The suid bit is set on the /usr/bin/login binary. This results in the system being susceptible to a manual (login) attack on user accounts (including root). An attack can be initiated by any user with a shell. (Also, consider a system with no root password - my preferred)
I briefly looked through /usr/src (grepped for '/usr/bin/login') and the only use I found of it was for the csh `login` built-in.
My suggested fix (untested): the csh `login` built-in should be restricted to the superuser, and /usr/bin/login should be mode 555.
Any thoughts?
Is login used anywhere else in the system (and by an unprivileged user)?
JP
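The audit and the proposed fix above, as an added example that is not part of the original post: a POSIX shell script that lists setuid executables under a tree (the classic `find -perm -4000` check), and strips the setuid bit from a `login` binary down to mode 555 while confirming the change took. To run unprivileged it builds a constructed mock tree in a temp directory with a fake setuid `login`; the function names (`list_setuid`, `harden_login`, `make_mock_tree`, etc.) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a tree for setuid
# executables and applies the suggested fix (mode 555) to a "login" binary.
# The tree is a constructed temp dir, so no root privilege is needed.

# Print setuid regular files under $1, one per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Number of setuid files under $1 (tr strips the padding some wc print).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Exit 0 if $1 has the setuid bit set, 1 otherwise (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# The fix proposed in the post: mode 555, executable but no setuid.
# Fails if the bit is still set afterwards (e.g. chmod was refused).
harden_login() {
    chmod 555 "$1" || return 1
    if is_setuid "$1"; then
        return 1
    fi
    return 0
}

# Constructed mock tree: a setuid "login" (the weak setting) and a plain "sh".
make_mock_tree() {
    dir=$(mktemp -d) || exit 1
    mkdir -p "$dir/usr/bin"
    printf '#!/bin/sh\necho mock login\n' > "$dir/usr/bin/login"
    printf '#!/bin/sh\necho mock sh\n' > "$dir/usr/bin/sh"
    chmod 4755 "$dir/usr/bin/login"   # setuid root-style mode from the post
    chmod 755 "$dir/usr/bin/sh"
    printf '%s\n' "$dir"
}

# Walk through audit, fix, re-audit on the mock tree.
demo() {
    root=$(make_mock_tree)
    before=$(count_setuid "$root")
    harden_login "$root/usr/bin/login"
    after=$(count_setuid "$root")
    rm -rf "$root"
    printf 'setuid files before: %s, after: %s\n' "$before" "$after"
    [ "$before" = 1 ] && [ "$after" = 0 ]
}

demo
```

On a real system the audit is `find / -xdev -type f -perm -4000` run as root; note that a `nosuid` mount still shows the bit on the inode, so the listing is a starting point, not proof the bit is effective.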