[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: (forw) Bug#298060: Please don't install login as setuid root

/* Leave only debian-hurd@l.d.o */

Michael Banck wrote:
login   -- Falls back to unix-style if password server is not there.
           If we can presume the password server works, then we can
	   clear the setuid bit here.  (We could also remove the old
	   code, or leave it there for only root to be able to use w/o

I guess this is a good opportunity to review our suid login as well.

Detailed explanation for why /bin/login is Set-UID can be found in http://lists.gnu.org/archive/html/bug-hurd/2004-08/msg00273.html

I think that the first problem, with proc_setowner, can be fixed by just putting it lower in the code or something like that -- I'm not sure.

But I don't know if we can handle chown tty without Set-UID.


Reply to: