Subject: Re: bin/620: security spoof possible with rlogin/telnet
To: None <firstname.lastname@example.org>
From: Charles M. Hannum <email@example.com>
Date: 12/08/1994 04:47:47
> no actual patch, but the best way would be to change telnetd
> and rlogind (and any other program that exec's login with
> an unchecked argv) so that if a username started with `-',
> or contained any character that's illegal in a username,

I disagree. The `right' solution is to put a `--' argument in before
the user name, so that it can never be interpreted as an option.
I did this in my merged (with 4.4-Lite) copy of libexec, but I haven't
gotten around to finishing that, yet.