Bugtraq mailing list archives

Fix for Linux/AIX login hole


From: dougmc () graphite comco com (Doug McLaren)
Date: Mon, 23 May 1994 00:55:39 -0500 (CDT)


I wrote a little script wrapper to install as /bin/login which I
think will close up any of the current batch of holes ... I'm looking
for comments, and hoping it might help somebody out.  I think it's
pretty bulletproof, but it's always possible I've missed something ...

#!/bin/sh
# by Doug McLaren, dougmc () comco com, 05/22/94

# This script acts as a frontend to /bin/login and makes sure that programs
# like in.telnetd, in.rlogind and getty don't pass it any bogus command
# line parameters.

# This script should not be setuid anything!

# Installation:  Rename the original /bin/login to /bin/login.dist, and make
# this script the new /bin/login.  Make sure 'logger' is set to the correct
# location for your logger binary.

# Problems this addresses: passing bogus -h and -f options to /bin/login.

logger="/usr/bin/logger -t login"

# The reason we separate all parameters with ','s is so one can see exactly
#    what is being sent to /bin/login - "login -h foo" and "login '-h foo'" are
#    not the same ...

$logger "'login $1,$2,$3,$4,$5,$6,$7,$8,$9'" executed by `whoami`

deny_access () {
   echo "Go away, lamer."
   $logger "connection refused - attempted security breach!"
   exit 1
}

# -p, -r, -f, -h are the only valid options I know of for the Linux
# login.  I haven't looked into any other versions of it.  If login is
# started with any other options, or with anything 'funky', exit.
for i in "$@"; do
   # echo "Checking \'$i\' ..."
   case $i in
      -f) ;;
      -h) ;;
      -r) ;;
      -p) ;;
      *\ *) deny_access ;;
      -*) deny_access ;;
      *) ;;
   esac
done

# In this part, we don't allow two -h or -f options.  I don't know if this
# part is still needed, but it shouldn't hurt.  I doubt it's bullet proof,
# however.
case " $*" in
   *\ -h*\ -h*) deny_access ;;
   *\ -f*\ -f*) deny_access ;;
   *) ;;
esac

# Ok, guess it all checks out ... execute the real /bin/login.
exec /bin/login.dist "$@"


-- Doug McLaren, dougmc () comco com
-- MONEY IS THE ROOT OF ALL EVIL! Send $9.95 for info
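
A small test harness, added here and not part of Doug's post, that replays the wrapper's two checks as a shell function so the accept/deny decision for a given argument vector can be inspected without installing anything as /bin/login; the function names and sample vectors are constructed for this example.

```shell
#!/bin/sh
# Constructed test harness (not the wrapper itself): mirrors the posted
# script's two checks so each argument vector's verdict can be examined.

# Returns 0 if the vector would reach the real login, 1 if the wrapper
# would call deny_access.
check_login_args() {
   # First pass: every argument on its own must be a known option or a
   # plain word, and must not contain an embedded space.
   for i in "$@"; do
      case "$i" in
         -f|-h|-r|-p) ;;
         *\ *) return 1 ;;   # embedded space, e.g. '-h foo' as one word
         -*) return 1 ;;     # unknown or bundled option, e.g. -fh or --
         *) ;;
      esac
   done
   # Second pass: the joined vector must not carry -h or -f twice.
   case " $*" in
      *\ -h*\ -h*) return 1 ;;
      *\ -f*\ -f*) return 1 ;;
   esac
   return 0
}

# Prints the verdict for one vector (for reading, not for assertions).
report() {
   if check_login_args "$@"; then verdict=accept; else verdict=deny; fi
   printf '%-6s login %s\n' "$verdict" "$*"
}

# Constructed vectors: what getty/in.telnetd/in.rlogind normally pass,
# followed by the shapes the wrapper is meant to reject.
report -h remote.example -p        # usual in.telnetd style invocation
report -f alice                    # pre-authenticated (-f) invocation
report alice                       # getty style: a username only
report '-h remote.example'         # option and value glued into one word
report -h a.example -h b.example   # repeated -h
report -f alice -f root            # repeated -f
report -fh alice                   # bundled options
report -- alice                    # unknown option
```

The logged form in the wrapper ("login $1,$2,...") is the same distinction the fourth vector shows: a single word '-h remote.example' is rejected even though it prints like the legitimate two-word form.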