>> It seems that just about every system that has installed the "shadow" >> password suite (the free version from John F. Haugh II. It was posted >> on comp.sources.unix from memory.) is vulnerable with this. > >Hmmm... I can't seem to reproduce it with Haugh's shadow passwd package. > >The arg processing in lmain.c uses getopt. >Is it a bug in some implementations of getopt? Or are you testing an >older version of the package than I have source code for (it appears to >be 3.3)? AIX login also uses getopt and both AIX and shadow use "f:" in the opt string. This f: is exactly the problem. Rlogind will allow you to pass one argument you get to choose. Both appear to have the same person involved (JF Haugh II) If login uses getopt with -f:, it will interpret an argument like -fuser the same as -f user, which is what causes the problem on AIX and it appears that the same problem exists in shadow 3.3.1. BSD versions of login either don't use getopt but require the options seperated by spaces (i.e., -pf fails, but -p -f is ok) or they use getopt but the -f option doesn't accept an argument. I have no idea whether shadow 3.3.x really has this problem, because I don't run it here. Casper