Subject: Re: root password : security hole ?
To: David Laight <david@l8s.co.uk>
From: Quentin Garnier <netbsd@quatriemek.com>
List: netbsd-users
Date: 03/12/2003 12:20:31
On Wed, 12 Mar 2003 10:49:35 +0000, David Laight wrote:
> > The problem lies in usr.bin/login/login.c, near line 492:
> >
> > /*
> > * If trying to log in as root without Kerberos,
> > * but with insecure terminal, refuse the login attempt.
> > */
> > if (pwd && !rval && rootlogin && !rootterm(tty)) {
> >
> > First of all, the comment preceding the test is misleading: Kerberos
> > authentication doesn't skip the test since revision 1.29. It should be
> > removed.
>
> Should the 'pwd' be removed as well?
> The fact that root doesn't have a password shouldn't mean you can login
> from anywhere.
Indeed, but pwd is needed by the log message. Besides, rootlogin can be
set to 1 only if pwd is not NULL.
> > IMHO, there should be a (rootlogin && !rootterm(tty)) test even before
> > asking for a password, but at first we can remove the test of rval
> > value.
>
> Ask for the password first, but always report it as invalid. That
> way the hacker sits there trying other passwords instead of going to
> a different system....
I think we'd better not mislead the wheel member that tries login as root.
That case seems more likely to me than a brute force hacker.
What about this?
Index: login.c
===================================================================
RCS file: /cvsroot/src/usr.bin/login/login.c,v
retrieving revision 1.72
diff -u -r1.72 login.c
--- login.c 2003/01/01 00:00:14 1.72
+++ login.c 2003/03/12 11:20:06
@@ -485,11 +485,7 @@
(void)setpriority(PRIO_PROCESS, 0, 0);
ttycheck:
- /*
- * If trying to log in as root without Kerberos,
- * but with insecure terminal, refuse the login attempt.
- */
- if (pwd && !rval && rootlogin && !rootterm(tty)) {
+ if (pwd && rootlogin && !rootterm(tty)) {
(void)fprintf(stderr,
"%s login refused on this terminal.\n",
pwd->pw_name);
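Review bot: the hunk deletes the misleading Kerberos comment but leaves the remaining test uncommented, and dropping `!rval` is the actual fix here: the terminal check now applies whether or not the password verified, so the "login refused on this terminal" message no longer depends on the authentication result. Put a one-line comment above `if (pwd && rootlogin && !rootterm(tty)) {` saying exactly that, e.g. `/* Refuse root on an insecure terminal regardless of the password result. */`, so the rval dependency is not reintroduced later.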
@@ -501,13 +497,10 @@
syslog(LOG_NOTICE,
"LOGIN %s REFUSED ON TTY %s",
pwd->pw_name, tty);
- continue;
- }
-
- if (pwd && !rval)
+ } else if (pwd && !rval)
break;
-
- (void)printf("Login incorrect\n");
+ else
+ (void)printf("Login incorrect\n");
failures++;
cnt++;
/* we allow 10 tries, but after 3 we start backing off */
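Review bot: removing `continue;` from the refusal branch changes the accounting as a side effect: a root login refused on an insecure terminal now falls through to `failures++;` and `cnt++;`, so it counts toward the 10-try limit and the backoff, which the old code skipped. That seems the right behaviour for repeated root attempts on an insecure tty, but it is not mentioned in the message; either note it as intended or put a `continue;` back inside the refusal branch if the old accounting should be kept.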
--
Quentin Garnier - cube@cubidou.net
"Feels like I'm fiddling while Rome is burning down.
Should I lay my fiddle down and take a rifle from the ground ?"
Leigh Nash/Sixpence None The Richer, Paralyzed, Divine Discontents, 2002.
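To make the control-flow change concrete, here is an added stand-alone model of the loop around `ttycheck:` before and after the patch. This is example code written for this page, not login.c and not from the thread: `rootterm()` is a constructed stand-in with a hard-coded list of secure ttys, the `attempt` struct and the tty names (`ttyp0`, `console`, `ttyE0`) are assumptions, and the two `login_step_*` functions only reproduce the branch structure shown in the two hunks.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one pass through the (simplified) login retry loop. */
enum outcome { OUT_REFUSED_TTY, OUT_SUCCESS, OUT_INCORRECT };

/* Constructed stand-in for login's rootterm(): only ttys marked "secure"
 * in /etc/ttys may log in root. The list here is hard-coded for the demo. */
static bool rootterm(const char *tty)
{
	static const char *const secure[] = { "console", "ttyE0" };
	for (size_t i = 0; i < sizeof secure / sizeof secure[0]; i++)
		if (strcmp(tty, secure[i]) == 0)
			return true;
	return false;
}

/* State at the ttycheck: label (assumed names mirroring login.c):
 * pwd_found - the account exists (pwd != NULL)
 * rval      - authentication result, 0 means the password verified
 * rootlogin - the account has uid 0
 * tty       - terminal the attempt came from */
struct attempt {
	bool pwd_found;
	int rval;
	bool rootlogin;
	const char *tty;
};

/* Pre-patch logic: the terminal test only fires once the password verified
 * (rval == 0), and a refusal leaves via 'continue', skipping failures++. */
static enum outcome
login_step_before(const struct attempt *a, int *failures)
{
	if (a->pwd_found && !a->rval && a->rootlogin && !rootterm(a->tty))
		return OUT_REFUSED_TTY;		/* continue; */
	if (a->pwd_found && !a->rval)
		return OUT_SUCCESS;		/* break; */
	(*failures)++;
	return OUT_INCORRECT;
}

/* Post-patch logic: the terminal test no longer looks at rval, and the
 * refusal branch falls through to failures++ like a wrong password does. */
static enum outcome
login_step_after(const struct attempt *a, int *failures)
{
	enum outcome o;

	if (a->pwd_found && a->rootlogin && !rootterm(a->tty))
		o = OUT_REFUSED_TTY;
	else if (a->pwd_found && !a->rval)
		return OUT_SUCCESS;		/* break; */
	else
		o = OUT_INCORRECT;
	(*failures)++;
	return o;
}

/* One root attempt from 'tty' with authentication result 'rval'. */
static enum outcome
root_attempt_outcome(bool patched, int rval, const char *tty)
{
	struct attempt a = { true, rval, true, tty };
	int failures = 0;

	return patched ? login_step_after(&a, &failures)
		       : login_step_before(&a, &failures);
}

/* Failure count after one correct-password root attempt on an insecure tty. */
static int
failures_after_refusal(bool patched)
{
	struct attempt a = { true, 0, true, "ttyp0" };	/* "ttyp0": assumed insecure */
	int failures = 0;

	(void)(patched ? login_step_after(&a, &failures)
		       : login_step_before(&a, &failures));
	return failures;
}

int
main(void)
{
	static const char *const names[] = { "refused on tty", "success", "incorrect" };
	int rval;

	for (rval = 0; rval <= 1; rval++)
		printf("root, rval=%d, ttyp0: before=%s after=%s\n", rval,
		    names[root_attempt_outcome(false, rval, "ttyp0")],
		    names[root_attempt_outcome(true, rval, "ttyp0")]);
	printf("failures after refusal: before=%d after=%d\n",
	    failures_after_refusal(false), failures_after_refusal(true));
	return 0;
}
```

Running it shows the two effects of the patch side by side: before it, a root attempt on an insecure tty was answered "Login incorrect" for a wrong password but "refused on this terminal" for the right one, so the reply depended on the password; after it, both cases get the same refusal, and the refusal now also increments the failure counter instead of bypassing it through `continue`.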