On Mon, 2004-02-23 at 20:16, John Baldwin wrote:
> On Monday 23 February 2004 02:58 pm, Doug Rabson wrote:
> > On Mon, 2004-02-23 at 17:45, Colin Percival wrote:
> > > As anyone who reads cvs-all (or Mark Johnston's wonderful
> > > summaries thereof) will know, I recently added logging into
> > > nologin(8): Instead of simply printing an error message, it
> > > now (via syslog) records the refused login attempt.
> > > For security reasons, nologin(8) must be statically linked;
> > > as a result, adding logging has increased the binary size by
> > > slightly over 100K (on i386). For historical reasons (which
> > > is to say, "nobody seems to know why"), nologin is located in
> > > /sbin, which means that this has a non-trivial effect upon
> > > the space used on the root partition. Some people are unhappy
> > > about this.
> > > I can see a number of possible options; I'd like to hear
> > > opinions on which would be the best.
> >
> > How about:
> >
> > 7: Use 'system("logger ...") to log the failed login?
>
> Wouldn't that be subject to the same LD_LIBRARY_PATH concerns since logger is
> dynamically linked and you could trojan its libc?

Yes, but nologin will have the chance to sanitize its environment before running it.

Received on Mon Feb 23 2004 - 13:38:33 UTC
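
The environment sanitizing mentioned in the reply above, as an added example that is not part of the original thread or of FreeBSD's nologin source: it replaces the inherited environment with a fixed allowlist and starts the helper by absolute path with execve(2) instead of system(3), so no shell parses the message. The logger path, the syslog priority and the message text are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed allowlist (assumed values): nothing inherited from the caller survives. */
static char *clean_env[] = { "PATH=/bin:/usr/bin", NULL };

/* Discard every inherited variable (LD_LIBRARY_PATH, LD_PRELOAD, IFS, ...)
 * by pointing environ at the allowlist instead of filtering a denylist. */
void sanitize_environment(void)
{
    environ = clean_env;
}

/* Run a helper by absolute path with an argv array: no shell, no PATH search.
 * Returns the helper's exit status, or -1 if it could not be forked or
 * waited for, or was killed by a signal. 127 means execve() itself failed. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    sanitize_environment();
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, environ);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Hypothetical invocation: path, priority and message are assumptions. */
    char *const args[] = { "logger", "-p", "auth.notice",
                           "nologin: login refused", NULL };
    return run_helper("/usr/bin/logger", args) == 0 ? 0 : 1;
}
```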