
Bug#556522: hurd - using the login shell is insecure



Hey Samuel :)

> Justus Winter, on Mon 10 Jan 2011 00:36:07 +0100, wrote:
> > I incorporated some code from util-linux's getty to make hurd's getty
> > ask for a login name and pass that name to login. This way the
> > login shell is no longer needed. I also turned on login's --paranoid
> > flag to prevent it leaking whether a user exists or not.
> 
> Err, did you see my previous reply? It's all already implemented:
> 
> “Note: to do so we simply need to create a login account with default
> shell set to /bin/loginpr and home set to /etc/login.”

Hm, I read your message, but it obviously didn't come through >,<

Please find attached a revised patch that adds such a user in the
postinst script and changes the getty accordingly. Unfortunately it is
not as easy to remove the user once the getty spawned a session using
that user, so I added a message to inform the user how to manually
remove the user and group once the session has been terminated. Not
sure if that is the way to go though...

Cheers,
Justus
diff -r a95557dc73eb daemons/getty.c
--- a/daemons/getty.c	Tue Jan 11 00:00:32 2011 +0000
+++ b/daemons/getty.c	Tue Jan 11 23:38:12 2011 +0000
@@ -129,10 +129,10 @@
 
   if (tt && strcmp (tt->ty_type, "dialup") == 0)
     /* Dialup lines time out (which is login's default).  */
-    execl (_PATH_LOGIN, "login", "-e", arg, NULL);
+    execl (_PATH_LOGIN, "login", "--no-passwd", "-aMOTD", "-e", arg, "login", NULL);
   else
     /* Hardwired lines don't.  */
-    execl (_PATH_LOGIN, "login", "-e", arg, "-aNOAUTH_TIMEOUT", NULL);
+    execl (_PATH_LOGIN, "login", "--no-passwd", "-aMOTD", "-e", arg, "-aNOAUTH_TIMEOUT", "login", NULL);
 
   syslog (LOG_ERR, "%s: %m", _PATH_LOGIN);
 
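
Review bot: The account name "login" is now a bare string literal repeated as the last argument of both execl calls, with no comment on why starting it with --no-passwd is acceptable. That is only safe while the account's shell is /bin/loginpr, which is configured in a different file (debian/postinst), so use a named constant for the account and state that dependency in a comment next to the calls. Note also that a missing "login" account is not an execl failure, so the syslog line that follows will not record it.
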
diff -r a95557dc73eb debian/postinst
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/postinst	Tue Jan 11 23:38:12 2011 +0000
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = configure ]; then
+  add-shell /bin/loginpr || true
+  if ! getent passwd login >/dev/null; then
+    adduser --disabled-password  --quiet --system \
+      --home /etc/login --no-create-home --shell /bin/loginpr \
+      --gecos "login user" --group login
+  fi
+fi
+
+#DEBHELPER#
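
Review bot: The getent check accepts an already existing "login" account without verifying its shell or home. Since getty now starts that account with --no-passwd, a pre-existing "login" user with an ordinary shell would get a session without authentication; compare the shell and home fields returned by getent against /bin/loginpr and /etc/login and abort (or correct them) when they differ. Separately, "add-shell /bin/loginpr || true" hides a failure to register the shell, which is worth at least a warning.
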
diff -r a95557dc73eb debian/postrm
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/postrm	Tue Jan 11 23:38:12 2011 +0000
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = purge ]; then
+  remove-shell /bin/loginpr
+  if ! deluser --quiet --system login > /dev/null; then
+    echo "
+Removing the user 'login' failed, most likely because the user is still
+logged in. To remove the user and group terminate the session in question
+and execute
+
+    deluser --quiet --system login
+    delgroup --quiet --system login
+"
+  else
+    delgroup --quiet --system login > /dev/null || true
+  fi
+fi
+
+#DEBHELPER#
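
Review bot: "remove-shell /bin/loginpr" runs unguarded under set -e, so a failure there aborts the purge before the account is handled, whereas postinst tolerates add-shell failing with "|| true"; guard it the same way or move it after the deluser block. In the failure branch, the fixed message attributes any deluser failure to an active session and is written to stdout; send it to stderr with >&2 so it is not lost when stdout is redirected.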
