
Re: strange result when typing wrong password



On Thu, Jun 06, 2002 at 09:24:35AM +0200, Niels Möller wrote:
> There are four more bits than the traditional rwxrwxrwx. And what you
> want to do is modify those bits on /etc/passwd to say (i) processes that
> have no uid:s at all are not included in "others", and (ii) such
> processes are not allowed to access /etc/passwd.

You achieve this by setting bit S_IUSEUNK:

/* If the S_IUSEUNK bit is set, then the S_IUNKNOWN bits (see below)
   control access for unknown users.  If S_IUSEUNK is clear, then unknown
   users are treated as "others" for purposes of access control.  */
#define S_IUSEUNK       000000400000

and clearing the bits in S_IUNKNOWN:
/* Mask of protection bits for unknown users (no effective IDs at all).  */
#define S_IUNKNOWN      000007000000

> But it's harder than it sounds, because chmod doesn't yet know about
> those bits. There have been some patches on the hurd-bugs mailing list.

But chmod knows about octal numbers!  ;)  So you can actually just calculate
the right octal number and pass it to chmod on the command line, IIRC.

Something like

# chmod 0400644 /etc/passwd

should do the job (untested!).
 
> Also the default for the bit that decides whether or not no-uid
> processes are included in "others" isn't really decided yet.

Yep, that's still open.  The current behaviour is documented above.
 
> And at last, if you have the login shell only on the console (that's
> the default behavior, iirc),

Unfortunately not.  I didn't bother to figure out yet which place I have to
change to make it use /bin/loginpr on incoming connections, rather than
/bin/login.  Or should we swap the programs and configure the local console
to use something different than /bin/login?  Someone please send a patch! :)

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de
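
Added example, not part of the original message and not Hurd project code: a small C program that applies the rule from the quoted header comment to show which rwx triplet a process with no effective IDs ends up with, and how the octal argument for chmod is built. The helper names and UNK_SHIFT are hypothetical; the two bit values are the ones quoted in the message.

```c
#include <stdio.h>

/* Values copied from the header excerpt quoted in the message. */
#ifndef S_IUSEUNK
#define S_IUSEUNK  000000400000UL
#endif
#ifndef S_IUNKNOWN
#define S_IUNKNOWN 000007000000UL
#endif
#define UNK_SHIFT 18  /* hypothetical name; derived from S_IUNKNOWN == 07 << 18 */

/* Build the mode to hand to chmod: the classic bits plus an explicit
   rwx triplet (0-7) for processes that have no effective IDs. */
unsigned long mode_with_unknown(unsigned long classic, unsigned unk_rwx)
{
    return (classic & 07777UL) | S_IUSEUNK
         | (((unsigned long)(unk_rwx & 07) << UNK_SHIFT) & S_IUNKNOWN);
}

/* The rwx triplet that applies to a no-uid process, following the header
   comment: the S_IUNKNOWN bits if S_IUSEUNK is set, else the "others" bits. */
unsigned effective_unknown_rwx(unsigned long mode)
{
    if (mode & S_IUSEUNK)
        return (unsigned)((mode & S_IUNKNOWN) >> UNK_SHIFT);
    return (unsigned)(mode & 07);
}

int main(void)
{
    /* Constructed sample modes: plain 0644, 0644 with unknown users denied,
       and 0644 with unknown users granted read only. */
    unsigned long modes[] = { 0644UL, mode_with_unknown(0644, 0),
                              mode_with_unknown(0644, 04) };
    for (int i = 0; i < 3; i++)
        printf("mode %07lo -> unknown users get %o\n",
               modes[i], effective_unknown_rwx(modes[i]));
    return 0;
}
```

With S_IUSEUNK clear, a no-uid process inherits the "others" read bit of a 0644 file; setting S_IUSEUNK and leaving S_IUNKNOWN at zero is what removes that access.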

