Re: (forw) Bug#298060: Please don't install login as setuid root

To: debian-hurd@lists.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
From: Ognyan Kulev <ogi@fmi.uni-sofia.bg>
Date: Tue, 08 Mar 2005 20:38:31 +0200
Message-id: <[🔎] 422DF127.9050200@fmi.uni-sofia.bg>
In-reply-to: <[🔎] 20050308182220.GH8797@chemicalconnection.dyndns.org>
References: <20050305143458.GL7778@mykerinos.kheops.frmug.org> <20050306065645.GQ15737@alcor.net> <[🔎] 1110297792.8417.73.camel@country.grep.be> <[🔎] 20050308182220.GH8797@chemicalconnection.dyndns.org>

/* Leave only debian-hurd@l.d.o */

Michael Banck wrote:

login   -- Falls back to unix-style if password server is not there.
           If we can presume the password server works, then we can
	   clear the setuid bit here.  (We could also remove the old
	   code, or leave it there for only root to be able to use w/o
	   server.)


I guess this is a good opportunity to review our suid login as well.

Detailed explanation for why /bin/login is Set-UID can be found inhttp://lists.gnu.org/archive/html/bug-hurd/2004-08/msg00273.html

I think that the first problem, with proc_setowner, can be fixed by just puttingit lower in the code or something like that -- I'm not sure.


But I don't know if we can handle chown tty without Set-UID.

Regards,
ogi

Reply to:

References:
- Re: (forw) Bug#298060: Please don't install login as setuid root
  - From: Wouter Verhelst <wouter@grep.be>
- Re: (forw) Bug#298060: Please don't install login as setuid root
  - From: Michael Banck <mbanck@debian.org>

Prev by Date: Re: console works, X aswell
Next by Date: gcc-3.4
Previous by thread: Re: (forw) Bug#298060: Please don't install login as setuid root
Next by thread: gcc-3.4
Index(es):
- Date
- Thread