Fix for /bin/login security hole.

Fix for /bin/login security hole.

Post by Kyle Hasselbach » Fri, 20 May 1994 03:46:17



        I hacked up this little C program to strip out -f arguments to
login.  It seems to work after a couple tests, but be warned:  this is my
first time using exec*() of any kind.  If someone sees a problem with this,
please post.

------------ begin C program ---------
#include <string.h>
#include <stdio.h>

#define REAL_LOGIN "/sbin/real.login"

main(argc,argv)
     int argc;
     char *argv[];
{
  register int i;
  register int j = 0;
  char *logarg[argc];

  for (i = 0; i < argc ; i++)
    if (*argv[i] != '-' || *(argv[i] + 1) != 'f')
      logarg[j++] = strdup(argv[i]);
  while (j < argc)
    logarg[j++] = NULL;
  execv(REAL_LOGIN,logarg);

Quote:}

---------------- End C program -------------
        This is what this program is set up as on my system:

---x--s--x   1 root     shadow      10617 May 18 13:42 /bin/login*

        And this is where I moved the original /bin/login:

---x--S---   1 root     shadow      24352 May 18 13:42 /sbin/real.login*

        Looking at it now, it seems as if I need to make /bin/login SUID
root so that it can run real.login too.  Hmmm.

        Once again, this was a quick hack.  Please look at it carefully for
problems and let me know if you find any.  Hope this helps.
--
Kyle Hasselbacher            All programmers are playwrights.

 
 
 

1. Giant security hole - it's really /bin/login...

I hope ppl are convinced now the hole is in /bin/login and
not in telnetd or rlogind or getty. If you don't find the
other posts convincing (esp. those that point out that
newer versions of login report an "illegal error" message)
try this cool trick that Karel just showed me: on one
of the console screens type at the login prompt:

<login:> -froot

guess what happens, yes, you'll be logged in as root! :-)

Peter

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| We will encourage you to develop the three great       | Peter Bouthoorn    |

|                          Larry Wall & Randal Schwartz  | linux addict       |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2. any "dreamweaver " for linux

3. security fix for bin/login (C version)

4. Setting default file privileges for FTP uploads

5. putting message in /bin/fasle - potential security hole?

6. XF4.0 & trident 9685

7. /cgi-bin/phf security hole ?

8. [Dipeye Question-Please]

9. #! /bin/sh - setuid - Why is it a security hole?

10. putting message in /bin/false - potential security hole?

11. putting a message in /bin/false - security hole?

12. pwdauthd pwdauth() - Source Wanted in order to fix security hole.

13. Security Hole Fix?