Re: (forw) Bug#298060: Please don't install login as setuid root
On Sat, 05-03-2005 at 22:56 -0800, Matt Zimmerman wrote:
> On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> > Security and release teams, may I have your advice about this suggestion?
> > As you may know, I currently act as maintainer for the shadow package,
> > but I'm also aware of my own weaknesses when it comes to security (and
> > security-related) issues so I prefer getting the advice of more
> > competent people.
> > Given that installing login non setuid has been blessed for Ubuntu,
> > I'm inclined to follow the suggestion, but doing so close to a release
> > is maybe not wise... so I'm seeking advice. :-)
> FWIW, we've been doing this for some time in Ubuntu, and no one has missed
> it. In this age of pseudoterminals and single-user systems...
I'm not exactly sure about this, but I think it might break the way the
Hurd does a login. On the Hurd, you don't get a login prompt; rather,
you get a login /shell/ which allows you to do some things without
having been logged on; logging in then requires you to do 'login <user>'.
It /might/ be the case that this requires /bin/login to be setuid root,
but I'm not sure. Hurd developers (Cc'ed), care to shed some light here?
smog | bricks
AIR -- mud -- FIRE
soda water | tequila
-- with thanks to fortune