UNIX source vs. binary (NOT A LEGAL ARGUMENT)
sienkiew at udel-huey
sienkiew at udel-huey
Thu Feb 21 03:01:54 AEST 1985
>trap exit 1 2 3 15
>if [ "`tty`" != "/dev/console" ]
>then
> echo "root must log in on the console"
> exit 1
>fi
>trap 1 2 3 15
>
>there is probably a narrow window of vulnerability here.
The window is small, but it is there. If you put in .profile only the line
bye
it is still possible to log in to that account. By repeatedly hitting
interrupt after typing your password, you have a chance of catching
sh between it's signal() call and the execution of the first command.
I know this because this is exactly what someone did to me when I was
a novice Unix user. (This was on seventh edition unix.)
This same characteristic exists in HP-UX (a derivative of System III),
but I was unable to duplicate it with csh.
You might want to just rewrite login for your site--it's really a pretty
trivial program, and well worth it if the security is that important to
you.
Mark.
More information about the Comp.unix.wizards
mailing list