
Re: PAMified login?



Theodore Y. Ts'o:
> Yes, it's still necessary but you have to make sure it's done right.
> The basic idea is to prevent an attacker from leaving a program behind
> that has an open file descriptor on the tty.  This could allow the
> attacker to steal keystrokes, or stuff characters down the user's login
> session. 

OK, maybe my question wasn't clear: is it still necessary to do it
*in login*?  No other login sources I know of (*BSD, logdaemon, OPIE)
do it (presumably because it is already done by getty/telnetd/rlogind
etc.) but if it's a security problem on Linux, then I should add it
to the shadow login as well.  But then, it looks like a difference
between Linux and other systems which don't need vhangup() in login
- maybe something to fix on the Linux side?

Thanks,

Marek


