Bugtraq mailing list archives

Re: denial of service attack on login


From: laura () sobolev rhein de (Bettina Fink)
Date: Tue, 10 Dec 1996 15:21:03 +0100


In article <2.2.32.19961202024506.0098e6a0 () dux isec pt>, NuNO <nuno () dux isec pt> wrote:
 The following denial of service attack seems to work on the above systems
with the standard login application.

        joe$ nvi /var/log/wtmp

        [ Now no-one else can log in ]

This is a problem with advisory locking. The fact that anyone can create an
exclusive lock on a file they can only read!

The problem with locking of /var/log/wtmp by nvi affects not only "login".
This also works on agetty and mingetty even when the "login" bug is fixed.
A simple user can lock wtmp by "nvi /var/log/wtmp" without having write
permission on it.

If you have fixed it for "login", you can still log in to your system, but
if you try to log _out_, the tty is dead until the lock is removed.

The author of mingetty, Florian La Roche, has been informed; he will fix
it for mingetty.
I'll also send a mail to Nicolai Langfeldt (maintainer of util-linux) to
inform him about the agetty problem if he doesn't already know this.

--
EMail: laura () caissa franken de
            PGP public key on demand or finger pgp () caissa franken de
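
An added example, not part of the original post and not taken from login, agetty or mingetty: a scratch file stands in for /var/log/wtmp to show that flock() grants an exclusive lock on a read-only descriptor, and that a writer using a bounded, non-blocking attempt gives up instead of hanging. The names lock_with_timeout and demo, the scratch path and the retry values are assumptions made for this illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE  /* flock(), mkstemp(), nanosleep() under strict -std */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper: take an exclusive flock() with a bounded wait.
 * Returns 0 with the lock held, -1 if it is still held elsewhere (or on error). */
int lock_with_timeout(int fd, int attempts, long delay_ms)
{
    struct timespec ts = { .tv_sec = delay_ms / 1000,
                           .tv_nsec = (delay_ms % 1000) * 1000000L };
    for (int i = 0; i < attempts; i++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return 0;
        if (errno != EWOULDBLOCK)
            return -1;            /* real error, not contention */
        nanosleep(&ts, NULL);     /* back off, then retry */
    }
    return -1;                    /* caller decides: skip the record or log it */
}

/* Constructed scenario on a scratch file standing in for wtmp.
 * Returns 1 when: a read-only descriptor obtained LOCK_EX, the writer's bounded
 * attempt gave up instead of hanging, and the writer got the lock after release. */
int demo(void)
{
    char path[] = "/tmp/wtmp-demo-XXXXXX";
    int wfd = mkstemp(path);               /* writer (read-write) */
    if (wfd < 0)
        return -1;
    int rfd = open(path, O_RDONLY);        /* reader: no write access via this fd */
    if (rfd < 0) { close(wfd); unlink(path); return -1; }
    int reader_locked = flock(rfd, LOCK_EX | LOCK_NB) == 0;
    int writer_gave_up = lock_with_timeout(wfd, 3, 10) == -1;
    flock(rfd, LOCK_UN);
    int writer_locked = lock_with_timeout(wfd, 3, 10) == 0;
    close(rfd); close(wfd); unlink(path);
    return reader_locked && writer_gave_up && writer_locked;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```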


