Re: Environment Poisoning and login -p
From: Dag-Erling Smørgrav (des_at_des.no)
Date: 02/26/04
- Previous message: Tim Kientzle: "Environment Poisoning and login -p"
- In reply to: Tim Kientzle: "Environment Poisoning and login -p"
- Next in thread: Jacques A. Vidrine: "Re: Environment Poisoning and login -p"
To: kientzle@acm.org
Date: Thu, 26 Feb 2004 11:14:40 +0100
Tim Kientzle <tim@kientzle.com> writes:
> There's been an ongoing discussion (started by
> Colin Percival's recent work on nologin) about
> environment-poisoning attacks via "login -p".
> [...]
You missed the obvious solution: remove login(1)'s setuid bit so it
only works if you are already root.
DES
--
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"