andrew@orca.UUCP (Andrew Klossner) (11/19/84)
[No white space here. Better luck next time, news eater bug] "Make /bin/login mode 500 owned by root and it will fail on exec, usually causing /etc/init to fork another copy of itself and the new user to thus get a fresh copy of /bin/login for normal login, or (perhaps with parentheses) an error message from the shell. This mode also makes realistic login simulators (of the sort that want to collect your password) harder to write, since they can't just exec /bin/login afterwards and leave the user no wiser." The big win of the builtin shell "login" command is that it logs me out and lets you log in without hanging up the modem line. If you chmod 500 /bin/login, then the line will drop when exec("/bin/login") fails. Inconvenient. -- Andrew Klossner (decvax!tektronix!orca!andrew) [UUCP] (orca!andrew.tektronix@csnet-relay) [ARPA]
thomas@utah-gr.UUCP (Spencer W. Thomas) (11/21/84)
In article <1173@orca.UUCP> andrew@orca.UUCP (Andrew Klossner) writes: > >The big win of the builtin shell "login" command is that it logs me out >and lets you log in without hanging up the modem line. If you chmod >500 /bin/login, then the line will drop when exec("/bin/login") fails. >Inconvenient. An easy fix (if you have source) is to have /bin/login check if its ppid == 1, and exit if not. Foils those recursive logins right away. Still doesn't protect against the password collectors, though. If you don't have source, compile the little program below (call it ./login) and mv /bin/login /etc/login; chmod 500 /etc/login cp ./login /bin/login chmod 777 /bin/login; chmod u+s /bin/login /* * Quick hack to prevent recursive logins. Install as /bin/login, after * copying /bin/login to /etc/login (mode 500). Must be setuid root. * * NOTE and DISCLAIMER - this is completely untested, I haven't even * compiled it. */ #include <stdio.h> main( argc, argv ) char **argv; { if ( getppid() !=1 ) { fprintf( stderr, "Can't do recursive logins\n" ); exit( 1 ); } execv( "/etc/login", argv ); perror( "Can't exec login" ); exit( 1 ); }
jsq@ut-sally.UUCP (John Quarterman) (11/22/84)
Quoting: The big win of the builtin shell "login" command is that it logs me out and lets you log in without hanging up the modem line. If you chmod 500 /bin/login, then the line will drop when exec("/bin/login") fails. Inconvenient. -- Andrew Klossner (decvax!tektronix!orca!andrew) [UUCP] (orca!andrew.tektronix@csnet-relay) [ARPA] Of course the chmod will cause that behavior. It is a very minor inconvenience. Another person uses my terminal and modem daily, and neither of us are bothered by this: most modems these days can re-dial a number on a couple of keystrokes. (I don't have much sympathy for people who only have 300 baud, either.) If you have a port selector which requires some sort of complicated negotiation, it might actually be enough of a hassle to allow recursive logins. Of course, you've then got to worry about things like mail return addresses, whether the various accounting commands and last(1) will work correctly, and the convenient availability of an executable /bin/login for use by crackers. We could argue about this endlessly. If you consider "inconvenient" alone to be the telling argument, I will not agree with you. How about we all go on to something else? -- John Quarterman, CS Dept., University of Texas, Austin, Texas 78712 USA jsq@ut-sally.ARPA, jsq@ut-sally.UUCP, {ihnp4,seismo,ctvax}!ut-sally!jsq
aeb@turing.UUCP (11/23/84)
> chmod 777 /bin/login; chmod u+s /bin/login > /* Must be setuid root. */ A very interesting suggestion, especially the part about 777 ! -- Andries Brouwer -- CWI, Amsterdam -- {philabs,decvax}!mcvax!aeb
thomas@utah-gr.UUCP (Spencer W. Thomas) (11/23/84)
>> chmod 777 /bin/login; chmod u+s /bin/login >> /* Must be setuid root. */ > >A very interesting suggestion, especially the part about 777 ! Oops, obviously, I meant 555. (Just a slip of the key). =S
andrew@orca.UUCP (Andrew Klossner) (11/25/84)
>In article <1173@orca.UUCP> andrew@orca.UUCP (Andrew Klossner) writes: >> >>The big win of the builtin shell "login" command is that it logs me out >>and lets you log in without hanging up the modem line. If you chmod >>500 /bin/login, then the line will drop when exec("/bin/login") fails. >>Inconvenient. > >An easy fix (if you have source) is to have /bin/login check if its ppid >== 1, and exit if not. Foils those recursive logins right away. If you use "rlogin", then during network connections, login is run as a child of a child of /etc/rlogind. Thus, if you install this fix, you disable remote logins. -- Andrew Klossner (decvax!tektronix!orca!andrew) [UUCP] (orca!andrew.tektronix@csnet-relay) [ARPA]