On 13 July 1998, Richard Thomas <rthomasat_private> wrote:

> Discovered by Ted Hickman:
>
> Recently I noticed something rather "insecure" about the slackware 3.4
> /bin/login (and probably other versions). If the /etc/group file does
> not exist, any user who logs into the system is given uid 0 gid 0.
[...]
> So what's the fix? Well first of all, change src/login.c to:
>
>       if (setup_uid_gid(&pwent, is_console))
>               exit(1);

Not exactly a good idea AFAICT: I suppose you still want to log in as
root to create /etc/group after that...

> If we wanted to be fancy we could continue to login even if
> initgroups() fails (most likely you don't "need" those extra groups to
> get into the system and fix it), but we gotta save something for the
> shadow authors. =)
[...]

As I said, you'd probably have to do that anyway.

Regards,

Liviu

--
Dr. Liviu Daia               e-mail:   daiaat_private
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  finger daiaat_private
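The two positions in this thread can be reconciled by treating an initgroups() failure as non-fatal while making setgid()/setuid() failures always fatal. The sketch below is an added example, not code from the shadow suite or from either poster; `drop_to_user`, `struct id_ops`, the stubs, the user `alice` and the setgroups() fallback are assumptions made for illustration, and the signatures are those of Linux/glibc.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1              /* initgroups()/setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical indirection so the logic can be exercised without root. */
struct id_ops {
    int (*initgroups)(const char *user, gid_t gid);
    int (*setgroups)(size_t n, const gid_t *list);
    int (*setgid)(gid_t gid);
    int (*setuid)(uid_t uid);
};
const struct id_ops real_ops = { initgroups, setgroups, setgid, setuid };

/* Returns 0 only if the process now holds pw's uid and gid. *groups_ok
   tells the caller whether supplementary groups were loaded. */
int drop_to_user(const struct passwd *pw, const struct id_ops *ops, int *groups_ok)
{
    *groups_ok = (ops->initgroups(pw->pw_name, pw->pw_gid) == 0);
    /* Missing /etc/group: keep going so the admin can log in and repair
       it, but do not inherit the login process's own group list. */
    if (!*groups_ok && ops->setgroups(1, &pw->pw_gid) != 0)
        return -1;
    /* Never optional: gid first, then uid, each return value checked. */
    if (ops->setgid(pw->pw_gid) != 0 || ops->setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

/* Constructed stubs standing in for the system calls. */
static int calls;                       /* bitmask of stubs that ran */
static int no_group_file(const char *u, gid_t g) { (void)u; (void)g; return -1; }
static int ok_groups(size_t n, const gid_t *l) { (void)n; (void)l; calls |= 1; return 0; }
static int ok_gid(gid_t g) { (void)g; calls |= 2; return 0; }
static int ok_uid(uid_t u) { (void)u; calls |= 4; return 0; }
static int bad_uid(uid_t u) { (void)u; return -1; }

/* Simulate a login with /etc/group missing; setuid_works selects the stub. */
int simulate(int setuid_works, int *groups_ok, int *calls_out)
{
    struct passwd pw = { .pw_name = "alice", .pw_uid = 1000, .pw_gid = 100 };
    struct id_ops ops = { no_group_file, ok_groups, ok_gid,
                          setuid_works ? ok_uid : bad_uid };
    calls = 0;
    int rc = drop_to_user(&pw, &ops, groups_ok);
    *calls_out = calls;
    return rc;   /* login must exit(1) on -1 instead of starting a shell */
}
```

In a real login the caller would pass `&real_ops` and refuse the session whenever `drop_to_user` returns -1.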