I wrote a little script wrapper to install as /bin/login which I think will
close up any of the current batch of holes ...

I'm looking for comments, and hoping it might help somebody out. I think
it's pretty bulletproof, but it's always possible I've missed something ...

#!/bin/sh

# by Doug McLaren, dougmc@comco.com, 05/22/94

# This script acts as a frontend to /bin/login and makes sure that programs
# like in.telnetd, in.rlogind and getty don't pass it any bogus command
# line parameters.

# This script should not be setuid anything!

# Installation: Rename the original /bin/login to /bin/login.dist, and make
# this script the new /bin/login. Make sure 'logger' is set to the correct
# location for your logger binary.

# Problems this addresses: passing bogus -h and -f options to /bin/login.

logger="/usr/bin/logger -t login"

# The reason we separate all parameters with ','s is so one can see exactly
# what is being sent to /bin/login - "login -h foo" and "login '-h foo'" are
# not the same ...

$logger "'login $1,$2,$3,$4,$5,$6,$7,$8,$9'" executed by `whoami`

deny_access () {
    echo "Go away, lamer."
    $logger "connection refused - attempted security breach!"
    exit 1
}

# -p, -r, -f, -h are the only valid options I know of for the Linux
# login. I haven't looked into any other versions of it. If login is
# started with any other options, or with anything 'funky', exit.

for i in "$@"; do
    # echo "Checking \'$i\' ..."
    case $i in
        -f) ;;
        -h) ;;
        -r) ;;
        -p) ;;
        *\ *) deny_access ;;
        -*) deny_access ;;
        *) ;;
    esac
done

# In this part, we don't allow two -h or -f options. I don't know if this
# part is still needed, but it shouldn't hurt. I doubt it's bullet proof,
# however.

case " $*" in
    *\ -h*\ -h*) deny_access ;;
    *\ -f*\ -f*) deny_access ;;
    *) ;;
esac

# Ok, guess it all checks out ... execute the real /bin/login.

exec /bin/login.dist "$@"

--
Doug McLaren, dougmc@comco.com -- MONEY IS THE ROOT OF ALL EVIL! Send $9.95 for info
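
A dry-run harness for the checks in the script above, added here as an example and not part of the original post: `check_args` and `verdict` are hypothetical names, and the argument vectors are constructed. It reproduces the two `case` filters in a function that returns a status instead of executing login, so the filter's decisions can be inspected before the wrapper replaces /bin/login.

```sh
#!/bin/sh
# Added example: dry-run of the wrapper's argument checks.
# check_args (hypothetical name) returns 0 where the wrapper would exec
# /bin/login.dist and 1 where it would call deny_access. It never runs
# login or logger, so it is safe to execute as an ordinary user.
check_args () {
    for i in "$@"; do
        case $i in
            -f|-h|-r|-p) ;;        # the four options the post allows
            *\ *) return 1 ;;      # embedded space: two words passed as one
            -*)   return 1 ;;      # any other dash-prefixed word
            *) ;;                  # plain word (user name, host name)
        esac
    done
    case " $*" in
        *\ -h*\ -h*) return 1 ;;   # -h given twice
        *\ -f*\ -f*) return 1 ;;   # -f given twice
    esac
    return 0
}

# verdict prints the decision for one argument vector, one [word] per
# argument, so that "-h foo" and '-h foo' are visibly different.
verdict () {
    if check_args "$@"; then r=ALLOW; else r=DENY; fi
    printf '%-5s' "$r"
    printf ' [%s]' "$@"
    printf '\n'
}

# Constructed argument vectors (host and user names are placeholders).
verdict -p -h host.example.com alice               # ordinary telnetd-style call
verdict alice                                      # getty-style call
verdict -h host.example.com -froot                 # option glued to its value
verdict '-h foo'                                   # one word containing a space
verdict -h a.example.com -h b.example.com alice    # duplicate -h
verdict -x alice                                   # option not on the allow list
```
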