[Pkg-shadow-devel] Bug#474933: root not logged out upon login, just stacks shell
jidanni at jidanni.org
jidanni at jidanni.org
Mon Apr 7 23:55:48 UTC 2008
Package: login
Version: 1:4.1.1-1
I discovered that now in addition to the broken
$ login
No utmp entry. You must exec "login" from the lowest level "sh"
for regular users. Now for root: he has unlimited power to
# login
That's right, piling up shells,
|-login --
| `-bash
| `-login
| `-bash
| `-pstree -a
because
Typically, login is treated by the shell as exec login which
causes the user to exit from the current shell.
on the man page is ignored.
Indeed, this is a security issue.
Why?
Because back in University, I could do
# login holmes
and walk away from the terminal, telling Mr. Holmes to continue as
usual.
Now when he is finished and logs out... gasp, a root shell is left
sitting on the terminal!
Or maybe he could just wait until I walked away and hit ^Z:
# login nobody
Password:
Login incorrect
jidanni1 login: ^Z
[1]+ Stopped login nobody
#
More information about the Pkg-shadow-devel
mailing list