>The rlogind on my machine (a Motorola r32 box) using the shadow 3.3.x
>package does not exhibit the bug. I'm wondering if it's a composite
>bug between certain implementations of rlogind and login. I am of the
>opinion that this is an important point to resolve due to the variety
>of alternative implementations of rlogind and login out there...
>
>bugtraqers,
>
>Has anyone checked to see if Wietse Venema's rlogind in his logdaemon
>package exhibits the same behavior with shadow 3.3.x login?

If Wietse's logdaemon is compiled with OLD_LOGIN (the default if you
don't define NEW_LOGIN), you can use it with shadow's /bin/login.
In that case the username argument is not passed on the command line,
instead it is read from stdin by login.

So it depends on your rlogin daemon: if the rlogin daemon does
the protocol bit of the rlogin protocol, you might be vulnerable
as it needs to call a login that understands the -f option and
it needs to pass the username on the command line.

If your login program does the rlogin protocol, you're not vulnerable.

Some trick with a funny hostname springs to mind, but the hostname
is always preceded with a -h so it is never interpreted other than
a character string that is a hostname.

Casper
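
The distinction drawn in the message above, sketched as an added example (not code from logdaemon, shadow, or any rlogind): a daemon that places the remote user name in login's argv has to make sure it cannot be parsed as an option, while a name read from stdin never becomes an argv word, and the host string is always consumed as the value of -h. The function names, the `login -h host user` layout, the 32-character limit and the allowed character set are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical modes mirroring the two setups in the message:
 * the daemon passes the user name in argv, or login reads it from stdin. */
enum name_channel { NAME_IN_ARGV, NAME_ON_STDIN };

/* A name may go into argv only if it cannot be parsed as an option and
 * holds nothing but conservative account-name characters (assumed policy). */
int username_is_safe(const char *user)
{
    size_t i, n = strlen(user);

    if (n == 0 || n > 32 || user[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        char c = user[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Fill argv (capacity >= 6) for the exec of login; returns argc, or -1 to
 * refuse the connection. The host string always directly follows "-h", so
 * it is taken as that option's value whatever it looks like. */
int build_login_argv(enum name_channel ch, const char *host,
                     const char *user, const char **argv)
{
    int n = 0;

    argv[n++] = "login";
    argv[n++] = "-h";
    argv[n++] = host;
    if (ch == NAME_IN_ARGV) {
        if (!username_is_safe(user))
            return -1;          /* e.g. a name beginning with '-' */
        argv[n++] = user;
    }
    /* NAME_ON_STDIN: the user name never becomes an argv word at all */
    argv[n] = NULL;
    return n;
}
```
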