John Baldwin wrote:
>
> My point (sigh) is that doing system("logger") has the same problem set as
> making nologin dynamic ...

No, it doesn't. Not if you make nologin static and have it create a fresh environment before running any external programs. This would also be considerably more compact than statically linking in the logging functions.

> Also, personally, I would rather have nologin be static than fix the one
> known case of login -p and just hope no other cases pop up in the future.
> Call me paranoid. :)

Armoring nologin(8) is insufficient. In particular, as David Schultz pointed out, there are a lot of home-grown nologin scripts out there that are potentially vulnerable regardless of what we do with the "official" nologin program.

Tim Kientzle

Received on Mon Feb 23 2004 - 13:28:04 UTC
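The "fresh environment before running any external programs" approach from the message above, sketched as an added example; it is not code from the thread or from the FreeBSD tree. The helper name `run_clean`, the logger path and the log message are assumptions, and the binary is assumed to be linked statically as the message proposes.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every child; nothing is inherited. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin:/usr/sbin:/sbin",
    NULL
};

/*
 * Hypothetical helper: run the program at an absolute path with
 * clean_env instead of the caller's environment. Unlike system(3), no
 * shell parses a command line, and variables the invoking user set
 * (LD_LIBRARY_PATH, LD_PRELOAD, ...) never reach the child or its
 * dynamic linker. Returns the child's exit status, or -1 on failure.
 */
int run_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                     /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumed logger location and constructed message text. */
    char *const argv[] = { "logger", "-p", "auth.notice",
                           "nologin: login attempt refused", NULL };

    run_clean("/usr/bin/logger", argv);
    puts("This account is currently not available.");
    return 1;
}
```

Scrubbing the environment only protects the child; the parent itself still has to be static (or otherwise immune to the inherited environment) for the reason discussed in the thread.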