[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Hurd Login Utility

From: James Clarke
Subject: Hurd Login Utility
Date: Tue, 29 Sep 2015 12:19:20 +0100

Whilst looking through the code in utils/login.c, I noticed a security issue. 
Even if --paranoid is set, if you give it a UID that doesn’t exist (login 
treats it as a UID if the first character is a digit, with no fallback to 
treating it as a username), it will exit without prompting for a password (and 
of course prompts for a password if it is a valid UID!). Is this intentional?
I was also thinking that login should prompt for a username if not provided on 
the command line, as with Linux and BSD. This would in fact let us get rid of 
/bin/loginpr (currently we go via bash just to prompt for a username, and then 
exec login, which seems unnecessary). Thoughts?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]