Subject: login.c patch
To: None <netbsd-bugs@sun-lamp.cs.berkeley.edu>
From: Havard Eidnes <Havard.Eidnes@runit.sintef.no>
List: netbsd-bugs
Date: 11/14/1993 21:38:06

Hi,

I would like to re-offer this patch for login.c.  This patch fixes what I
consider to be an inconsistent handling of the "secure" flag in the ttys
file.  The omission of the "secure" flag is supposed to prevent root from
logging in on that particular tty.  However, if root has an empty password,
that check is effectively bypassed by the current code.

Please, do not try to convince me that running with no root password is bad
for me -- I know perfectly well what it does to my own system security.
For others using passwords for the root account, this fix should have no
impact, although I have not tested it.

Thanks in advance (but only if you find this worthy of inclusion :-),

- Havard


*** login.c.old	Sun Jul 18 22:16:07 1993
--- login.c	Sun Jul 18 22:16:27 1993
***************
*** 232,237 ****
  		 */
  		if (pwd && (*pwd->pw_passwd == '\0' ||
! 		    fflag && (uid == 0 || uid == pwd->pw_uid)))
  			break;
  		fflag = 0;
  		if (pwd && pwd->pw_uid == 0)
--- 232,244 ----
  		 */
  		if (pwd && (*pwd->pw_passwd == '\0' ||
! 		    fflag && (uid == 0 || uid == pwd->pw_uid))) {
! 			if (fflag) break; /* already authenticated */
! 			if (pwd && pwd->pw_uid == 0) { /* login as root */
! 				rval = 0;	/* pretent password ok */
! 				rootlogin = 1;
! 				goto ttycheck;	/* but still check tty! */
! 			}
  			break;
+ 		}
  		fflag = 0;
  		if (pwd && pwd->pw_uid == 0)
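Review bot: In the added block, `if (fflag) break; /* already authenticated */` tests fflag alone, but the enclosing condition can also be true through `*pwd->pw_passwd == '\0'` while fflag is set and the `uid == 0 || uid == pwd->pw_uid` test is false, so this break can still leave the loop without the tty check for a root account with an empty password. Suggest repeating the full test there, `if (fflag && (uid == 0 || uid == pwd->pw_uid)) break;`, so that only a caller who actually passed the -f check skips the root branch. Two smaller points: the `pwd &&` in `if (pwd && pwd->pw_uid == 0)` is redundant because the outer condition already requires pwd, and the comment should read "pretend".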
***************
*** 257,260 ****
--- 264,268 ----
  		(void)setpriority(PRIO_PROCESS, 0, 0);
  
+ ttycheck:
  		/*
  		 * If trying to log in as root without Kerberos,
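Review bot: The `ttycheck:` label sits after `(void)setpriority(PRIO_PROCESS, 0, 0);`, so the new `goto ttycheck` path skips that call and every statement between the jump and the label, none of which is visible in this hunk. Please confirm that nothing on the skipped path is needed when the password is empty, and add a one-line comment at the label naming the path that jumps here. Since the message says the change has not been tested for accounts with passwords, a test of root login on both a "secure" and a non-"secure" tty, with and without a root password, should accompany it.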
