sanand@radha.UUCP (Sanand Patel) (02/26/87)
In regards to running login from a non-login shell, I was under the impression that 'login' should refuse to run if it is not owned by 'init'. This would be so that you could not threaten the wtmp entry of a target user. However, I find that Ultrix 1.2, allows me to run /bin/login from any shell and thus subvert the wtmp file. Was this not a security hole closed a long time ago ? Does this happen under 4.2/3 BSD ? I am thinking about making /bin/login executable only by root -- any comments ? --- --- utzoo!dciem!radha!sanand --- seismo!mnetor!radha!sanand -- --- --- seismo!mnetor!radha!sanand --- utzoo!dciem!radha!sanand --- 416-293-9722 ext248