Subject: Re: bin/620: security spoof possible with rlogin/telnet
To: None <lukem@dodo.melb.cpr.itg.telecom.com.au>
From: Charles M. Hannum <mycroft@gnu.ai.mit.edu>
List: netbsd-bugs
Date: 12/08/1994 04:47:47
   >Fix:
	   no actual patch, but the best way would be to change telnetd
	   and rlogind (and any other program that exec's login with
	   an unchecked argv) so that if a username started with `-',
	   or contained any character that's illegal in a username,
	   [...]

I disagree.  The `right' solution is to put a `--' argument in before
the user name, so that it can never be interpreted as an option.

I did this in my merged (with 4.4-Lite) copy of libexec, but I haven't
gotten around to finishing that yet.