the shadow-mk
>I would advice anyone that has installed this package to remove it.
This is not necessary. The source for the binary in question will be
posted later this evening. I need to return to my linux box in order
to upload it. I do not have it readily available at the moment.
Quote:>I have received an email from someone who also noticed the
>installation of the login.secure binary, for which no source is
I will post the source to the /bin/login replacement that I wrote, and trust
on my own system. I did not realize that the net would grow so suspicious.
I should have known better. :-) After all, it could be snake oil, for
all the net knows. I realize now, especially after reading the files
focusing on security issues that were included with PGP, that it is *very*
important to make the source available to public scrutiny. Indeed, for
similar reasons, I do not trust Clipper encryption (aside from the gov't
I will also post the version of GCC with which is was compiled, the version
of libc with which it was compiled, and the compilation flags, so that
each person make verify that it is indeed the source from which that
binary was created. I will also have Mohan Kokal include the source in
future versions of the shadow-mk package.
In the meantime, I will detail how my patch works, and how it closes the
now well known hole:
My patch simply forces all argv elements beginning with a - to be no
longer than 2 characters long, by writing a 0 into the third position
after the dash. Thus, if a user tries login -froot, the "r" in root
would be overwritten, and the remainder, "oot", would be affectively
Furthermore, my patch addresses another security issue, the misuse of
the semi-documented -h switch, by disallowing anyone with a real uid greater
than 100 from using it.
Once all paramters have been patched, and the absence of -h is assured if
UID>100, all parameters are passed to an unmodified /bin/_login.
The new /bin/login is statically linked, using maximum optimizations,
and is stripped, to make the smallest possible binary.
Again, as I said, the source will be posted later this evening, along with
GCC version, libc version, optimization flags, and so on.
Quote:>In his correspondence with the author of this package, that author,
>in his helpfulness, asked for a temporary account on his machine, and
>having been denied that, asked for the password file. The emailer
>also told me he has observed the author of this package to be
>bragging about violating computer security.
To whom are you referring? Mohan Kokal may have a number of accounts on
various Linux boxes, for various reasons. If you are referring to one
of these accounts, please make known the circumstances in greater detail
than you have. This is an accusatory statement based on heresay and
Furthermore, "bragging about violating computer security" may be something
as simple as "whoa... on an older Linux box, I noticed a hole in crontab
that allowed such and such..." or "yeah, I used rlogin to gain root--that
old /bin/login was a joke."
I, as well as some others, I am certain, would like to see a factual basis
for this outright character assassination that you are making. I have no
reason to doubt that you may be able to support your statements. However,
I also have NO reason whatsoever to believe any of your closing statements.
--Joseph R. M. Zbiciak, System Administrator, Texas Networking Systems, Inc.
:- - cegt201.bradley.edu - -:
: - camelot.bradley.edu - :
If it works, Don't fix it. :-Finger for PGP Public Key-:
:======= DISCLAIMER: =======:
: He flamed me first! :