fix for login

Vernon Schryver vjs at rhyolite.wpd.sgi.com
Tue Mar 5 13:21:45 AEST 1991


In article <9103042232.AA00908 at euler.jsc.nasa.gov>, johnson at EULER.JSC.NASA.GOV (Stan Johnson) writes:
> 
> I AM A LITTLE SURPRISED AT THE ABOVE REACTION FROM SGI TO THEIR CUSTOMERS'
> VALID CONCERNS ABOUT SECURITY HOLES IN /bin/login.  THE ABILITY TO CHANGE
> ANOTHER USER'S PASSWORD BY SIMPLY GETTING ACCESS TO HIS OR HER ACCOUNT
> THROUGH rlogin SEEMS A VALID ENOUGH SECURITY REASON FOR SGI TO DISTRIBUTE
> A FIX.  THERE MAY BE SOME GOOD REASONS NOT TO POST THE EXECUTABLE ON
> sgi.com, BUT THAT DOES NOT DIMINISH THE NEED TO COMMUNICATE THE INFORMATION
> TO CUSTOMERS IN ONE WAY OR ANOTHER.
> 
> AND I DON'T THINK REQUESTING A FIX TO A SERIOUS PROBLEM FOR WHICH THERE
> IS A KNOWN FIX MAKES ANYONE A "SQUEAKY WHEEL", AS WAS SUGGESTED IN AN
> EARLIER MESSAGE FROM SGI.
> 
> -STAN JOHNSON
>  (713) 483-4692
>  NASA / Johnson Space Center
>  email: johnson at euler.jsc.nasa.gov



Please note that the fix for /bin/login does not close any security holes.
The problem is only that people are forced to run the passwd command after
being accepted as bona fide users.  What happens is exactly the same as if
someone had first used rlogin, and then typed `passwd`.  At worst, this
makes the new "password required" feature less useful.  It does not allow
anyone any access to machines that they did not already have.  In fact, it
effectively denies access.

The /bin/login bug is a serious bug, but so are many other bugs that we are
fixing for IRIX 4.0.  If you view the /bin/login fix as serious enough, and
if you are willing to pay enough for the fix before the next release, I
bet the support organization would be happy to send you a tape via overnight
courier.


Please contact Silicon Graphics or the CERT hotline immediately if you know
of a security hole in the IRIX 3.3.2 /bin/login.  Again, this fix to
/bin/login is not a security issue.


Vernon Schryver,   vjs at sgi.com



More information about the Comp.sys.sgi mailing list