>Hmm, can anyone explain a bit more about the recent CERT advisory on /etc/utmp?
>I assume the attackers were able to obtain root by fooling programs that
>only use the information in /etc/utmp for authentication, instead of
>calling for the user's user id and real user id. Anyone mind extending
>this description...

Some programs will write directly to "devices" found in /etc/utmp, without
validating that they are really user's tty devices.

-Jeff
--
Jeff Beadles jeff@neon.rain.com
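The validation the reply says is missing, as an added example that is not part of the original post: before a privileged program writes to a terminal named in /etc/utmp, it confirms that the entry resolves to a real tty under /dev. The function names and the 64-byte path buffer are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: length of a ut_line field, which is a fixed-size
 * array that is not guaranteed to be NUL-terminated. */
static size_t field_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Returns 1 if the name can only refer to something below /dev. */
int utmp_line_name_ok(const char *line, size_t max)
{
    size_t n = field_len(line, max);
    if (n == 0 || line[0] == '/')
        return 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (line[i] == '.' && line[i + 1] == '.')
            return 0;                    /* no "../" escapes from /dev */
    return 1;
}

/* Opens /dev/<line> for writing only if it really is a terminal.
 * Returns a file descriptor, or -1 if any check fails. */
int open_utmp_tty(const char *line, size_t max)
{
    char path[64] = "/dev/";
    struct stat st;
    size_t n = field_len(line, max);
    if (!utmp_line_name_ok(line, max) || n >= sizeof path - 5)
        return -1;
    memcpy(path + 5, line, n);           /* path stays NUL-terminated */
    int fd = open(path, O_WRONLY | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check the opened object itself, not the name, to avoid races. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode) || !isatty(fd)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

A caller that gets -1 skips the utmp entry instead of writing to whatever the name pointed at.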