Subject: Re: bin/620: security spoof possible with rlogin/telnet
To: None <lukem@dodo.melb.cpr.itg.telecom.com.au>
From: Charles M. Hannum <mycroft@gnu.ai.mit.edu>
List: netbsd-bugs
Date: 12/08/1994 04:47:47
>Fix:
no actual patch, but the best way would be to change telnetd
and rlogind (and any other program that exec's login with
an unchecked argv) so that if a username started with `-',
or contained any character that's illegal in a username,
[...]
I disagree. The `right' solution is to put a `--' argument in before
the user name, so that it can never be interpreted as an option.
I did this in my merged (with 4.4-Lite) copy of libexec, but I haven't
gotten around to finishing that yet.