
Bug#556522: hurd - using the login shell is insecure



Hey Samuel :)

> Justus Winter, le Wed 12 Jan 2011 00:39:35 +0100, a écrit :
> > diff -r a95557dc73eb daemons/getty.c
> > --- a/daemons/getty.c	Tue Jan 11 00:00:32 2011 +0000
> > +++ b/daemons/getty.c	Tue Jan 11 23:38:12 2011 +0000
> > @@ -129,10 +129,10 @@
> >  
> >    if (tt && strcmp (tt->ty_type, "dialup") == 0)
> >      /* Dialup lines time out (which is login's default).  */
> > -    execl (_PATH_LOGIN, "login", "-e", arg, NULL);
> > +    execl (_PATH_LOGIN, "login", "--no-passwd", "-aMOTD", "-e",
> > arg, "login", NULL); else
> >      /* Hardwired lines don't.  */
> > -    execl (_PATH_LOGIN, "login", "-e", arg, "-aNOAUTH_TIMEOUT",
> > NULL);
> > +    execl (_PATH_LOGIN, "login", "--no-passwd", "-aMOTD", "-e",
> > arg, "-aNOAUTH_TIMEOUT", "login", NULL); 
> >    syslog (LOG_ERR, "%s: %m", _PATH_LOGIN);
> 
> Mmm, why these?

You've got a point here. After reading the login program's source I
realized that 'login' is the default unprivileged user to use and that
spawning this session requires no password (btw, is there documentation
for Hurd's userspace tools that I am just unable to find?).

I'd argue to keep the -aMOTD though to prevent the motd from being
shown before the user logs in (weird thing is that the motd isn't shown
after the user logs in if loginpr is started by the getty but it is
shown if I start it manually. I grepped the env for motd but found
nothing that would indicate the reason for the different behaviour).

A revised patch is attached. Feel free to just drop the getty related
part if you should disagree on the MOTD thing.

Cheers,
Justus
diff -r a95557dc73eb daemons/getty.c
--- a/daemons/getty.c	Tue Jan 11 00:00:32 2011 +0000
+++ b/daemons/getty.c	Sun Jan 16 03:29:51 2011 +0000
@@ -129,10 +129,10 @@
 
   if (tt && strcmp (tt->ty_type, "dialup") == 0)
     /* Dialup lines time out (which is login's default).  */
-    execl (_PATH_LOGIN, "login", "-e", arg, NULL);
+    execl (_PATH_LOGIN, "login", "-aMOTD", "-e", arg, NULL);
   else
     /* Hardwired lines don't.  */
-    execl (_PATH_LOGIN, "login", "-e", arg, "-aNOAUTH_TIMEOUT", NULL);
+    execl (_PATH_LOGIN, "login", "-aMOTD", "-e", arg, "-aNOAUTH_TIMEOUT", NULL);
 
   syslog (LOG_ERR, "%s: %m", _PATH_LOGIN);
 
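Review bot: both execl calls in daemons/getty.c gain "-aMOTD" with no comment explaining it, while the existing comments only cover the timeout difference between dialup and hardwired lines. Add a one-line comment stating the intent given in the covering mail (keep the motd from being shown before the user has logged in), so the argument is not dropped later as unexplained. Since the mail also reports that the motd then does not appear after login when started from getty, that behaviour should be understood before this hunk is merged.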
diff -r a95557dc73eb debian/postinst
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/postinst	Sun Jan 16 03:29:51 2011 +0000
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = configure ]; then
+  add-shell /bin/loginpr || true
+  if ! getent passwd login >/dev/null; then
+    adduser --disabled-password  --quiet --system \
+      --home /etc/login --no-create-home --shell /bin/loginpr \
+      --gecos "login user" --group login
+  fi
+fi
+
+#DEBHELPER#
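Review bot: the `getent passwd login` guard in debian/postinst accepts any existing account named login, so a pre-existing login user with a different shell, home directory or a usable password is left untouched and the options given to adduser here (`--disabled-password`, `--shell /bin/loginpr`, `--system`) never take effect. Since this account is the one sessions start as before authentication, check the existing entry (at least its shell field) and warn or fail when it does not match. Separately, `add-shell /bin/loginpr || true` hides a failed shell registration; printing a message on failure would make that visible.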
diff -r a95557dc73eb debian/postrm
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/postrm	Sun Jan 16 03:29:51 2011 +0000
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = purge ]; then
+  remove-shell /bin/loginpr
+  if ! deluser --quiet --system login > /dev/null; then
+    echo "
+Removing the user 'login' failed, most likely because the user is still
+logged in. To remove the user and group terminate the session in question
+and execute
+
+    deluser --quiet --system login
+    delgroup --quiet --system login
+"
+  else
+    delgroup --quiet --system login > /dev/null || true
+  fi
+fi
+
+#DEBHELPER#
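Review bot: in the purge branch of debian/postrm, `remove-shell /bin/loginpr` runs unguarded under `set -e`, so a failure there aborts the purge before the user and group are handled, whereas postinst guards add-shell with `|| true`. The same applies to availability: deluser and delgroup come from adduser, which is not an essential package and may already be gone when postrm purge runs, so test for the commands before calling them. Two smaller points: the error text blames every deluser failure on an active session although only stdout is discarded and other causes are possible, and the purge deletes the login account even when postinst found it already present and did not create it.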
