Hi!
On Fri, Apr 22, 2005 at 08:33:35AM +0200, Christian Perrier wrote:
Please explain me how, on a non compromised system, users can replace
the login program with something else.
I'm speaking of a simple childish script kiddy script that you start
as a normal local user *without* root
Please explain me how, on a non compromised system, users can replace
the login program with something else.
Wasn't that only you in
[EMAIL PROTECTED] who claims this? I'm
speaking of a simple childish script kiddy script that you start as a
normal local user *without* root access. I
* Christian Perrier [EMAIL PROTECTED] [2005-04-22 08:33]:
OK, as a normal user, I can start a fake login program and have it
mimic the bahaviour of /bin/login.
But, how could I really have other users run it and believe this is the
normal login program? Sending them an email which says
Tags: whishlist
* Matt Zimmerman [EMAIL PROTECTED] [2005-04-21 03:58]:
Correct, this can't be fixed in login, but only in the kernel. Also, the
kernel already provides this (via magic sysrq), so it seems that your issue
has been addressed.
I filed this bug against login because I thought it
I know. I have not installed vlock, lockvt, xlock, away, (which besides accept
passwords from stdin...) but unfortunately I cannot decline politely on login
and gdm.
And I would add that, if your system allows random users to replace
login by such a program, then you have much other
* Christian Perrier [EMAIL PROTECTED] [2005-04-21 19:15]:
I know. I have not installed vlock, lockvt, xlock, away, (which besides
accept
passwords from stdin...) but unfortunately I cannot decline politely on
login
and gdm.
And I would add that, if your system allows random
Package: login
Version: 1:4.0.3-30.7
Severity: important
Tags: security
Every local user can simply start a little program that imitates login and
grabs the password pretending it's wrong. It's really hard for the average user
to spot the difference and to make sure that he really didn't mistype
On Thu, Apr 21, 2005 at 02:33:35AM +0200, Gerhard Schrenk wrote:
IMHO the easiast security enhancement for password based local
authentication seems to be (anyone better ideas?) keysequences that can
only be catched by the kernel or apps that are suid root.
Correct, this can't be fixed in
8 matches
Mail list logo