On Mon, Feb 23, 2004, Colin Percival wrote:
> I can see a number of possible options; I'd like to hear
> opinions on which would be the best.

This is the third time this issue has been discussed, so before the same arguments are rehashed, I'd like to lay out a simple plan that I think people are unlikely to object to. (If anyone *does* object, please say so.)

(1) Fix login(1) so that it disables the -p option when the target user's shell is not in /etc/shells (unless the invoking user is root), and

(2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.

After that, people are welcome to debate whether to make nologin dynamically linked again (which should be safe), whether to move it to /usr/sbin (which sounds reasonable, but won't matter as much anymore), and whatnot. I just don't want to (once again) get into a big debate that ends up getting derailed so that nobody gets anything done.

P.S. Both of these ideas are due to Tim Kientzle.

Received on Tue Feb 24 2004 - 13:37:25 UTC
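The decision described in item (1), sketched as an added example; it is not part of the original message and not FreeBSD's login(1) code. The function names `shell_in_list` and `preserve_env_allowed`, the sample shells list, and the choice to treat an empty or relative shell as unlisted are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample in /etc/shells format (not taken from a real system). */
static const char SAMPLE_SHELLS[] =
    "# List of acceptable shells\n"
    "\n"
    "/bin/sh\n"
    "  /bin/csh   # trailing comment\n"
    "/usr/local/bin/bash\n";

/* Hypothetical helper: true if `shell` is an exact entry in `list`.
 * Assumption: an empty or non-absolute shell counts as unlisted. */
bool shell_in_list(const char *list, const char *shell)
{
    size_t want = strlen(shell);
    if (want == 0 || shell[0] != '/')
        return false;
    for (const char *line = list; *line != '\0'; ) {
        const char *end = line + strcspn(line, "\n");
        const char *p = line;
        while (p < end && (*p == ' ' || *p == '\t'))
            p++;                      /* skip leading whitespace */
        /* An entry runs up to whitespace or '#'; comment lines give n == 0. */
        size_t n = 0;
        while (p + n < end && p[n] != ' ' && p[n] != '\t' && p[n] != '#')
            n++;
        if (n == want && memcmp(p, shell, n) == 0)
            return true;              /* exact match only, no prefix match */
        line = end + (*end == '\n');  /* advance past the newline, if any */
    }
    return false;
}

/* Hypothetical policy check: honour -p only when the invoking user is root
 * or the target user's shell is a listed shell. */
bool preserve_env_allowed(uid_t invoker, const char *target_shell,
                          const char *list)
{
    if (invoker == 0)
        return true;
    return shell_in_list(list, target_shell);
}
```
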