>While Solaris 2.3 may be immune to this from rlogin, I have had reports >that some people have been logging in, and then relogging in with >"exec login joeuser -hhostname" to obscure where they are logged in from. >This is usually traceable, but could conceivably cause problems too if >you rely on knowing where someone is logged in from to build a case against >them for cracking activity. And if my sentence was unclear, this *is* >under Solaris 2.3. Real simple fix: chmod 700 /bin/login. Why's that program set-uid anyway? It hasn't been set-uid here for a long time and has given us no problems. (Most login allow you to hide your fromabouts with "login username". This clears the ut_host bit of the utmp[x] file) Casper