Re: Login not reading /etc/login.conf.db

To: tech-userlevel%netbsd.org@localhost
Subject: Re: Login not reading /etc/login.conf.db
From: christos%astron.com@localhost (Christos Zoulas)
Date: Wed, 25 Jun 2014 15:20:18 +0000 (UTC)

In article <20140625050140.45cde6b1%NetBSD.org@localhost>,
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost> wrote:
>Perhaps the behavior is correct but I can't see why.  I have my
>login.conf checked into my local SVN repo.  I tried to symlink it
>into /etc but that doesn't seem to work, probably for good reason.  So
>I tried compiling it from my repo with cap_mkdb outputting to /etc.
>
># cap_mkdb -f /etc/login.conf /...my_repo/login.conf
>
>This creates /etc/login.conf.db but when I log in I get basic
>defaults.  I then did "touch /etc/login.conf" and logged in again.
>This time I got the correct settings.  It seems that /etc/login.conf
>needs to exist before it will read /etc/login.conf.db even if it is
>empty.  Does this seem like correct behavior or should I open a PR?

Well, we could reconsider what secure_path(3) means. Right now it
only checks that the file referenced:
        is a plain file
        it is owned by root
        it is not writable by group or others

We could consider instead:
        - each component of the referenced path is a directory
          owned by root and not writable by group and others
        - only the last component of the path can be a symbolic link
          and if it is, the realpath() of that is secure.

christos

Follow-Ups:
- Re: Login not reading /etc/login.conf.db
  - From: D'Arcy J.M. Cain

References:
- Login not reading /etc/login.conf.db
  - From: D'Arcy J.M. Cain

Prev by Date: Re: sed -u option
Next by Date: Re: Login not reading /etc/login.conf.db
Previous by Thread: Login not reading /etc/login.conf.db
Next by Thread: Re: Login not reading /etc/login.conf.db
Indexes:

Home | Main Index | Thread Index | Old Index